Message boards : Questions and problems : HTTP error: Peer certificate cannot be authenticated with given CA certificates (with workaround)
Message board moderation
Author | Message |
---|---|
Send message Joined: 10 May 07 Posts: 1444 |
Not sure if this is a BOINC CA CERTIFICATE ERROR or that it's a PROJECT CA CERTIFICATE ERROR. Get the following error message across all 6 of my PC's (Windows 8.1, Windows 7, Windows VISTA and Window WINE under Ubuntu) this morning (US time) on TWO projects iThena and WuProp HTTP error: Peer certificate cannot be authenticated with given CA certificates Running latest stable BOINC 7.16.11 Windows x64 Happened shortly after 9:00 AM local time (US CENTRAL TIME), Add +5 hours to get UTC TIME OF 14:00 Not sure if it affects any other projects. As far as I can see the SSL Security certificates for the two projects are NOT expired and are current. Snippet from BOINC STDERR log from my Windows 8.1 PC when trying to send completed work to iThena. Similar error messages when contacting WuProp. 30-Sep-2021 09:02:24 [iThena] Sending scheduler request: To fetch work. 16:42 UTC EDIT TO ADD>> BOINC communicates with / Send / Receive tasks from my other two active projects on the pc's Minecraft and PRIVATE GFN with no certificate error messages |
Send message Joined: 5 Oct 06 Posts: 5129 |
I'd suspect it's a BOINC problem. Windows versions of BOINC rely on a 'ca-bundle.crt' file stored in your BOINC program folder, and only updated when a new version is installed. The most recent update to the sources held by BOINC was on May 31, 2020, which should have been included on v7.16.11 (released 2020-09-02) - I'll check. |
Send message Joined: 5 Oct 06 Posts: 5129 |
OK, I got this when attempting to attach to iThena. I expected the attach to fail, because they're not accepting new members: but that would be for the server to say, not SSL. 30/09/2021 18:05:06 | | Fetching configuration file from https://root.ithena.net/usr/get_project_config.php 30/09/2021 18:05:06 | | [http] HTTP_OP::init_get(): https://root.ithena.net/usr/get_project_config.php 30/09/2021 18:05:06 | | [http] HTTP_OP::libcurl_exec(): ca-bundle 'D:\BOINC\ca-bundle.crt' 30/09/2021 18:05:06 | | [http] HTTP_OP::libcurl_exec(): ca-bundle set 30/09/2021 18:05:06 | | [http] [ID#2] Info: Connection 2831 seems to be dead! 30/09/2021 18:05:06 | | [http] [ID#2] Info: Closing connection 2831 30/09/2021 18:05:06 | | [http] [ID#2] Info: Connection 2832 seems to be dead! 30/09/2021 18:05:06 | | [http] [ID#2] Info: Closing connection 2832 30/09/2021 18:05:06 | | [http] [ID#2] Info: Trying 85.204.27.80... 30/09/2021 18:05:07 | | [http] [ID#2] Info: Connected to root.ithena.net (85.204.27.80) port 443 (#2833) 30/09/2021 18:05:07 | | [http] [ID#2] Info: ALPN, offering http/1.1 30/09/2021 18:05:07 | | [http] [ID#2] Info: Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH 30/09/2021 18:05:07 | | [http] [ID#2] Info: successfully set certificate verify locations: 30/09/2021 18:05:07 | | [http] [ID#2] Info: CAfile: D:\BOINC\ca-bundle.crt 30/09/2021 18:05:07 | | [http] [ID#2] Info: CApath: none 30/09/2021 18:05:07 | | [http] [ID#2] Info: TLSv1.2 (OUT), TLS header, Certificate Status (22): 30/09/2021 18:05:07 | | [http] [ID#2] Info: TLSv1.2 (OUT), TLS handshake, Client hello (1): 30/09/2021 18:05:07 | | [http] [ID#2] Info: TLSv1.2 (IN), TLS handshake, Server hello (2): 30/09/2021 18:05:07 | | [http] [ID#2] Info: TLSv1.2 (IN), TLS handshake, Certificate (11): 30/09/2021 18:05:07 | | [http] [ID#2] Info: TLSv1.2 (OUT), TLS alert, Server hello (2): 30/09/2021 18:05:07 | | [http] [ID#2] Info: SSL certificate problem: certificate has expired 30/09/2021 18:05:07 | | [http] [ID#2] Info: Closing connection 2833 30/09/2021 18:05:07 | | [http] HTTP error: Peer certificate cannot be authenticated with given CA certificatesNote "CAfile: D:\BOINC\ca-bundle.crt" (yours is in C:). My BOINC client is also v7.16.11, and the ca-bundle.crt file is dated 31 May 2020. Checking that ca-bundle.crt is still serviceable is on the Release Manager's checklist for new versions (I put it there), and there's supposed to be a new version to coincide with the release of Windows 11 on October 5. I'd suggest you wait for that release, see whether that cures the problem, and be ready to raise merry hell if it doesn't. |
Send message Joined: 30 Sep 21 Posts: 7 |
Yes. Let's encrypt has updated their certificated. The Root is the ISRG Root X1 Valid from 6/4/2015 to 6/4/2035 The intermediate is R3: Thursday, September 3, 2020 7:00:00 PM Monday, September 15, 2025 11:00:00 AM 30 82 01 0a 02 82 01 01 00 bb 02 15 28 cc f6 a0 94 d3 0f 12 ec 8d 55 92 c3 f8 82 f1 99 a6 7a 42 88 a7 5d 26 aa b5 2b b9 c5 4c b1 af 8e 6b f9 75 c8 a3 d7 0f 47 94 14 55 35 57 8c 9e a8 a2 39 19 f5 82 3c 42 a9 4e 6e f5 3b c3 2e db 8d c0 b0 5c f3 59 38 e7 ed cf 69 f0 5a 0b 1b be c0 94 24 25 87 fa 37 71 b3 13 e7 1c ac e1 9b ef db e4 3b 45 52 45 96 a9 c1 53 ce 34 c8 52 ee b5 ae ed 8f de 60 70 e2 a5 54 ab b6 6d 0e 97 a5 40 34 6b 2b d3 bc 66 eb 66 34 7c fa 6b 8b 8f 57 29 99 f8 30 17 5d ba 72 6f fb 81 c5 ad d2 86 58 3d 17 c7 e7 09 bb f1 2b f7 86 dc c1 da 71 5d d4 46 e3 cc ad 25 c1 88 bc 60 67 75 66 b3 f1 18 f7 a2 5c e6 53 ff 3a 88 b6 47 a5 ff 13 18 ea 98 09 77 3f 9d 53 f9 cf 01 e5 f5 a6 70 17 14 af 63 a4 ff 99 b3 93 9d dc 53 a7 06 fe 48 85 1d a1 69 ae 25 75 bb 13 cc 52 03 f5 ed 51 a1 8b db 15 02 03 01 00 01 So is there a way to download the new ca-bundle.crt in the interim? October 5th is a longways to go without uploading or downloading WU's. If BOINC is going to force the validity of certificates, then the updated file needs to be made available. |
Send message Joined: 5 Oct 06 Posts: 5129 |
I'll ask. Just had a report, and confirmed, that GPUGrid is affected as well. I seem to remember a previous panic on the last day of some earlier month, as well. Yes, there was an emergency release of v7.16.7 on 31 May 2020, and the final code change was 'Update CA bundle'. |
Send message Joined: 29 Aug 05 Posts: 15564 |
I'll ask. Just had a report, and confirmed, that GPUGrid is affected as well.As is CPDN, so I'd expect an earlier update. Checking https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/ it's the IdentTrust DST Root CA X3 that expired today. |
Send message Joined: 30 Sep 21 Posts: 7 |
But sites that use Let's Encrypt are the ones having an issue since they updated their chain *after* that emergency release in May of 2020. October 5th is a longways away. That will be a lot of lost work and lost computational time. If you are going to use a certificate bundle that is client based, then updates to it need to be made available before issues start. I believe it is unique to Windows that the client has a local certificate file. Either that needs to be updated when the client checks for updates or an option to launch the client be made available to bypass certificate validation. |
Send message Joined: 5 Oct 06 Posts: 5129 |
Add CPDN to the list. (sorry, Jord - I was busy replying to the CPDN moderators when you posted) |
Send message Joined: 29 Aug 05 Posts: 15564 |
It's all right, I posted to them as well and will put it on Github. Edit: and done that, let's wait what the devs say. |
Send message Joined: 5 Oct 06 Posts: 5129 |
Writing to the mailing lists as we speak. |
Send message Joined: 19 Jan 07 Posts: 1179 |
What OpenSSL version does BOINC for Windows show at the beginning of the log? |
Send message Joined: 5 Oct 06 Posts: 5129 |
While we wait, it's an easy job to update Windows clients with a new ca-bundle.crt file, when available: you don't even need to stop BOINC (though it might be a good idea to suspend networking while you do it). To be safe: Navigate to the BOINC program folder Rename the old file Drop in the new one. And that's it. If it goes wrong, you can return to the old file for the projects that are still accepting it, while the dust settles. BOINC on Linux and other operating systems uses system security, which is automatically updated when needed. There should be no need to update BOINC separately on those systems. |
Send message Joined: 5 Oct 06 Posts: 5129 |
What OpenSSL version does BOINC for Windows show at the beginning of the log?OpenSSL/1.0.2s |
Send message Joined: 19 Jan 07 Posts: 1179 |
What OpenSSL version does BOINC for Windows show at the beginning of the log?OpenSSL/1.0.2s Okay, so that is the problem. BOINC's ca-bundle.crt has had the new LetsEncrypt X1 certificate since January 2018, so that doesn't need to be updated. But OpenSSL 1.0 sees the X3 certificate expired and gives up, instead of noticing the project's certificate is also signed with X1 which is still valid. The fix is updating to OpenSSL 1.1. I already mentioned this in 2020 when the AddTrust certificate expired and we had the same problem... |
Send message Joined: 30 Sep 21 Posts: 7 |
That would also explain why adding the root, intermediate and even the certificate for the project itself doesn't remediate the issue. |
Send message Joined: 19 Jan 07 Posts: 1179 |
That would also explain why adding the root, intermediate and even the certificate for the project itself doesn't remediate the issue. What do you mean by "adding the certificates"? Are you modifying ca-bundle.crt? |
Send message Joined: 30 Sep 21 Posts: 7 |
That would also explain why adding the root, intermediate and even the certificate for the project itself doesn't remediate the issue. Yes. |
Send message Joined: 5 Oct 06 Posts: 5129 |
I think someone made a working bodge last time, by removing the expired X3 certificate (or equivalent). |
Send message Joined: 30 Sep 21 Posts: 7 |
I think someone made a working bodge last time, by removing the expired X3 certificate (or equivalent). Removing it does indeed remediate the issue. |
Send message Joined: 10 May 07 Posts: 1444 |
I think someone made a working bodge last time, by removing the expired X3 certificate (or equivalent). Can someone post a download link to a modified working certificate or what section(s) of the current certificate to edit out. |
Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.