Peer certificate cannot be authenticated with given CA certificates

Message boards : Number crunching : Peer certificate cannot be authenticated with given CA certificates

To post messages, you must log in.

Previous · 1 · 2 · 3 · 4 · 5 · 6 . . . 9 · Next

AuthorMessage
Mr P Hucker
Avatar

Send message
Joined: 12 Aug 06
Posts: 1600
Credit: 12,050,318
RAC: 17,840
Message 96982 - Posted: 31 May 2020, 11:50:34 UTC - in response to Message 96955.  

run command prompt as administrator

Easier said than done: you have to go Windows key+R then Ctrl+Shift+Enter together

cd "/Program Files/BOINC" (using backslashes, which I can't seem to make display OK)
copy ca-bundle.crt ca-bundle.crt.bak

This didn't work as I get access denied.

WTF - why isn't the Rosetta admin fixing this snafu?


I think this is an issue with BOINC, not Rosetta. LHC@home is also affected, as well as NumberFields@Home.
My Mac is doing fine so far, which is rather interesting.


Macs are probably more sensible like Linux, using a central store of these keys in the OS, rather than just in the Boinc folder. Apple update those presumably, for every program you run not just Boinc. Windows SSL keys are a mess, some in the registry, some in the system folder, some in program folders....
ID: 96982 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Mr P Hucker
Avatar

Send message
Joined: 12 Aug 06
Posts: 1600
Credit: 12,050,318
RAC: 17,840
Message 96983 - Posted: 31 May 2020, 11:53:05 UTC - in response to Message 96969.  

Alongside the issues here, which most of us here are solving on PCs though not on Android, the project front page <had been> showing maybe 780k completed tasks in the last 24hrs
About 21hrs later now it's only showing about 340k completed in the last 24hrs and will continue to drop for a few hours more. Maybe to 300k or even less.

This certificate having already expired, I'm not sure what anyone at Rosetta can do to push a solution to people who don't view the forums at all, let alone this topic. let alone if they've got the ability to implement a solution.

The most obvious route may be to put a Notice out through the Boinc Manager itself, though someone will have to prepare an idiot-proof set of instructions to do so.

The only other thing I can think of is for people here who are in teams to contact their other Rosetta team members and advise them how to solve the immediate problem.

Anyone else with any ideas before Admin and Mod.Sense get back to us with some clever solution of their own?


Does Boinc auto-update? If so, Boinc could release a new version with an updated security file. If it doesn't autoupdate, then Rosetta (and LHC and Numberfields) should email every user and tell them to update Boinc.
ID: 96983 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Tomcat雄猫

Send message
Joined: 20 Dec 14
Posts: 180
Credit: 5,386,173
RAC: 0
Message 96984 - Posted: 31 May 2020, 11:53:46 UTC - in response to Message 96981.  

Presumably this will rectify after midnight in each user's timezone? In Android 9 (Pie) the following DID NOT WORK:

1) Settings >> General >> Lock screen & security >> Advanced / Encryption & credentials >> Trusted credentials
2) Select AddTrust AB (AddTrust External CA Root)
3) Note that this cert expires 30 May 2020
4) Press DISABLE
5) Restart device
6) Restart BOINC

At least for me this does not rectify the uploads hanging. There is a RESET option when selecting the Rosetta@home project in the Android app, but I'm reluctant to select this as I could lose the work I'm attempting to upload. Setting the time/date to tomorrow (E.g. selecting timezone for Sydney) also did not resolve.


I'm on Android 8.0 and it didn't work for me. In the end, I was forced to abort all tasks and let some others timeout. This is not good. Fortunately, I have a really small cache.
I even tried disabling all the AddTrust AB certificates. No dice. I can't even re-add Rosetta after removing it (that probably means RESET won't work). I think one needs to remove those expired credentials outright to fix this (I don't think you can remove single credentials from Android).

Welp, I guess that's two Android devices down for me. One because of issues with BOINC and Android 9.0, plus the fact that I don't charge that device enough to meet the deadlines. One because of this certificate expiring.

I hope this gets resolved before we get a massive wave of tasks timing out.


It only affects some projects, my Androids are doing other project work instead. I only know of LHC, Rosetta, and Numberfields needing the certificate.


I'm running WCG on my two phones now. I am concerned about the impact on this project though.
ID: 96984 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Erich56

Send message
Joined: 11 Jan 16
Posts: 35
Credit: 1,437,503
RAC: 0
Message 96986 - Posted: 31 May 2020, 12:06:59 UTC - in response to Message 96984.  

I am concerned about the impact on this project though.
So am I. If there won't be a fast and easy solution available to everyone, many valuable crunchers may abandon the project.
ID: 96986 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Warren Brandon

Send message
Joined: 16 Mar 20
Posts: 1
Credit: 49,937
RAC: 0
Message 96993 - Posted: 31 May 2020, 13:07:18 UTC - in response to Message 96882.  

I analyzed the ca-bundle.crt file and found out that AddTrust External Root certificate expired today.
I removed the expired certificate part from the file and now everything works normal for me again.

Here is a guide to a quick fix:
Backup all your sensitive data first, This is only tested on 1 computer so far.
Exit BOINC
Open file manager and go to C:ProgramFilesBOINC or wherever you have installed BOINC.
Make a backup copy of ca-bundle.crt just in case my instuctions screw up something.
Right click on ca-bundle.crt and open it with Notepad
Scroll down to AddTrust External Root, Below this is the expired certificate.
Delete everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- including the begin and end lines.
Save the file
Start BOINC and try again.

Please let me know if this works or not.


This worked for me perfectly, I had to open the file in Notepad++ as admin but afterwards I could connect to the project again.
Thank you so much
ID: 96993 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Profile Siran d'Vel'nahr
Avatar

Send message
Joined: 15 Nov 06
Posts: 72
Credit: 2,674,678
RAC: 0
Message 96994 - Posted: 31 May 2020, 13:07:39 UTC

Greetings,

I am running Linux Mint v19.3 which is based on Ubuntu. I have done the following procedure:
The procedure that worked for me on Ubuntu 18.04.4:
(1) Download this file: https://crt.sh/?d=1720081
(2) Place "1720081.crt" in Home directory (e.g., move from desktop)
(3) sudo mv 1720081.crt /usr/local/share/ca-certificates
(4) sudo update-ca-certificates

I restarted BOINC and am still getting stuck uploads and reports. Is there something else that needs to be done. I have only been using Linux continually for about 8 months, so I'm sorta a noob. ;)

Have a great day! :)

Siran
CAPT Siran d'Vel'nahr XO
USS Vre'kasht NCC-33187

"Logic is the cement of our civilization with which we ascend from chaos using reason as our guide." - T'Plana-hath
ID: 96994 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Sid Celery

Send message
Joined: 11 Feb 08
Posts: 2130
Credit: 41,424,155
RAC: 16,102
Message 96996 - Posted: 31 May 2020, 13:21:24 UTC - in response to Message 96979.  

Sid Celery wrote:
I'm not sure what anyone at Rosetta can do

They might be able to change the servers’ SSL certificates to ones signed by CAs that aren’t affected by this client problem.

put a Notice out through the Boinc Manager

There might be a chicken-and-egg problem there: if the notices are fetched via HTTPS, and HTTPS isn’t working…

Not being knowledgeable enough myself, I can only hope those "might be's" turn into "can do's"
ID: 96996 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Sid Celery

Send message
Joined: 11 Feb 08
Posts: 2130
Credit: 41,424,155
RAC: 16,102
Message 96997 - Posted: 31 May 2020, 13:25:55 UTC - in response to Message 96983.  

Does Boinc auto-update? If so, Boinc could release a new version with an updated security file.
If it doesn't autoupdate, then Rosetta (and LHC and Numberfields) should email every user and tell them to update Boinc.

It doesn't auto-update, no.
Though it could auto-update Android Boinc if people's Google Play Store settings allow it
ID: 96997 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Sid Celery

Send message
Joined: 11 Feb 08
Posts: 2130
Credit: 41,424,155
RAC: 16,102
Message 96999 - Posted: 31 May 2020, 13:34:45 UTC - in response to Message 96984.  

[quote]Welp, I guess that's two Android devices down for me. One because of issues with BOINC and Android 9.0, plus the fact that I don't charge that device enough to meet the deadlines. One because of this certificate expiring.

I hope this gets resolved before we get a massive wave of tasks timing out.

It only affects some projects, my Androids are doing other project work instead. I only know of LHC, Rosetta, and Numberfields needing the certificate.

I'm running WCG on my two phones now. I am concerned about the impact on this project though.

From the sound of things, I'm inclined to advise people to suspend all Android Rosetta tasks, abort those that haven't started, and switch to run or join WCG's Open Pandemics CV19 tasks.
I can't be sure this issue will be fixed before deadlines and that time is better spent running something productive.
If Admins aren't around until Monday it'll have been 2 days before they can begin to look for a solution and Android deadlines will likely be missed
ID: 96999 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
CasualPhotos

Send message
Joined: 26 Jun 16
Posts: 1
Credit: 1,070,500
RAC: 1,444
Message 97010 - Posted: 31 May 2020, 14:26:37 UTC - in response to Message 96941.  
Last modified: 31 May 2020, 14:27:45 UTC

...Such things should be fixed by BOINC programmers centrally, rather than manually editing certificate file by each user.

I could not agree more. First, this never should have happened. Second, the solution has to be 'pushed' to each client versus having every user manually edit a configuration file on each machine doing work.

While it's well within my capabilities to make the changes it's a matter of professional 'outrage' (I'm a former S/W developer who understands how things should be done) I'm going to leave things as they are until the powers that be correct the problem properly. In the meantime the WGC OpenPandemics project is getting a lot more processing time on my systems.
ID: 97010 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Cartoonman

Send message
Joined: 9 Oct 08
Posts: 13
Credit: 7,274,094
RAC: 284
Message 97011 - Posted: 31 May 2020, 14:39:09 UTC
Last modified: 31 May 2020, 14:40:12 UTC

Update for everyone reading this thread (esp. Android users):

A Github issue has been made and BOINC maintainers have been alerted. Please see https://github.com/BOINC/boinc/issues/3789 for details.

Currently there are workarounds available for Windows and Linux (and possibly Mac as well). Android currently does not appear to have a viable workaround, and an APK update is being pressured.
ID: 97011 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Richard Haselgrove

Send message
Joined: 4 Oct 18
Posts: 4
Credit: 301,393
RAC: 0
Message 97015 - Posted: 31 May 2020, 14:53:38 UTC - in response to Message 97011.  

In addition to making that GitHub issue, I also sent a direct email to the key personnel. But it is the weekend, and there are practical issues regarding gaining access to offices around the world at the moment.
ID: 97015 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Vincent Dark

Send message
Joined: 29 Sep 12
Posts: 1
Credit: 9,235,288
RAC: 1,650
Message 97017 - Posted: 31 May 2020, 15:15:16 UTC
Last modified: 31 May 2020, 15:20:12 UTC

I've tried all the methods above, but noting working on my ubuntu14.04 rigs, so sad.
ID: 97017 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
JohnDK
Avatar

Send message
Joined: 6 Apr 20
Posts: 33
Credit: 2,390,240
RAC: 0
Message 97024 - Posted: 31 May 2020, 15:50:38 UTC - in response to Message 96994.  
Last modified: 31 May 2020, 15:51:07 UTC

Greetings,

I am running Linux Mint v19.3 which is based on Ubuntu. I have done the following procedure:
The procedure that worked for me on Ubuntu 18.04.4:
(1) Download this file: https://crt.sh/?d=1720081
(2) Place "1720081.crt" in Home directory (e.g., move from desktop)
(3) sudo mv 1720081.crt /usr/local/share/ca-certificates
(4) sudo update-ca-certificates

I restarted BOINC and am still getting stuck uploads and reports. Is there something else that needs to be done. I have only been using Linux continually for about 8 months, so I'm sorta a noob. ;)

Have a great day! :)

Siran

Are you 100% sure 1720081.crt was moved to /usr/local/share/ca-certificates before doing sudo update-ca-certificates?

btw if wasn't necessary to restart BOINC for me, it just worked.
ID: 97024 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Profile Siran d'Vel'nahr
Avatar

Send message
Joined: 15 Nov 06
Posts: 72
Credit: 2,674,678
RAC: 0
Message 97025 - Posted: 31 May 2020, 16:07:32 UTC - in response to Message 97024.  

-[ snip ]-

Have a great day! :)

Siran

Are you 100% sure 1720081.crt was moved to /usr/local/share/ca-certificates before doing sudo update-ca-certificates?

btw if wasn't necessary to restart BOINC for me, it just worked.

Hi John,

Yes, I double checked to make sure the file was moved.

I'll be logging into Winders 10 in a bit, so I'll see what happens when I log back into Linux.

I just tried a manual upload restart and got a 23 minute back off from the server. :(

Have a great day! :)

Siran
CAPT Siran d'Vel'nahr XO
USS Vre'kasht NCC-33187

"Logic is the cement of our civilization with which we ascend from chaos using reason as our guide." - T'Plana-hath
ID: 97025 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Jim Brossard

Send message
Joined: 11 Dec 05
Posts: 5
Credit: 2,480,726
RAC: 2,211
Message 97027 - Posted: 31 May 2020, 16:11:39 UTC - in response to Message 97010.  

...Such things should be fixed by BOINC programmers centrally, rather than manually editing certificate file by each user.

I could not agree more. First, this never should have happened. Second, the solution has to be 'pushed' to each client versus having every user manually edit a configuration file on each machine doing work.

While it's well within my capabilities to make the changes it's a matter of professional 'outrage' (I'm a former S/W developer who understands how things should be done) I'm going to leave things as they are until the powers that be correct the problem properly. In the meantime the WGC OpenPandemics project is getting a lot more processing time on my systems.


I have checked the master file at https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt and it also contains the expired cert. It looks like the BOINC team used the latest ca-bundle.crt file available. Blame the maintainers of the ca-bundle.crt file.
ID: 97027 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Profile yoerik
Avatar

Send message
Joined: 24 Mar 20
Posts: 128
Credit: 169,525
RAC: 0
Message 97029 - Posted: 31 May 2020, 16:28:32 UTC - in response to Message 96931.  

I analyzed the ca-bundle.crt file and found out that AddTrust External Root certificate expired today.
I removed the expired certificate part from the file and now everything works normal for me again.

Here is a guide to a quick fix:
Backup all your sensitive data first, This is only tested on 1 computer so far.
Exit BOINC
Open file manager and go to C:ProgramFilesBOINC or wherever you have installed BOINC.
Make a backup copy of ca-bundle.crt just in case my instuctions screw up something.
Right click on ca-bundle.crt and open it with Notepad
Scroll down to AddTrust External Root, Below this is the expired certificate.
Delete everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- including the begin and end lines.
Save the file
Start BOINC and try again.

Please let me know if this works or not.


This worked fine for me, R@H is uploading and downloading again. THANK YOU Gylling!

I did the following (Windows 10):
run command prompt as administrator
cd "/Program Files/BOINC" (using backslashes, which I can't seem to make display OK)
copy ca-bundle.crt ca-bundle.crt.bak
notepad ca-bundle.crt
Ctrl+F External
Delete the following:
AddTrust External Root
======================
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----

Save and exit Notepad
Close command prompt
Go to BOINC Manager
Suspend Rosetta@Home project
Close BOINC Manager
Reopen BOINC Manager
Resume Rosetta@Home project
Select Tools, Retry Pending Transfers from menu (advanced view active - you may need to select View, Advanced View first)[/code]


instead of using command prompt (which I found wasn't working for me, probably did something wrong but *shrug*
I instead used Properties - Security - and gave users full control over that file. Used notepad to edit and could save no issue.
ID: 97029 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Profile keik

Send message
Joined: 8 May 20
Posts: 5
Credit: 43,612
RAC: 0
Message 97031 - Posted: 31 May 2020, 16:44:02 UTC

I have followed threads and GitHub and BOINC still refused to connect so tried few things, and these are my results:

1) download ca-bundle.crt linked by Tony https://boinc.berkeley.edu/forum_thread.php?id=13758&postid=98903#98903
2) copy 1720081.crt certificate from GitHub https://github.com/BOINC/boinc/issues/3789
3) in Tony's crt file search for "COMO" and paste 1720081's certificate string under each already present Comodo related certyficate, then save the file
4) turn off BOINC and don't let it autostart (check BOINC settings and Task Manager "Start up" tab)
5) reset PC
6) before logging into Windows, reset it again and confirm if there's a prompt
7) log in and manually run BOINC
8) let it update and carry on folding
ID: 97031 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Jim Martin

Send message
Joined: 9 Oct 05
Posts: 23
Credit: 1,443,682
RAC: 1,636
Message 97038 - Posted: 31 May 2020, 17:29:29 UTC

Erich, et. al. May I suggest that someone with more authority than I have, notify BOINC software engineering, to up-rev BOINC, with our problem. It's certainly impacted some important wu's. Perhaps, this has already been brought to BOINC's attention. If so, I await uploading ops. to
commence, with the next BOINC rev.
ID: 97038 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Profile hnapel

Send message
Joined: 8 Apr 20
Posts: 8
Credit: 835,346
RAC: 0
Message 97044 - Posted: 31 May 2020, 18:22:48 UTC - in response to Message 97029.  



instead of using command prompt (which I found wasn't working for me, probably did something wrong but *shrug*
I instead used Properties - Security - and gave users full control over that file. Used notepad to edit and could save no issue.


You can also open Notepad as administrator and it will work to save the file after the edit.
ID: 97044 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Previous · 1 · 2 · 3 · 4 · 5 · 6 . . . 9 · Next

Message boards : Number crunching : Peer certificate cannot be authenticated with given CA certificates



©2024 University of Washington
https://www.bakerlab.org