Expired SSL certificates in BOINC Client -- User Action Required

Eric Driver
Project administrator
Project developer
Project tester
Project scientist
Joined: 8 Jul 11
Posts: 1341
Credit: 493,894,121
RAC: 558,810
Message 2794 - Posted: 31 May 2020, 5:27:43 UTC

This was discussed in another thread, and it just occurred to me I should post a news item with more explicit instructions.

The issue is that the BOINC client comes bundled with SSL certificates and these expired earlier today. Here are the basic steps to fix the problem. (Note: this works on Linux and I see no reason why it shouldn't work on Windows too.)
1. Download the new "ca-bundle.crt" file from here:
https://1drv.ms/u/s!AsVDg7OAm7-whqEqBXKHuOie0UoBKA?e=VHwBAP
2. Replace the old ca-bundle.crt file with the new one (it should be in your BOINC root directory).
ID: 2794 · Rating: 0
Richard Haselgrove
Joined: 28 Oct 11
Posts: 180
Credit: 241,761,954
RAC: 143,546
Message 2795 - Posted: 31 May 2020, 6:46:00 UTC - in response to Message 2794.  

> (it should be in your BOINC root directory).
This problem primarily affects Windows, and some (but not all) versions of Linux.

The file needing replacement can be found in the program directory for Windows - most commonly C:\Program Files\BOINC
ID: 2795 · Rating: 0
marsinph
Joined: 13 Apr 18
Posts: 5
Credit: 17,061,620
RAC: 0
Message 2796 - Posted: 31 May 2020, 8:25:07 UTC

Hello,
the CRT file already installed is valid from 1998 till 2028!
Then it will affect all BOINC projects! You are the only one who reports this problem.
And you are not sure it will work under Windows.
Can you be more clear? And first fix the up/download problem.
Server seems to work, but unable to access
31/05/2020 10:22:13 | NumberFields@home | Started upload of wu_sf3_DS-15x271_Grp4792905of6553600_0_r943010916_0
31/05/2020 10:22:13 | NumberFields@home | Started upload of wu_sf3_DS-15x271_Grp4802684of6553600_1_r1358983788_0
31/05/2020 10:22:17 | | Project communication failed: attempting access to reference site
31/05/2020 10:22:17 | NumberFields@home | Temporarily failed upload of wu_sf3_DS-15x271_Grp4792905of6553600_0_r943010916_0: transient HTTP error
31/05/2020 10:22:17 | NumberFields@home | Backing off 00:16:43 on upload of wu_sf3_DS-15x271_Grp4792905of6553600_0_r943010916_0
31/05/2020 10:22:17 | NumberFields@home | Temporarily failed upload of wu_sf3_DS-15x271_Grp4802684of6553600_1_r1358983788_0: transient HTTP error
31/05/2020 10:22:17 | NumberFields@home | Backing off 00:18:17 on upload of wu_sf3_DS-15x271_Grp4802684of6553600_1_r1358983788_0
31/05/2020 10:22:19 | | Internet access OK - project servers may be temporarily down.
31/05/2020 10:23:46 | NumberFields@home | Started upload of wu_sf3_DS-15x271_Grp4792510of6553600_0_r1802548779_0
31/05/2020 10:23:46 | NumberFields@home | Started upload of wu_sf3_DS-15x271_Grp4467611of6553600_1_r143695444_0
31/05/2020 10:23:47 | | Project communication failed: attempting access to reference site
31/05/2020 10:23:47 | NumberFields@home | Temporarily failed upload of wu_sf3_DS-15x271_Grp4792510of6553600_0_r1802548779_0: transient HTTP error
31/05/2020 10:23:47 | NumberFields@home | Backing off 00:10:20 on upload of wu_sf3_DS-15x271_Grp4792510of6553600_0_r1802548779_0
31/05/2020 10:23:47 | NumberFields@home | Temporarily failed upload of wu_sf3_DS-15x271_Grp4467611of6553600_1_r143695444_0: transient HTTP error
31/05/2020 10:23:47 | NumberFields@home | Backing off 00:07:13 on upload of wu_sf3_DS-15x271_Grp4467611of6553600_1_r143695444_0
31/05/2020 10:23:47 | NumberFields@home | Started upload of wu_sf3_DS-15x271_Grp4801304of6553600_0_r17914782_0
31/05/2020 10:23:47 | NumberFields@home | Started upload of wu_sf3_DS-15x271_Grp4806193of6553600_0_r461151290_0
ID: 2796 · Rating: 0
Reaper
Joined: 19 Apr 19
Posts: 3
Credit: 1,586,498
RAC: 0
Message 2797 - Posted: 31 May 2020, 8:42:04 UTC

I have replaced the file and now the upload works. Thx 4 the fast fix!

Best Regards
ID: 2797 · Rating: 0
marsinph
Joined: 13 Apr 18
Posts: 5
Credit: 17,061,620
RAC: 0
Message 2798 - Posted: 31 May 2020, 9:27:23 UTC

Hello,
tested under Win7 and Win10: working!
Seems to have no impact on other projects.
Thanks
ID: 2798 · Rating: 0
Richard Haselgrove
Joined: 28 Oct 11
Posts: 180
Credit: 241,761,954
RAC: 143,546
Message 2799 - Posted: 31 May 2020, 9:29:07 UTC - in response to Message 2796.  

> the CRT file already installed is valid from 1998 till 2028!
The certificate file is a bundle, containing 133 different certificates.

The Microsoft Windows tool only shows you the expiry date of the one on the top of the pile - the first certificate in the bundle.

The problem here is caused by certificate number 6 in the bundle, which expired yesterday. Follow any of the suggestions for editing/replacing your bundle, and you will be able to contact this project's servers again.
ID: 2799 · Rating: 0
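Added example, not part of the original posts and not BOINC code: the point made in Message 2799, that a viewer showing only the first certificate hides an expired entry further down, checked by walking every certificate in a PEM bundle and reading each validity period from the DER. The bundle is constructed inside the script (empty names, dummy signature, sample dates), and all function names are this example's own.

```python
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    text = value.decode("ascii")
    if tag == 0x17:  # two-digit year: RFC 5280 maps 50-99 to 19xx, 00-49 to 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity(raw):
    """Return (not_before, not_after) of one DER-encoded X.509 certificate."""
    _, cert, _ = read_tlv(raw, 0)        # Certificate
    _, tbs, _ = read_tlv(cert, 0)        # tbsCertificate
    tag, _, after_first = read_tlv(tbs, 0)
    pos = after_first if tag == 0xA0 else 0   # skip the optional [0] version
    for _ in range(3):                   # serialNumber, signature, issuer
        _, _, pos = read_tlv(tbs, pos)
    _, val, _ = read_tlv(tbs, pos)       # Validity: notBefore, notAfter
    t1, v1, nxt = read_tlv(val, 0)
    t2, v2, _ = read_tlv(val, nxt)
    return parse_time(t1, v1), parse_time(t2, v2)


def audit_bundle(pem_text, now):
    """One record per certificate in bundle order; index is 1-based."""
    report = []
    for index, m in enumerate(PEM_RE.finditer(pem_text), start=1):
        # b64decode drops CR/LF, so Windows line endings do not matter here
        not_before, not_after = validity(base64.b64decode(m.group(1)))
        report.append({"index": index, "not_before": not_before,
                       "not_after": not_after, "expired": now > not_after})
    return report


# --- constructed sample data (not real CA certificates) ---------------------
def der(tag, body=b""):
    """Minimal DER encoder, used only to build the sample bundle."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body


def sample_cert(not_before, not_after):
    """X.509-shaped stand-in: real field layout, empty names, dummy signature."""
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),   # version v3
        der(0x02, b"\x01"),              # serialNumber
        der(0x30),                       # signature algorithm
        der(0x30),                       # issuer
        der(0x30, der(0x17, not_before) + der(0x17, not_after)),
        der(0x30),                       # subject
        der(0x30),                       # subjectPublicKeyInfo
    ]))
    cert = der(0x30, tbs + der(0x30) + der(0x03, bytes(129)))
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(cert).decode("ascii")
            + "-----END CERTIFICATE-----\n")


# Entry 1 mirrors the 1998-2028 certificate mentioned in the thread; entry 6
# carries a constructed expiry of 30 May 2020.
SAMPLE_BUNDLE = "".join(
    [sample_cert(b"980101000000Z", b"280101000000Z")]
    + [sample_cert(b"100101000000Z", b"300101000000Z")] * 4
    + [sample_cert(b"000530000000Z", b"200530000000Z")])

if __name__ == "__main__":
    when = datetime(2020, 5, 31, tzinfo=timezone.utc)
    for r in audit_bundle(SAMPLE_BUNDLE, when):
        print(r["index"], r["not_before"].date(), r["not_after"].date(),
              "EXPIRED" if r["expired"] else "ok")
```

To check a real file, pass its text and the current time: `audit_bundle(open("ca-bundle.crt").read(), datetime.now(timezone.utc))`.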
PaoloNasca

Joined: 22 Jul 19
Posts: 8
Credit: 1,466,981
RAC: 1,066
Message 2800 - Posted: 31 May 2020, 13:10:40 UTC

After having substituted the ca-bundle.crt, I got a new issue:

Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates.

Ralph@home, Rosetta@home and NumberFields@home have the same certificate issue.

The upload is still stuck.
Here below are the logs
31-May-2020 14:48:19 [ralph@home] Sending scheduler request: Requested by user.
31-May-2020 14:48:19 [ralph@home] Requesting new tasks for CPU
31-May-2020 14:48:20 [ralph@home] Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates
31-May-2020 14:48:23 [---] Project communication failed: attempting access to reference site
31-May-2020 14:48:24 [---] Internet access OK - project servers may be temporarily down.

31-May-2020 14:48:25 [Rosetta@home] Sending scheduler request: Requested by user.
31-May-2020 14:48:25 [Rosetta@home] Requesting new tasks for CPU
31-May-2020 14:48:27 [---] Project communication failed: attempting access to reference site
31-May-2020 14:48:27 [Rosetta@home] Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates
31-May-2020 14:48:28 [---] Internet access OK - project servers may be temporarily down.

31-May-2020 14:49:01 [NumberFields@home] Sending scheduler request: Requested by user.
31-May-2020 14:49:01 [NumberFields@home] Not requesting tasks: don't need (job cache full)
31-May-2020 14:49:02 [---] Project communication failed: attempting access to reference site
31-May-2020 14:49:02 [NumberFields@home] Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates
31-May-2020 14:49:03 [---] Internet access OK - project servers may be temporarily down.
31-May-2020 14:49:28 [NumberFields@home] Started upload of wu_sf3_DS-15x271_Grp4533296of6553600_0_r594049101_0
31-May-2020 14:49:31 [---] Project communication failed: attempting access to reference site
31-May-2020 14:49:31 [NumberFields@home] Temporarily failed upload of wu_sf3_DS-15x271_Grp4533296of6553600_0_r594049101_0: transient HTTP error
31-May-2020 14:49:31 [NumberFields@home] Backing off 02:43:20 on upload of wu_sf3_DS-15x271_Grp4533296of6553600_0_r594049101_0
ID: 2800 · Rating: 0
Eric Driver
Project administrator
Project developer
Project tester
Project scientist
Joined: 8 Jul 11
Posts: 1341
Credit: 493,894,121
RAC: 558,810
Message 2801 - Posted: 31 May 2020, 16:19:10 UTC - in response to Message 2800.  

> After having substituted the ca-bundle.crt, I got a new issue:
>
> Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates.
>
> Ralph@home, Rosetta@home and NumberFields@home have the same certificate issue.
>
> The upload is still stuck.
> Here below are the logs

Is this happening on all your computers or just the one with Windows?
Could you also set the http_debug flag in the event log options to get some more information?
ID: 2801 · Rating: 0
PaoloNasca
Joined: 22 Jul 19
Posts: 8
Credit: 1,466,981
RAC: 1,066
Message 2802 - Posted: 31 May 2020, 16:59:24 UTC - in response to Message 2801.  

Hi Eric
> Is this happening on all your computers or just the one with Windows?

I have 4 PCs. I made the substitution in only one PC (Linux 32bit Ubuntu 12.04.5, BOINC 7.4.22).
Asap I'll test the ca-bundle.crt in the other PCs (Windows and Linux x64)

> Could you also set the http_debug flag in the event log options to get some more information?

Here below are the logs.
Thanks a lot.

31-May-2020 18:38:34 [---] Re-reading cc_config.xml
31-May-2020 18:38:34 [---] Not using a proxy
31-May-2020 18:38:34 [---] Config: GUI RPCs allowed from:
31-May-2020 18:38:34 [---] 192.168.1.198
31-May-2020 18:38:34 [---] 192.168.1.199
31-May-2020 18:38:34 [---] log flags: file_xfer, sched_ops, task, http_debug
31-May-2020 18:38:46 [NumberFields@home] Started upload of wu_sf3_DS-15x271_Grp4533296of6553600_0_r594049101_0
31-May-2020 18:38:46 [NumberFields@home] [http] [ID#7] Info: About to connect() to numberfields.asu.edu port 80 (#1)
31-May-2020 18:38:46 [NumberFields@home] [http] [ID#7] Info: Trying 129.219.51.76...
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Info: Connected to numberfields.asu.edu (129.219.51.76) port 80 (#1)
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Sent header to server: POST /NumberFields_cgi/file_upload_handler/ HTTP/1.1
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Sent header to server: User-Agent: BOINC client (i686-pc-linux-gnu 7.4.22)
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Sent header to server: Host: numberfields.asu.edu
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Sent header to server: Accept: */*
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Sent header to server: Accept-Encoding: deflate, gzip
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Sent header to server: Content-Type: application/x-www-form-urlencoded
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Sent header to server: Accept-Language: en_US
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Sent header to server: Content-Length: 716
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Sent header to server:
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Received header from server: HTTP/1.1 301 Moved Permanently
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Received header from server: Date: Sun, 31 May 2020 16:38:47 GMT
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Received header from server: Server: Apache/2.4.29 (Ubuntu)
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Info: the ioctl callback returned 0
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Received header from server: Location: https://numberfields.asu.edu/NumberFields_cgi/file_upload_handler/
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Received header from server: Content-Length: 360
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Received header from server: Content-Type: text/html; charset=iso-8859-1
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Info: HTTP error before end of send, stop sending
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Received header from server:
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Info: Closing connection #1
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Info: Issue another request to this URL: 'https://numberfields.asu.edu/NumberFields_cgi/file_upload_handler/'
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Info: About to connect() to numberfields.asu.edu port 443 (#1)
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Info: Trying 129.219.51.76...
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Info: Connected to numberfields.asu.edu (129.219.51.76) port 443 (#1)
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Info: successfully set certificate verify locations:
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Info: CAfile: ca-bundle.crt
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Info: CApath: /etc/ssl/certs
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Info: SSLv3, TLS handshake, Client hello (1):
31-May-2020 18:38:48 [NumberFields@home] [http] [ID#7] Info: SSLv3, TLS handshake, Server hello (2):
31-May-2020 18:38:48 [NumberFields@home] [http] [ID#7] Info: SSLv3, TLS handshake, CERT (11):
31-May-2020 18:38:48 [NumberFields@home] [http] [ID#7] Info: SSLv3, TLS alert, Server hello (2):
31-May-2020 18:38:48 [NumberFields@home] [http] [ID#7] Info: SSL certificate problem, verify that the CA cert is OK. Details:
31-May-2020 18:38:48 [NumberFields@home] [http] [ID#7] Info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
31-May-2020 18:38:48 [NumberFields@home] [http] [ID#7] Info: Closing connection #1
31-May-2020 18:38:48 [NumberFields@home] [http] HTTP error: Peer certificate cannot be authenticated with given CA certificates
31-May-2020 18:38:48 [---] Project communication failed: attempting access to reference site
31-May-2020 18:38:48 [---] [http] HTTP_OP::init_get(): http://www.google.com/
31-May-2020 18:38:48 [NumberFields@home] Temporarily failed upload of wu_sf3_DS-15x271_Grp4533296of6553600_0_r594049101_0: transient HTTP error
31-May-2020 18:38:48 [NumberFields@home] Backing off 03:12:28 on upload of wu_sf3_DS-15x271_Grp4533296of6553600_0_r594049101_0
31-May-2020 18:38:48 [---] [http] [ID#0] Info: Re-using existing connection! (#0) with host www.google.com
31-May-2020 18:38:48 [---] [http] [ID#0] Info: Connected to www.google.com (216.58.208.164) port 80 (#0)
31-May-2020 18:38:48 [---] [http] [ID#0] Sent header to server: GET / HTTP/1.1
31-May-2020 18:38:48 [---] [http] [ID#0] Sent header to server: User-Agent: BOINC client (i686-pc-linux-gnu 7.4.22)
31-May-2020 18:38:48 [---] [http] [ID#0] Sent header to server: Host: www.google.com
31-May-2020 18:38:48 [---] [http] [ID#0] Sent header to server: Accept: */*
31-May-2020 18:38:48 [---] [http] [ID#0] Sent header to server: Accept-Encoding: deflate, gzip
31-May-2020 18:38:48 [---] [http] [ID#0] Sent header to server: Content-Type: application/x-www-form-urlencoded
31-May-2020 18:38:48 [---] [http] [ID#0] Sent header to server: Accept-Language: en_US
31-May-2020 18:38:48 [---] [http] [ID#0] Sent header to server:
31-May-2020 18:38:49 [---] [http] [ID#0] Received header from server: HTTP/1.1 200 OK
31-May-2020 18:38:49 [---] [http] [ID#0] Received header from server: Date: Sun, 31 May 2020 16:38:49 GMT
31-May-2020 18:38:49 [---] [http] [ID#0] Received header from server: Expires: -1
31-May-2020 18:38:49 [---] [http] [ID#0] Received header from server: Cache-Control: private, max-age=0
31-May-2020 18:38:49 [---] [http] [ID#0] Received header from server: Content-Type: text/html; charset=ISO-8859-1
31-May-2020 18:38:49 [---] [http] [ID#0] Received header from server: P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
31-May-2020 18:38:49 [---] [http] [ID#0] Received header from server: Content-Encoding: gzip
31-May-2020 18:38:49 [---] [http] [ID#0] Received header from server: Server: gws
31-May-2020 18:38:49 [---] [http] [ID#0] Received header from server: Content-Length: 5461
31-May-2020 18:38:49 [---] [http] [ID#0] Received header from server: X-XSS-Protection: 0
31-May-2020 18:38:49 [---] [http] [ID#0] Received header from server: X-Frame-Options: SAMEORIGIN
31-May-2020 18:38:49 [---] [http] [ID#0] Received header from server: Set-Cookie: 1P_JAR=2020-05-31-16; expires=Tue, 30-Jun-2020 16:38:49 GMT; path=/; domain=.google.com; Secure
31-May-2020 18:38:49 [---] [http] [ID#0] Received header from server: Set-Cookie: NID=204=S1IbZM4cTKbET9-0-Ns97GKD3Arg1mUPPMB0cZVgY3U7qFl8a_ykJbD0BthOkMOmTnMWjJ3HZB0VBKiFfVn9MFHJdYXAAWGX1rIB3V9JSyhNn1N98xaadxR-ibCuOoMMQCw2VptnNUt5terTGA8XtN8beeqRaKYEXRjkwLIudWU; expires=Mon, 30-Nov-2020 16:38:49 GMT; path=/; domain=.google.com; HttpOnly
31-May-2020 18:38:49 [---] [http] [ID#0] Received header from server:
31-May-2020 18:38:49 [---] [http] [ID#0] Info: Connection #0 to host www.google.com left intact
31-May-2020 18:38:49 [---] Internet access OK - project servers may be temporarily down.
31-May-2020 18:39:42 [NumberFields@home] update requested by user
31-May-2020 18:39:43 [---] [http] HTTP_OP::init_get(): https://numberfields.asu.edu/NumberFields/notices.php?userid=95159&auth=95159_12c786ec4d500376aebb3541de0775d2
31-May-2020 18:39:43 [---] [http] [ID#0] Info: About to connect() to numberfields.asu.edu port 443 (#1)
31-May-2020 18:39:43 [---] [http] [ID#0] Info: Trying 129.219.51.76...
31-May-2020 18:39:43 [---] [http] [ID#0] Info: Connected to numberfields.asu.edu (129.219.51.76) port 443 (#1)
31-May-2020 18:39:43 [---] [http] [ID#0] Info: successfully set certificate verify locations:
31-May-2020 18:39:43 [---] [http] [ID#0] Info: CAfile: ca-bundle.crt
31-May-2020 18:39:43 [---] [http] [ID#0] Info: CApath: /etc/ssl/certs
31-May-2020 18:39:43 [---] [http] [ID#0] Info: SSLv3, TLS handshake, Client hello (1):
31-May-2020 18:39:43 [---] [http] [ID#0] Info: SSLv3, TLS handshake, Server hello (2):
31-May-2020 18:39:43 [---] [http] [ID#0] Info: SSLv3, TLS handshake, CERT (11):
31-May-2020 18:39:43 [---] [http] [ID#0] Info: SSLv3, TLS alert, Server hello (2):
31-May-2020 18:39:43 [---] [http] [ID#0] Info: SSL certificate problem, verify that the CA cert is OK. Details:
31-May-2020 18:39:43 [---] [http] [ID#0] Info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
31-May-2020 18:39:43 [---] [http] [ID#0] Info: Closing connection #1
31-May-2020 18:39:43 [---] [http] HTTP error: Peer certificate cannot be authenticated with given CA certificates
31-May-2020 18:39:46 [NumberFields@home] Sending scheduler request: Requested by user.
31-May-2020 18:39:46 [NumberFields@home] Not requesting tasks: don't need (not highest priority project)
31-May-2020 18:39:46 [NumberFields@home] [http] HTTP_OP::init_post(): https://numberfields.asu.edu/NumberFields_cgi/cgi
31-May-2020 18:39:46 [NumberFields@home] [http] [ID#1] Info: About to connect() to numberfields.asu.edu port 443 (#1)
31-May-2020 18:39:46 [NumberFields@home] [http] [ID#1] Info: Trying 129.219.51.76...
31-May-2020 18:39:46 [NumberFields@home] [http] [ID#1] Info: Connected to numberfields.asu.edu (129.219.51.76) port 443 (#1)
31-May-2020 18:39:46 [NumberFields@home] [http] [ID#1] Info: successfully set certificate verify locations:
31-May-2020 18:39:46 [NumberFields@home] [http] [ID#1] Info: CAfile: ca-bundle.crt
31-May-2020 18:39:46 [NumberFields@home] [http] [ID#1] Info: CApath: /etc/ssl/certs
31-May-2020 18:39:46 [NumberFields@home] [http] [ID#1] Info: SSLv3, TLS handshake, Client hello (1):
31-May-2020 18:39:46 [NumberFields@home] [http] [ID#1] Info: SSLv3, TLS handshake, Server hello (2):
31-May-2020 18:39:47 [NumberFields@home] [http] [ID#1] Info: SSLv3, TLS handshake, CERT (11):
31-May-2020 18:39:47 [NumberFields@home] [http] [ID#1] Info: SSLv3, TLS alert, Server hello (2):
31-May-2020 18:39:47 [NumberFields@home] [http] [ID#1] Info: SSL certificate problem, verify that the CA cert is OK. Details:
31-May-2020 18:39:47 [NumberFields@home] [http] [ID#1] Info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
31-May-2020 18:39:47 [NumberFields@home] [http] [ID#1] Info: Closing connection #1
31-May-2020 18:39:47 [NumberFields@home] [http] HTTP error: Peer certificate cannot be authenticated with given CA certificates
31-May-2020 18:39:47 [---] Project communication failed: attempting access to reference site
31-May-2020 18:39:47 [---] [http] HTTP_OP::init_get(): http://www.google.com/
31-May-2020 18:39:47 [NumberFields@home] Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates
31-May-2020 18:39:47 [---] [http] [ID#0] Info: Re-using existing connection! (#0) with host www.google.com
31-May-2020 18:39:47 [---] [http] [ID#0] Info: Connected to www.google.com (216.58.208.164) port 80 (#0)
31-May-2020 18:39:47 [---] [http] [ID#0] Sent header to server: GET / HTTP/1.1
31-May-2020 18:39:47 [---] [http] [ID#0] Sent header to server: User-Agent: BOINC client (i686-pc-linux-gnu 7.4.22)
31-May-2020 18:39:47 [---] [http] [ID#0] Sent header to server: Host: www.google.com
31-May-2020 18:39:47 [---] [http] [ID#0] Sent header to server: Accept: */*
31-May-2020 18:39:47 [---] [http] [ID#0] Sent header to server: Accept-Encoding: deflate, gzip
31-May-2020 18:39:47 [---] [http] [ID#0] Sent header to server: Content-Type: application/x-www-form-urlencoded
31-May-2020 18:39:47 [---] [http] [ID#0] Sent header to server: Accept-Language: en_US
31-May-2020 18:39:47 [---] [http] [ID#0] Sent header to server:
31-May-2020 18:39:48 [---] [http] [ID#0] Received header from server: HTTP/1.1 200 OK
31-May-2020 18:39:48 [---] [http] [ID#0] Received header from server: Date: Sun, 31 May 2020 16:39:48 GMT
31-May-2020 18:39:48 [---] [http] [ID#0] Received header from server: Expires: -1
31-May-2020 18:39:48 [---] [http] [ID#0] Received header from server: Cache-Control: private, max-age=0
31-May-2020 18:39:48 [---] [http] [ID#0] Received header from server: Content-Type: text/html; charset=ISO-8859-1
31-May-2020 18:39:48 [---] [http] [ID#0] Received header from server: P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
31-May-2020 18:39:48 [---] [http] [ID#0] Received header from server: Content-Encoding: gzip
31-May-2020 18:39:48 [---] [http] [ID#0] Received header from server: Server: gws
31-May-2020 18:39:48 [---] [http] [ID#0] Received header from server: Content-Length: 5429
31-May-2020 18:39:48 [---] [http] [ID#0] Received header from server: X-XSS-Protection: 0
31-May-2020 18:39:48 [---] [http] [ID#0] Received header from server: X-Frame-Options: SAMEORIGIN
31-May-2020 18:39:48 [---] [http] [ID#0] Received header from server: Set-Cookie: 1P_JAR=2020-05-31-16; expires=Tue, 30-Jun-2020 16:39:48 GMT; path=/; domain=.google.com; Secure
31-May-2020 18:39:48 [---] [http] [ID#0] Received header from server: Set-Cookie: NID=204=Y1rrTSAELQ8BQcNu2RPVzsg_rCZLmZn7ZXJLzctesxVw3l3liJRTIRJzjYE8eszeyoIj_BDu41iXmfXakrWWHwfN538Gghj1ZcsKCVZ-XE0M6u6YoX9An8NpPqQX2prW-0AXJpipu6QXzWDdI1rZwVh6MG76vAw_yadQ2fYTDgo; expires=Mon, 30-Nov-2020 16:39:48 GMT; path=/; domain=.google.com; HttpOnly
31-May-2020 18:39:48 [---] [http] [ID#0] Received header from server:
31-May-2020 18:39:48 [---] [http] [ID#0] Info: Connection #0 to host www.google.com left intact
31-May-2020 18:39:48 [---] Internet access OK - project servers may be temporarily down.
ID: 2802 · Rating: 0
Steve Dodd
Joined: 6 Jun 12
Posts: 3
Credit: 12,076,243
RAC: 0
Message 2803 - Posted: 31 May 2020, 17:40:37 UTC

Just replaced ca-bundle on Windows 10 machine, retried uploads with success.
ID: 2803 · Rating: 0
Eric Driver
Project administrator
Project developer
Project tester
Project scientist
Joined: 8 Jul 11
Posts: 1341
Credit: 493,894,121
RAC: 558,810
Message 2804 - Posted: 31 May 2020, 18:25:51 UTC - in response to Message 2802.  

> 31-May-2020 18:38:48 [NumberFields@home] [http] [ID#7] Info: SSL certificate problem, verify that the CA cert is OK.


Hi Paolo,

This error message is different from previous error messages which explicitly said the certificate had expired. This message tells me there is something wrong with the ca-bundle.crt file. Could it be the classic Windows/Linux line ending problem? The file worked for me as is, but then again I use Fedora. You could try running dos2unix on it to see if that helps.
ID: 2804 · Rating: 0
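Added example, not part of the original posts and not BOINC code: a small parser for `http_debug` lines in the format of the log in Message 2802. For each TLS connection attempt that ended in an OpenSSL error it reports the host, the CAfile and CApath the client had loaded, and the error reason, so the trust locations to inspect are visible at a glance. The sample lines are abridged from that log; the function and field names are this example's own.

```python
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<project>[^\]]*)\] \[http\] "
    r"\[ID#(?P<conn>\d+)\] Info:\s*(?P<msg>.*)$")
CONNECT_RE = re.compile(r"About to connect\(\) to (\S+) port (\d+)")

# Abridged from the http_debug log posted in the thread.
SAMPLE_LOG = """\
31-May-2020 18:38:46 [NumberFields@home] [http] [ID#7] Info: About to connect() to numberfields.asu.edu port 80 (#1)
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Info: Closing connection #1
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Info: About to connect() to numberfields.asu.edu port 443 (#1)
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Info: successfully set certificate verify locations:
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Info: CAfile: ca-bundle.crt
31-May-2020 18:38:47 [NumberFields@home] [http] [ID#7] Info: CApath: /etc/ssl/certs
31-May-2020 18:38:48 [NumberFields@home] [http] [ID#7] Info: SSLv3, TLS handshake, CERT (11):
31-May-2020 18:38:48 [NumberFields@home] [http] [ID#7] Info: SSL certificate problem, verify that the CA cert is OK. Details:
31-May-2020 18:38:48 [NumberFields@home] [http] [ID#7] Info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
31-May-2020 18:38:48 [NumberFields@home] [http] [ID#7] Info: Closing connection #1
31-May-2020 18:38:48 [NumberFields@home] [http] HTTP error: Peer certificate cannot be authenticated with given CA certificates
31-May-2020 18:38:49 [---] [http] [ID#0] Info: Connection #0 to host www.google.com left intact
"""


def tls_failures(log_text):
    """Return one dict per connection attempt that logged an OpenSSL error."""
    open_attempts = {}   # (project, connection id) -> attempt in progress
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an [http] "Info:" line
        key = (m["project"], m["conn"])
        msg = m["msg"]
        started = CONNECT_RE.search(msg)
        if started:                       # IDs are reused, so restart here
            open_attempts[key] = {
                "time": m["ts"], "project": m["project"],
                "host": started[1], "port": int(started[2]),
                "cafile": None, "capath": None, "reason": None}
            continue
        attempt = open_attempts.get(key)
        if attempt is None:
            continue
        if msg.startswith("CAfile:"):
            attempt["cafile"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("CApath:"):
            attempt["capath"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("error:"):    # OpenSSL error string, reason is last
            attempt["reason"] = msg.rsplit(":", 1)[1].strip()
        elif msg.startswith("Closing connection"):
            if attempt["reason"]:
                failures.append(attempt)
            del open_attempts[key]
    return failures


if __name__ == "__main__":
    for f in tls_failures(SAMPLE_LOG):
        print(f)
```

In the sample both a CAfile and a CApath are reported for the failed handshake, so the bundle in the BOINC directory and the system store under `/etc/ssl/certs` are both places to check.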
PaoloNasca

Joined: 22 Jul 19
Posts: 8
Credit: 1,466,981
RAC: 1,066
Message 2805 - Posted: 31 May 2020, 18:46:16 UTC - in response to Message 2803.  

> Just replaced ca-bundle on Windows 10 machine, retried uploads with success.


Thank you very much, Steve Dodd.
The Windows machine now works fine.
The upload of NumberField and Rosetta WUs works.

@Eric Driver
I think the root cause of the issue in my old Linux x32 is SSLv3, maybe the certificate doesn't work with old and deprecated SSLv3.
The certificate works fine in the Windows 10 x64 machine because Windows uses TLSv1.2!!
ID: 2805 · Rating: 0
Eric Driver
Project administrator
Project developer
Project tester
Project scientist
Joined: 8 Jul 11
Posts: 1341
Credit: 493,894,121
RAC: 558,810
Message 2806 - Posted: 31 May 2020, 21:41:09 UTC - in response to Message 2805.  

> > Just replaced ca-bundle on Windows 10 machine, retried uploads with success.
>
> Thank you very much, Steve Dodd.
> The Windows machine now works fine.
> The upload of NumberField and Rosetta WUs works.
>
> @Eric Driver
> I think the root cause of the issue in my old Linux x32 is SSLv3, maybe the certificate doesn't work with old and deprecated SSLv3.
> The certificate works fine in the Windows 10 x64 machine because Windows uses TLSv1.2!!


I'm not well versed in the different SSL versions. If I run "openssl version -a", I get OpenSSL 1.1.1g as my version and the supported ciphers are TLSv1.0, TLSv1.1, and TLSv1.2. I don't know what "SSLv3" is. If that is a deprecated protocol as you suggest, then yes, that is most likely your problem.
ID: 2806 · Rating: 0
PaoloNasca
Joined: 22 Jul 19
Posts: 8
Credit: 1,466,981
RAC: 1,066
Message 2807 - Posted: 1 Jun 2020, 8:27:54 UTC - in response to Message 2806.  

> I'm not well versed in the different SSL versions. If I run "openssl version -a", I get OpenSSL 1.1.1g as my version and the supported ciphers are TLSv1.0, TLSv1.1, and TLSv1.2. I don't know what "SSLv3" is. If that is a deprecated protocol as you suggest, then yes, that is most likely your problem.


Hi Eric and hi folks,
Please forget my post about SSLv3 vs TLSv1.2. It was a big mistake.

Now my old Linux Ubuntu 12 x32 works fine.

I don’t know what the winning procedure was, so I share all the tasks I did.
*) Alternately I used the ca-bundle.crt Eric gave us, the ca-bundle.crt from the post thread Rosetta and the original ca-bundle.crt from BOINC package 7.4.22.
*) I put “!” at the beginning of the entry mozilla/AddTrust_External_Root.crt in the file /etc/ca-certificates.conf.
*) After each change, I executed update-ca-certificates two times.
ID: 2807 · Rating: 0
Richard Haselgrove
Joined: 28 Oct 11
Posts: 180
Credit: 241,761,954
RAC: 143,546
Message 2808 - Posted: 1 Jun 2020, 9:30:51 UTC

If any Windows user, 64-bit only, is still affected by this, there is a hotfix v7.16.7 of BOINC available from https://boinc.berkeley.edu/download.php
ID: 2808 · Rating: 0
Vitaly
Joined: 5 Jan 13
Posts: 43
Credit: 41,024,048
RAC: 1,387
Message 2816 - Posted: 8 Jun 2020, 19:52:10 UTC - in response to Message 2808.  

It looks like overall speed is reduced after this incident.
ID: 2816 · Rating: 0
Eric Driver
Project administrator
Project developer
Project tester
Project scientist
Joined: 8 Jul 11
Posts: 1341
Credit: 493,894,121
RAC: 558,810
Message 2817 - Posted: 8 Jun 2020, 20:50:16 UTC - in response to Message 2816.  

> It looks like overall speed is reduced after this incident.


Yes, speed has dropped significantly since the Pentathlon finished. I have been watching the stats page and it seems the big dogs have been slowly dropping- charity engine, grcpool, etc.

There was a drop before the pentathlon which I am pretty sure is related to Covid19. But I agree the recent drops are due to the SSL certificate issue. Not sure what to do about it, and I don't think disabling SSL is a good idea.
ID: 2817 · Rating: 0
Richard Haselgrove
Joined: 28 Oct 11
Posts: 180
Credit: 241,761,954
RAC: 143,546
Message 2819 - Posted: 8 Jun 2020, 21:54:34 UTC - in response to Message 2817.  

> But I agree the recent drops are due to the SSL certificate issue. Not sure what to do about it, and I don't think disabling SSL is a good idea.
Both LHC@home and Rosetta@home managed to modify their server certificates in a way that enabled work to flow even for people with the older client version / certificate bundle. You could reach out to those two projects, either over the BOINC projects email list, or privately in case they don't want to be public about their security settings.
ID: 2819 · Rating: 0
Eric Driver
Project administrator
Project developer
Project tester
Project scientist
Joined: 8 Jul 11
Posts: 1341
Credit: 493,894,121
RAC: 558,810
Message 2822 - Posted: 9 Jun 2020, 0:58:54 UTC - in response to Message 2819.  

> > But I agree the recent drops are due to the SSL certificate issue. Not sure what to do about it, and I don't think disabling SSL is a good idea.
>
> Both LHC@home and Rosetta@home managed to modify their server certificates in a way that enabled work to flow even for people with the older client version / certificate bundle. You could reach out to those two projects, either over the BOINC projects email list, or privately in case they don't want to be public about their security settings.


I did try something yesterday, but I'm not sure yet if it worked. I'll reach out to them to see what they did.
ID: 2822 · Rating: 0
[AF>Libristes] Dudumomo
Joined: 21 Sep 11
Posts: 3
Credit: 17,155,801
RAC: 0
Message 2823 - Posted: 9 Jun 2020, 15:48:38 UTC - in response to Message 2822.  

Hello,
It seems this modification impacts more than upload/download.
It seems some statistics websites are also having issues retrieving the data:
https://statsbzh.boinc-af.org/formulamt.php?project_id=numberfieldsathome&

Will need to get around
MyUneo, the Cupid of Service
ID: 2823 · Rating: 0


Copyright © 2024 Arizona State University