Message boards : Number crunching : Peer certificate cannot be authenticated with given CA certificates
Author | Message |
---|---|
Mr P Hucker Send message Joined: 12 Aug 06 Posts: 1600 Credit: 11,829,566 RAC: 12,958 |
Got this error with Rosetta and LHC 11:01am UTC 30th May 2020. On all my (Windows 10) machines, while requesting work. "Peer certificate cannot be authenticated with given CA certificates" But Universe and Einstein and Milkyway are ok. Any ideas what screwed up? My computer? Both Rosetta and LHC at once? Boinc in general? |
Timo Send message Joined: 9 Jan 12 Posts: 185 Credit: 45,649,459 RAC: 0 |
I'm seeing the same error message in the event log as of this morning and a number of tasks are stuck in 'uploading' status. I suspect this is only affecting one of my machines which I switched to Rosetta@Home's new SSL URL, which makes sense. Unfortunate timing for this to happen on a Saturday.

38 cores crunching for R@H on behalf of cancercomputer.org - a non-profit supporting High Performance Computing in Cancer Research |
Mr P Hucker Send message Joined: 12 Aug 06 Posts: 1600 Credit: 11,829,566 RAC: 12,958 |
> I'm seeing the same error message in the event log as of this morning and a number of tasks are stuck in 'uploading' status.

It happened on all my computers at once (all on SSL URL), and also on LHC (but not Einstein, Milkyway, or Universe). Perhaps Rosetta only bought a one month contract with whoever gives these certificates out? But strange LHC ran out at the same time, in another country! |
Gylling Send message Joined: 26 Mar 20 Posts: 9 Credit: 360,665 RAC: 0 |
I have the same problem on all my computers. All are switched to SSL. |
Mr P Hucker Send message Joined: 12 Aug 06 Posts: 1600 Credit: 11,829,566 RAC: 12,958 |
> I have the same problem on all my computers. All are switched to SSL.

This is odd. Einstein and Milkyway don't use SSL, so I'll ignore those. But Universe, Rosetta, and LHC all do. So how come Universe still works and LHC and Rosetta failed at once? |
ArcSedna Send message Joined: 23 Oct 11 Posts: 14 Credit: 69,718,938 RAC: 45,875 |
I'm having this issue too. I have Windows 10 (boinc 7.16.5), macOS 10.15.5 (boinc 7.16.6), and Manjaro Linux (boinc 7.16.6) machines, and only Windows machines are getting this error. macOS and Linux machines are downloading/uploading normally. |
Gylling Send message Joined: 26 Mar 20 Posts: 9 Credit: 360,665 RAC: 0 |
I turned on additional event log options. Might be caused by the ca-bundle.crt file:

15:57:36 | Rosetta@home | update requested by user
15:57:36 | | [network_status] status: don't need connection
15:57:36 | | [http] HTTP_OP::init_get(): https://boinc.bakerlab.org/rosetta/notices.php?userid=2121xxx&auth=2121xxx_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
15:57:36 | | [http] HTTP_OP::libcurl_exec(): ca-bundle set
15:57:36 | | [http] [ID#0] Info: Connection 27 seems to be dead!
15:57:36 | | [http] [ID#0] Info: Closing connection 27
15:57:37 | | [http] [ID#0] Info: Trying 128.95.160.157...
15:57:37 | | [http] [ID#0] Info: Connected to boinc.bakerlab.org (128.95.160.157) port 443 (#28)
15:57:37 | | [http] [ID#0] Info: ALPN, offering http/1.1
15:57:37 | | [http] [ID#0] Info: Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
15:57:37 | | [http] [ID#0] Info: successfully set certificate verify locations:
15:57:37 | | [http] [ID#0] Info: CAfile: X:XXXXXXBOINCca-bundle.crt
15:57:37 | | [http] [ID#0] Info: CApath: none
15:57:37 | | [http] [ID#0] Info: TLSv1.2 (OUT), TLS header, Certificate Status (22):
15:57:37 | | [http] [ID#0] Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
15:57:37 | | [http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
15:57:37 | | [http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
15:57:37 | | [http] [ID#0] Info: TLSv1.2 (OUT), TLS alert, Server hello (2):
15:57:37 | | [http] [ID#0] Info: SSL certificate problem: certificate has expired
15:57:37 | | [http] [ID#0] Info: Closing connection 28
15:57:37 | | [http] HTTP error: Peer certificate cannot be authenticated with given CA certificates
15:57:37 | | [network_status] status: online
15:57:38 | | [network_status] status: online
15:57:39 | Rosetta@home | Sending scheduler request: Requested by user.
15:57:39 | Rosetta@home | Reporting 1 completed tasks
15:57:39 | Rosetta@home | Requesting new tasks for CPU
15:57:39 | Rosetta@home | [http] HTTP_OP::init_post(): https://bwsrv1.bakerlab.org/rosetta_cgi/cgi
15:57:39 | Rosetta@home | [http] HTTP_OP::libcurl_exec(): ca-bundle set
15:57:40 | | [network_status] status: online
15:57:40 | Rosetta@home | [http] [ID#1] Info: Trying 128.95.160.156...
15:57:40 | Rosetta@home | [http] [ID#1] Info: Connected to bwsrv1.bakerlab.org (128.95.160.156) port 443 (#29)
15:57:40 | Rosetta@home | [http] [ID#1] Info: ALPN, offering http/1.1
15:57:40 | Rosetta@home | [http] [ID#1] Info: Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
15:57:40 | Rosetta@home | [http] [ID#1] Info: successfully set certificate verify locations:
15:57:40 | Rosetta@home | [http] [ID#1] Info: CAfile: X:XXXXXXBOINCca-bundle.crt
15:57:40 | Rosetta@home | [http] [ID#1] Info: CApath: none
15:57:40 | Rosetta@home | [http] [ID#1] Info: TLSv1.2 (OUT), TLS header, Certificate Status (22):
15:57:40 | Rosetta@home | [http] [ID#1] Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
15:57:40 | Rosetta@home | [http] [ID#1] Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
15:57:40 | Rosetta@home | [http] [ID#1] Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
15:57:40 | Rosetta@home | [http] [ID#1] Info: TLSv1.2 (OUT), TLS alert, Server hello (2):
15:57:40 | Rosetta@home | [http] [ID#1] Info: SSL certificate problem: certificate has expired
15:57:40 | Rosetta@home | [http] [ID#1] Info: Closing connection 29
15:57:40 | | [network_status] got HTTP error - checking ref site
15:57:40 | Rosetta@home | [http] HTTP error: Peer certificate cannot be authenticated with given CA certificates
15:57:41 | | [network_status] status: reference site lookup pending
15:57:41 | | [network_status] need_phys_conn 0; trying https://www.google.com/
15:57:41 | | Project communication failed: attempting access to reference site
15:57:41 | | [http] HTTP_OP::init_get(): https://www.google.com/
15:57:41 | | [http] HTTP_OP::libcurl_exec(): ca-bundle set
15:57:41 | Rosetta@home | Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates
15:57:42 | | [network_status] status: reference site lookup pending
15:57:42 | | [http] [ID#0] Info: Trying 172.217.21.164...
15:57:42 | | [http] [ID#0] Info: Connected to www.google.com (172.217.21.164) port 443 (#30)
15:57:42 | | [http] [ID#0] Info: ALPN, offering http/1.1
15:57:42 | | [http] [ID#0] Info: Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
15:57:42 | | [http] [ID#0] Info: successfully set certificate verify locations:
15:57:42 | | [http] [ID#0] Info: CAfile: X:XXXXXXBOINCca-bundle.crt
15:57:42 | | [http] [ID#0] Info: CApath: none
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (OUT), TLS header, Certificate Status (22):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Server key exchange (12):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Server finished (14):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (OUT), TLS change cipher, Client hello (1):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (OUT), TLS handshake, Finished (20):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (IN), TLS change cipher, Client hello (1):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Finished (20):
15:57:42 | | [http] [ID#0] Info: SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
15:57:42 | | [http] [ID#0] Info: ALPN, server accepted to use http/1.1
15:57:42 | | [http] [ID#0] Info: Server certificate:
15:57:42 | | [http] [ID#0] Info: subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=www.google.com
15:57:42 | | [http] [ID#0] Info: start date: May 5 08:31:24 2020 GMT
15:57:42 | | [http] [ID#0] Info: expire date: Jul 28 08:31:24 2020 GMT
15:57:42 | | [http] [ID#0] Info: subjectAltName: www.google.com matched
15:57:42 | | [http] [ID#0] Info: issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
15:57:42 | | [http] [ID#0] Info: SSL certificate verify ok. |
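One way to triage a log like the one above, as an added example that is not part of the original thread: it pairs each verification outcome with the host and CA file of the connection that produced it, so the underlying OpenSSL reason is visible per host alongside the hosts that still verify against the same bundle. The function names `tls_verdicts` and `triage` are hypothetical, and the sample input is excerpted from the log lines quoted in the post.

```python
import re
from collections import namedtuple

Verdict = namedtuple("Verdict", "time host cafile ok reason")
LINE = re.compile(r"^(\d\d:\d\d:\d\d) \|[^|]*\| \[http\] \[(ID#\d+)\] Info:\s+(.*)$")

# Sample input: excerpted from the event log quoted in the post above.
SAMPLE_LOG = """\
15:57:37 | | [http] [ID#0] Info: Connected to boinc.bakerlab.org (128.95.160.157) port 443 (#28)
15:57:37 | | [http] [ID#0] Info: CAfile: X:XXXXXXBOINCca-bundle.crt
15:57:37 | | [http] [ID#0] Info: SSL certificate problem: certificate has expired
15:57:40 | Rosetta@home | [http] [ID#1] Info: Connected to bwsrv1.bakerlab.org (128.95.160.156) port 443 (#29)
15:57:40 | Rosetta@home | [http] [ID#1] Info: CAfile: X:XXXXXXBOINCca-bundle.crt
15:57:40 | Rosetta@home | [http] [ID#1] Info: SSL certificate problem: certificate has expired
15:57:42 | | [http] [ID#0] Info: Connected to www.google.com (172.217.21.164) port 443 (#30)
15:57:42 | | [http] [ID#0] Info: CAfile: X:XXXXXXBOINCca-bundle.crt
15:57:42 | | [http] [ID#0] Info: SSL certificate verify ok.
"""

def tls_verdicts(log_text):
    """Return one Verdict per certificate-verification outcome in the log."""
    state, verdicts = {}, []          # state: handle id -> current host / CA file
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                  # lines without a handle id carry no TLS detail
        time, handle, msg = m.groups()
        conn = state.setdefault(handle, {"host": None, "cafile": None})
        if msg.startswith("Connected to "):
            state[handle] = {"host": msg.split()[2], "cafile": None}  # ids are reused
        elif msg.startswith("CAfile:"):
            conn["cafile"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("SSL certificate problem:"):
            reason = msg.split(":", 1)[1].strip()
            verdicts.append(Verdict(time, conn["host"], conn["cafile"], False, reason))
        elif msg == "SSL certificate verify ok.":
            verdicts.append(Verdict(time, conn["host"], conn["cafile"], True, None))
    return verdicts

def triage(verdicts):
    """Per CA file: hosts that verified, and hosts that failed with the reason."""
    report = {}
    for v in verdicts:
        entry = report.setdefault(v.cafile, {"ok": [], "failed": {}})
        if v.ok:
            entry["ok"].append(v.host)
        else:
            entry["failed"][v.host] = v.reason
    return report
```

On the sample, `triage(tls_verdicts(SAMPLE_LOG))` lists both bakerlab.org hosts as failed with "certificate has expired" and www.google.com as verified, all against the same CA file.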
Gylling Send message Joined: 26 Mar 20 Posts: 9 Credit: 360,665 RAC: 0 |
I analyzed the ca-bundle.crt file and found out that AddTrust External Root certificate expired today. I removed the expired certificate part from the file and now everything works normal for me again.

Here is a guide to a quick fix:
Backup all your sensitive data first. This is only tested on 1 computer so far.
Exit BOINC
Open file manager and go to C:\ProgramFiles\BOINC or wherever you have installed BOINC.
Make a backup copy of ca-bundle.crt just in case my instructions screw up something.
Right click on ca-bundle.crt and open it with Notepad
Scroll down to AddTrust External Root. Below this is the expired certificate.
Delete everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- including the begin and end lines.
Save the file
Start BOINC and try again.

Please let me know if this works or not. |
Toby Broom Send message Joined: 15 Oct 08 Posts: 11 Credit: 18,732,062 RAC: 7 |
I got the new Add trust certificate from the main BOINC site. It worked fine with updated certs, I didn't even restart. https://boinc.berkeley.edu/forum_thread.php?id=13758 |
SootAndShale Send message Joined: 7 Apr 20 Posts: 1 Credit: 1,642,999 RAC: 0 |
Thanks Gylling, that's fixed my system too. |
Mr P Hucker Send message Joined: 12 Aug 06 Posts: 1600 Credit: 11,829,566 RAC: 12,958 |
> I got the new Add trust certificate from the main BOINC site.

Excellent, thanks, I just pasted that into mine without restarting Boinc and it works. How are you going to get that new file to everyone else? |
Toby Broom Send message Joined: 15 Oct 08 Posts: 11 Credit: 18,732,062 RAC: 7 |
|
Brian Nixon Send message Joined: 12 Apr 20 Posts: 293 Credit: 8,432,366 RAC: 0 |
Adding a new certificate should not be necessary, as the required COMODO entry should already be present in ca-bundle.crt. You should only need to remove the expired one, as Gylling wrote. You shouldn’t even need to restart BOINC. Background information: Sectigo AddTrust External CA Root Expiring May 30, 2020 |
Sid Celery Send message Joined: 11 Feb 08 Posts: 2124 Credit: 41,217,838 RAC: 10,815 |
> Here is a link for people that trust me

This worked for me on both my desktop and laptop, but when I tried to go there on my Android phone the file wouldn't install - saying something like "no certificate to install". How would I go about it on a phone please? |
Mr P Hucker Send message Joined: 12 Aug 06 Posts: 1600 Credit: 11,829,566 RAC: 12,958 |
> Here is a link for people that trust me

Should be possible, but someone with more technical knowledge than me needs to interpret this: https://cheapsslsecurity.com/blog/install-ssl-certificate-on-android/ |
Curt3g Send message Joined: 30 Mar 20 Posts: 4 Credit: 1,908,126 RAC: 0 |
> I analyzed the ca-bundle.crt file and found out that AddTrust External Root certificate expired today.

Worked like a charm. Thanks much! |
Jim1348 Send message Joined: 19 Jan 06 Posts: 881 Credit: 52,257,545 RAC: 0 |
On Linux, it is a bit more involved. The general discussion is here: https://boinc.berkeley.edu/forum_thread.php?id=13758

The procedure that worked for me on Ubuntu 18.04.4:
(1) Download this file: https://crt.sh/?d=1720081
(2) Place "1720081.crt" in Home directory (e.g., move from desktop)
(3) sudo mv 1720081.crt /usr/local/share/ca-certificates
(4) sudo update-ca-certificates

It updates apparently OK, but it has not been tested with an actual upload yet. Good luck.

Alternative: The procedure by Gylling also worked for me, insofar as I can see, and might be simpler. https://boinc.bakerlab.org/rosetta/forum_thread.php?id=14006#96882 |
bunnybooboo Send message Joined: 15 Apr 20 Posts: 8 Credit: 66,579 RAC: 0 |
Presumably this will rectify after midnight in each user's timezone?

In Android 9 (Pie) the following DID NOT WORK:
1) Settings >> General >> Lock screen & security >> Advanced / Encryption & credentials >> Trusted credentials
2) Select AddTrust AB (AddTrust External CA Root)
3) Note that this cert expires 30 May 2020
4) Press DISABLE
5) Restart device
6) Restart BOINC

At least for me this does not rectify the uploads hanging. There is a RESET option when selecting the Rosetta@home project in the Android app, but I'm reluctant to select this as I could lose the work I'm attempting to upload. Setting the time/date to tomorrow (e.g. selecting timezone for Sydney) also did not resolve. |
Tim Send message Joined: 11 May 20 Posts: 1 Credit: 170,711 RAC: 0 |
Thanks, that worked for me. PC-User Win10 x64 BOINC Version 7.16.5 |
Sid Celery Send message Joined: 11 Feb 08 Posts: 2124 Credit: 41,217,838 RAC: 10,815 |
> Here is a link for people that trust me

I tried to follow the instructions and it wouldn't install from device storage (no certificate to install again).
I tried to simply disable the AddTrust AB certificate and no good.
Then I navigated to the Boinc forum page on my phone, clicked on the direct link to the new file and it offered to install, then said it was successfully installed. But Rosetta still said no.
Just rebooted and no dice again.
Ugh |
©2024 University of Washington
https://www.bakerlab.org