Peer certificate cannot be authenticated with given CA certificates

Peter Hucker
Message 96861 - Posted: 30 May 2020, 11:15:56 UTC
Last modified: 30 May 2020, 11:34:20 UTC

Got this error with Rosetta and LHC 11:01am UTC 30th May 2020. On all my (Windows 10) machines, while requesting work.
"Peer certificate cannot be authenticated with given CA certificates"
But Universe and Einstein and Milkyway are ok.

Any ideas what screwed up? My computer? Both Rosetta and LHC at once? Boinc in general?

Timo
Message 96866 - Posted: 30 May 2020, 13:02:33 UTC

I'm seeing the same error message in the event log as of this morning and a number of tasks are stuck in 'uploading' status.
I suspect this is only affecting one of my machines which I switched to Rosetta@Home's new SSL URL, which makes sense.
Unfortunate timing for this to happen on a Saturday.
**38 cores crunching for R@H on behalf of cancercomputer.org - a non-profit supporting High Performance Computing in Cancer Research

Peter Hucker
Message 96868 - Posted: 30 May 2020, 13:09:43 UTC - in response to Message 96866.  
Last modified: 30 May 2020, 13:10:10 UTC

I'm seeing the same error message in the event log as of this morning and a number of tasks are stuck in 'uploading' status.
I suspect this is only affecting one of my machines which I switched to Rosetta@Home's new SSL URL, which makes sense.
Unfortunate timing for this to happen on a Saturday.


It happened on all my computers at once (all on SSL URL), and also on LHC (but not Einstein, Milkyway, or Universe). Perhaps Rosetta only bought a one month contract with whoever gives these certificates out? But strange LHC ran out at the same time, in another country!

Gylling
Message 96871 - Posted: 30 May 2020, 13:37:21 UTC

I have the same problem on all my computers. All are switched to SSL.

Peter Hucker
Message 96873 - Posted: 30 May 2020, 13:43:05 UTC - in response to Message 96871.  
Last modified: 30 May 2020, 13:43:22 UTC

I have the same problem on all my computers. All are switched to SSL.


This is odd. Einstein and Milkyway don't use SSL, so I'll ignore those.

But Universe, Rosetta, and LHC all do. So how come Universe still works and LHC and Rosetta failed at once?

ArcSedna
Message 96875 - Posted: 30 May 2020, 14:20:10 UTC

I'm having this issue too.
I have Windows 10 (boinc 7.16.5), macOS 10.15.5 (boinc 7.16.6), Manjaro Linux (boinc 7.16.6) machines,
and only Windows machines are getting this error.
macOS and Linux Machines are downloading/uploading normally.

Gylling
Message 96876 - Posted: 30 May 2020, 14:24:44 UTC

I turned on additional event log options. Might be caused by the ca-bundle.crt file.

15:57:36 | Rosetta@home | update requested by user
15:57:36 | | [network_status] status: don't need connection
15:57:36 | | [http] HTTP_OP::init_get(): https://boinc.bakerlab.org/rosetta/notices.php?userid=2121xxx&auth=2121xxx_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
15:57:36 | | [http] HTTP_OP::libcurl_exec(): ca-bundle set
15:57:36 | | [http] [ID#0] Info: Connection 27 seems to be dead!
15:57:36 | | [http] [ID#0] Info: Closing connection 27
15:57:37 | | [http] [ID#0] Info: Trying 128.95.160.157...
15:57:37 | | [http] [ID#0] Info: Connected to boinc.bakerlab.org (128.95.160.157) port 443 (#28)
15:57:37 | | [http] [ID#0] Info: ALPN, offering http/1.1
15:57:37 | | [http] [ID#0] Info: Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
15:57:37 | | [http] [ID#0] Info: successfully set certificate verify locations:
15:57:37 | | [http] [ID#0] Info: CAfile: X:XXXXXXBOINCca-bundle.crt
15:57:37 | | [http] [ID#0] Info: CApath: none
15:57:37 | | [http] [ID#0] Info: TLSv1.2 (OUT), TLS header, Certificate Status (22):
15:57:37 | | [http] [ID#0] Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
15:57:37 | | [http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
15:57:37 | | [http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
15:57:37 | | [http] [ID#0] Info: TLSv1.2 (OUT), TLS alert, Server hello (2):
15:57:37 | | [http] [ID#0] Info: SSL certificate problem: certificate has expired
15:57:37 | | [http] [ID#0] Info: Closing connection 28
15:57:37 | | [http] HTTP error: Peer certificate cannot be authenticated with given CA certificates
15:57:37 | | [network_status] status: online
15:57:38 | | [network_status] status: online
15:57:39 | Rosetta@home | Sending scheduler request: Requested by user.
15:57:39 | Rosetta@home | Reporting 1 completed tasks
15:57:39 | Rosetta@home | Requesting new tasks for CPU
15:57:39 | Rosetta@home | [http] HTTP_OP::init_post(): https://bwsrv1.bakerlab.org/rosetta_cgi/cgi
15:57:39 | Rosetta@home | [http] HTTP_OP::libcurl_exec(): ca-bundle set
15:57:40 | | [network_status] status: online
15:57:40 | Rosetta@home | [http] [ID#1] Info: Trying 128.95.160.156...
15:57:40 | Rosetta@home | [http] [ID#1] Info: Connected to bwsrv1.bakerlab.org (128.95.160.156) port 443 (#29)
15:57:40 | Rosetta@home | [http] [ID#1] Info: ALPN, offering http/1.1
15:57:40 | Rosetta@home | [http] [ID#1] Info: Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
15:57:40 | Rosetta@home | [http] [ID#1] Info: successfully set certificate verify locations:
15:57:40 | Rosetta@home | [http] [ID#1] Info: CAfile: X:XXXXXXBOINCca-bundle.crt
15:57:40 | Rosetta@home | [http] [ID#1] Info: CApath: none
15:57:40 | Rosetta@home | [http] [ID#1] Info: TLSv1.2 (OUT), TLS header, Certificate Status (22):
15:57:40 | Rosetta@home | [http] [ID#1] Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
15:57:40 | Rosetta@home | [http] [ID#1] Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
15:57:40 | Rosetta@home | [http] [ID#1] Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
15:57:40 | Rosetta@home | [http] [ID#1] Info: TLSv1.2 (OUT), TLS alert, Server hello (2):
15:57:40 | Rosetta@home | [http] [ID#1] Info: SSL certificate problem: certificate has expired
15:57:40 | Rosetta@home | [http] [ID#1] Info: Closing connection 29
15:57:40 | | [network_status] got HTTP error - checking ref site
15:57:40 | Rosetta@home | [http] HTTP error: Peer certificate cannot be authenticated with given CA certificates
15:57:41 | | [network_status] status: reference site lookup pending
15:57:41 | | [network_status] need_phys_conn 0; trying https://www.google.com/
15:57:41 | | Project communication failed: attempting access to reference site
15:57:41 | | [http] HTTP_OP::init_get(): https://www.google.com/
15:57:41 | | [http] HTTP_OP::libcurl_exec(): ca-bundle set
15:57:41 | Rosetta@home | Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates
15:57:42 | | [network_status] status: reference site lookup pending
15:57:42 | | [http] [ID#0] Info: Trying 172.217.21.164...
15:57:42 | | [http] [ID#0] Info: Connected to www.google.com (172.217.21.164) port 443 (#30)
15:57:42 | | [http] [ID#0] Info: ALPN, offering http/1.1
15:57:42 | | [http] [ID#0] Info: Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
15:57:42 | | [http] [ID#0] Info: successfully set certificate verify locations:
15:57:42 | | [http] [ID#0] Info: CAfile: X:XXXXXXBOINCca-bundle.crt
15:57:42 | | [http] [ID#0] Info: CApath: none
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (OUT), TLS header, Certificate Status (22):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Server key exchange (12):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Server finished (14):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (OUT), TLS change cipher, Client hello (1):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (OUT), TLS handshake, Finished (20):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (IN), TLS change cipher, Client hello (1):
15:57:42 | | [http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Finished (20):
15:57:42 | | [http] [ID#0] Info: SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
15:57:42 | | [http] [ID#0] Info: ALPN, server accepted to use http/1.1
15:57:42 | | [http] [ID#0] Info: Server certificate:
15:57:42 | | [http] [ID#0] Info: subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=www.google.com
15:57:42 | | [http] [ID#0] Info: start date: May 5 08:31:24 2020 GMT
15:57:42 | | [http] [ID#0] Info: expire date: Jul 28 08:31:24 2020 GMT
15:57:42 | | [http] [ID#0] Info: subjectAltName: www.google.com matched
15:57:42 | | [http] [ID#0] Info: issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
15:57:42 | | [http] [ID#0] Info: SSL certificate verify ok.

Gylling
Message 96882 - Posted: 30 May 2020, 15:44:52 UTC

I analyzed the ca-bundle.crt file and found out that AddTrust External Root certificate expired today.
I removed the expired certificate part from the file and now everything works normally for me again.

Here is a guide to a quick fix:
Back up all your sensitive data first. This is only tested on 1 computer so far.
Exit BOINC
Open file manager and go to C:\Program Files\BOINC or wherever you have installed BOINC.
Make a backup copy of ca-bundle.crt just in case my instructions screw up something.
Right click on ca-bundle.crt and open it with Notepad
Scroll down to AddTrust External Root. Below this is the expired certificate.
Delete everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- including the begin and end lines.
Save the file
Start BOINC and try again.

Please let me know if this works or not.
ID: 96882 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
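
Gylling's manual edit above, as a script (an added example, not part of the original post and not BOINC's own code): it walks each PEM block in a CA bundle, reads notAfter with a minimal DER parse, and drops the blocks that have expired. The function names and the sample bundle are constructed for illustration; the sample certificates are unsigned skeletons with constructed dates, not real roots.

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Return notAfter of a DER X.509 certificate as a UTC datetime."""
    _, pos, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)               # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                          # optional [0] version field
        pos = end
    for _ in range(3):                       # skip serialNumber, signature, issuer
        pos = _tlv(der, pos)[2]
    _, pos, _ = _tlv(der, pos)               # validity ::= SEQUENCE
    pos = _tlv(der, pos)[2]                  # skip notBefore
    tag, start, end = _tlv(der, pos)
    text = der[start:end].decode("ascii")
    if tag == 0x17:                          # UTCTime: RFC 5280 reads YY >= 50 as 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def prune_expired(bundle_text, now=None):
    """Drop expired PEM blocks; return (pruned_text, [notAfter of each removed cert])."""
    now = now or datetime.now(timezone.utc)
    removed = []
    def keep_or_drop(m):
        expiry = not_after(base64.b64decode("".join(m.group(1).split())))
        if expiry > now:
            return m.group(0)
        removed.append(expiry)
        return ""                            # the label text above the block stays in place
    return PEM_RE.sub(keep_or_drop, bundle_text), removed

# --- constructed sample data: unsigned skeletons with only the fields read above ---
def _enc(tag, body=b""):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_pem(not_after_text, tag=0x17):
    validity = _enc(0x30, _enc(0x17, b"000530000000Z") + _enc(tag, not_after_text))
    issuer = _enc(0x30, _enc(0x0C, b"constructed issuer " * 10))  # long-form length
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30) + issuer + validity)
    der = _enc(0x30, tbs + _enc(0x30) + _enc(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = ("Expired root (constructed)\n" + sample_pem(b"200530000000Z")
                 + "Valid root (constructed)\n" + sample_pem(b"20380101000000Z", 0x18))

if __name__ == "__main__":
    print(prune_expired(SAMPLE_BUNDLE)[1])
```

To apply it to a real bundle, read ca-bundle.crt as text, keep the backup copy the post recommends, and write the returned text back.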
Toby Broom

Message 96883 - Posted: 30 May 2020, 15:52:57 UTC - in response to Message 96882.  

I got the new AddTrust certificate from the main BOINC site.

It worked fine with updated certs; I didn't even restart.

https://boinc.berkeley.edu/forum_thread.php?id=13758

SootAndShale
Message 96884 - Posted: 30 May 2020, 15:53:00 UTC - in response to Message 96882.  

Thanks Gylling, that's fixed my system too.

Peter Hucker
Message 96885 - Posted: 30 May 2020, 15:57:13 UTC - in response to Message 96883.  

I got the new AddTrust certificate from the main BOINC site.

It worked fine with updated certs; I didn't even restart.

https://boinc.berkeley.edu/forum_thread.php?id=13758


Excellent, thanks, I just pasted that into mine without restarting Boinc and it works.

How are you going to get that new file to everyone else?

Toby Broom
Message 96886 - Posted: 30 May 2020, 16:02:31 UTC - in response to Message 96885.  

Here is a link for people that trust me

https://1drv.ms/u/s!AsVDg7OAm7-whqEqBXKHuOie0UoBKA?e=VHwBAP

Brian Nixon
Message 96890 - Posted: 30 May 2020, 16:30:55 UTC
Last modified: 30 May 2020, 16:39:57 UTC

Adding a new certificate should not be necessary, as the required COMODO entry should already be present in ca-bundle.crt. You should only need to remove the expired one, as Gylling wrote. You shouldn’t even need to restart BOINC.

Background information: Sectigo AddTrust External CA Root Expiring May 30, 2020

Sid Celery
Message 96902 - Posted: 30 May 2020, 19:40:22 UTC - in response to Message 96886.  

Here is a link for people that trust me

https://1drv.ms/u/s!AsVDg7OAm7-whqEqBXKHuOie0UoBKA?e=VHwBAP

This worked for me on both my desktop and laptop, but when I tried to go there on my Android phone the file wouldn't install - saying something like "no certificate to install"

How would I go about it on a phone please?

Peter Hucker
Message 96903 - Posted: 30 May 2020, 19:46:00 UTC - in response to Message 96902.  

Here is a link for people that trust me

https://1drv.ms/u/s!AsVDg7OAm7-whqEqBXKHuOie0UoBKA?e=VHwBAP

This worked for me on both my desktop and laptop, but when I tried to go there on my Android phone the file wouldn't install - saying something like "no certificate to install"

How would I go about it on a phone please?


Should be possible, but someone with more technical knowledge than me needs to interpret this:
https://cheapsslsecurity.com/blog/install-ssl-certificate-on-android/

Curt3g
Message 96906 - Posted: 30 May 2020, 20:14:51 UTC - in response to Message 96882.  

I analyzed the ca-bundle.crt file and found out that AddTrust External Root certificate expired today.
I removed the expired certificate part from the file and now everything works normally for me again.

Here is a guide to a quick fix:
Back up all your sensitive data first. This is only tested on 1 computer so far.
Exit BOINC
Open file manager and go to C:\Program Files\BOINC or wherever you have installed BOINC.
Make a backup copy of ca-bundle.crt just in case my instructions screw up something.
Right click on ca-bundle.crt and open it with Notepad
Scroll down to AddTrust External Root. Below this is the expired certificate.
Delete everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- including the begin and end lines.
Save the file
Start BOINC and try again.

Please let me know if this works or not.



Worked like a charm. Thanks much!

Jim1348
Message 96909 - Posted: 30 May 2020, 20:38:37 UTC - in response to Message 96906.  
Last modified: 30 May 2020, 20:40:59 UTC

On Linux, it is a bit more involved.
The general discussion is here: https://boinc.berkeley.edu/forum_thread.php?id=13758

The procedure that worked for me on Ubuntu 18.04.4:
(1) Download this file: https://crt.sh/?d=1720081
(2) Place "1720081.crt" in Home directory (e.g., move from desktop)
(3) sudo mv 1720081.crt /usr/local/share/ca-certificates
(4) sudo update-ca-certificates

It updates apparently OK, but it has not been tested with an actual upload yet.
Good luck.

Alternative: The procedure by Gylling also worked for me, insofar as I can see,
and might be simpler.
https://boinc.bakerlab.org/rosetta/forum_thread.php?id=14006#96882

bunnybooboo
Message 96910 - Posted: 30 May 2020, 20:45:47 UTC - in response to Message 96903.  
Last modified: 30 May 2020, 20:46:28 UTC

Presumably this will rectify after midnight in each user's timezone? In Android 9 (Pie) the following DID NOT WORK:

1) Settings >> General >> Lock screen & security >> Advanced / Encryption & credentials >> Trusted credentials
2) Select AddTrust AB (AddTrust External CA Root)
3) Note that this cert expires 30 May 2020
4) Press DISABLE
5) Restart device
6) Restart BOINC

At least for me this does not rectify the uploads hanging. There is a RESET option when selecting the Rosetta@home project in the Android app, but I'm reluctant to select this as I could lose the work I'm attempting to upload. Setting the time/date to tomorrow (e.g. selecting timezone for Sydney) also did not resolve.

Tim
Message 96911 - Posted: 30 May 2020, 20:48:44 UTC - in response to Message 96906.  

Thanks, that worked for me.
PC-User Win10 x64
BOINC Version 7.16.5

Sid Celery
Message 96921 - Posted: 30 May 2020, 22:04:52 UTC - in response to Message 96903.  

Here is a link for people that trust me

https://1drv.ms/u/s!AsVDg7OAm7-whqEqBXKHuOie0UoBKA?e=VHwBAP

This worked for me on both my desktop and laptop, but when I tried to go there on my Android phone the file wouldn't install - saying something like "no certificate to install"

How would I go about it on a phone please?


Should be possible, but someone with more technical knowledge than me needs to interpret this:
https://cheapsslsecurity.com/blog/install-ssl-certificate-on-android/

I tried to follow the instructions and it wouldn't install from device storage (no certificate to install again)
I tried to simply disable the AddTrust AB certificate and no good

Then I navigated to the Boinc forum page on my phone, clicked on the direct link to the new file and it offered to install, then said it was successfully installed.
But Rosetta still said no.
Just rebooted and no dice again
Ugh

©2021 University of Washington
https://www.bakerlab.org