Peer certificate cannot be authenticated with given CA certificates

Message boards : Number crunching : Peer certificate cannot be authenticated with given CA certificates

To post messages, you must log in.

Previous · 1 · 2 · 3 · 4 · 5 . . . 9 · Next

AuthorMessage
Profile Grant (SSSF)

Send message
Joined: 28 Mar 20
Posts: 1467
Credit: 14,316,187
RAC: 16,257
Message 96923 - Posted: 30 May 2020, 22:21:40 UTC - in response to Message 96882.  

I analyzed the ca-bundle.crt file and found out that AddTrust External Root certificate expired today.
I removed the expired certificate part from the file and now everything works normal for me again.

Here is a guide to a quick fix:
Backup all your sensitive data first, This is only tested on 1 computer so far.
Exit BOINC
Open file manager and go to C:ProgramFilesBOINC or wherever you have installed BOINC.
Make a backup copy of ca-bundle.crt just in case my instuctions screw up something.
Right click on ca-bundle.crt and open it with Notepad
Scroll down to AddTrust External Root, Below this is the expired certificate.
Delete everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- including the begin and end lines.
Save the file
Start BOINC and try again.

Please let me know if this works or not.
Didn't have permission to edit file, so copied file to another location, deleted certificate as above, saved & moved back to BOINC directory, still unable to upload or download.
One system is on HTTP, the other is on HTTPS addresses.
Grant
Darwin NT
ID: 96923 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Mr P Hucker
Avatar

Send message
Joined: 12 Aug 06
Posts: 1600
Credit: 9,531,864
RAC: 248
Message 96924 - Posted: 30 May 2020, 22:26:02 UTC - in response to Message 96923.  
Last modified: 30 May 2020, 22:27:07 UTC

I analyzed the ca-bundle.crt file and found out that AddTrust External Root certificate expired today.
I removed the expired certificate part from the file and now everything works normal for me again.

Here is a guide to a quick fix:
Backup all your sensitive data first, This is only tested on 1 computer so far.
Exit BOINC
Open file manager and go to C:ProgramFilesBOINC or wherever you have installed BOINC.
Make a backup copy of ca-bundle.crt just in case my instuctions screw up something.
Right click on ca-bundle.crt and open it with Notepad
Scroll down to AddTrust External Root, Below this is the expired certificate.
Delete everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- including the begin and end lines.
Save the file
Start BOINC and try again.

Please let me know if this works or not.
Didn't have permission to edit file, so copied file to another location, deleted certificate as above, saved & moved back to BOINC directory, still unable to upload or download.
One system is on HTTP, the other is on HTTPS addresses.


Mine works, but I pasted the new bit over it from https://crt.sh/?d=1720081

Those Windows permissions are really stupid. It tells me I don't have permission, then asks me if I want to grant myself permission (!!). But it doesn't ask that when saving from notepad. Doubly stupid.
ID: 96924 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
mechWarrior242

Send message
Joined: 30 Mar 17
Posts: 1
Credit: 8,498,715
RAC: 0
Message 96925 - Posted: 30 May 2020, 22:30:56 UTC - in response to Message 96882.  

Thanks for the post!
Works like a charm.
ID: 96925 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Sid Celery

Send message
Joined: 11 Feb 08
Posts: 1965
Credit: 38,162,917
RAC: 9,188
Message 96926 - Posted: 30 May 2020, 22:32:39 UTC - in response to Message 96923.  

I analyzed the ca-bundle.crt file and found out that AddTrust External Root certificate expired today.
I removed the expired certificate part from the file and now everything works normal for me again.

Here is a guide to a quick fix:
Backup all your sensitive data first, This is only tested on 1 computer so far.
Exit BOINC
Open file manager and go to C:ProgramFilesBOINC or wherever you have installed BOINC.
Make a backup copy of ca-bundle.crt just in case my instuctions screw up something.
Right click on ca-bundle.crt and open it with Notepad
Scroll down to AddTrust External Root, Below this is the expired certificate.
Delete everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- including the begin and end lines.
Save the file
Start BOINC and try again.

Please let me know if this works or not.
Didn't have permission to edit file, so copied file to another location, deleted certificate as above, saved & moved back to BOINC directory, still unable to upload or download.
One system is on HTTP, the other is on HTTPS addresses.

Fine on my W7 desktop, same as you on my W10 laptop.
I had to confirm I was administrator (I was). Saved the downloaded file elsewhere, copied it to the Boinc folder and it allowed me to replace the old file (no idea why). And on the W10 laptop that was sufficient.
I've got a feeling I was just lucky now.
ID: 96926 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Profile Grant (SSSF)

Send message
Joined: 28 Mar 20
Posts: 1467
Credit: 14,316,187
RAC: 16,257
Message 96927 - Posted: 30 May 2020, 22:32:46 UTC - in response to Message 96924.  
Last modified: 30 May 2020, 22:33:22 UTC

Mine works, but I pasted the new bit over it from https://crt.sh/?d=1720081
Ta, after no joy with my editing work i used the link Toby had supplied & that worked- thanks Toby.
Replaced the file, Retried transfers, and after a few seconds things started working again.



Those Windows permissions are really stupid. It tells me I don't have permission, then asks me if I want to grant myself permission (!!). But it doesn't ask that when saving from notepad. Doubly stupid.
That's for sure.
Grant
Darwin NT
ID: 96927 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Markelonius

Send message
Joined: 4 Apr 20
Posts: 7
Credit: 2,405,021
RAC: 100
Message 96931 - Posted: 30 May 2020, 22:58:47 UTC - in response to Message 96882.  
Last modified: 30 May 2020, 23:09:38 UTC

I analyzed the ca-bundle.crt file and found out that AddTrust External Root certificate expired today.
I removed the expired certificate part from the file and now everything works normal for me again.

Here is a guide to a quick fix:
Backup all your sensitive data first, This is only tested on 1 computer so far.
Exit BOINC
Open file manager and go to C:ProgramFilesBOINC or wherever you have installed BOINC.
Make a backup copy of ca-bundle.crt just in case my instuctions screw up something.
Right click on ca-bundle.crt and open it with Notepad
Scroll down to AddTrust External Root, Below this is the expired certificate.
Delete everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- including the begin and end lines.
Save the file
Start BOINC and try again.

Please let me know if this works or not.


This worked fine for me, R@H is uploading and downloading again. THANK YOU Gylling!

I did the following (Windows 10):
run command prompt as administrator
cd "/Program Files/BOINC" (using backslashes, which I can't seem to make display OK)
copy ca-bundle.crt ca-bundle.crt.bak
notepad ca-bundle.crt
Ctrl+F External
Delete the following:
AddTrust External Root
======================
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----

Save and exit Notepad
Close command prompt
Go to BOINC Manager
Suspend Rosetta@Home project
Close BOINC Manager
Reopen BOINC Manager
Resume Rosetta@Home project
Select Tools, Retry Pending Transfers from menu (advanced view active - you may need to select View, Advanced View first)[/code]
ID: 96931 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Profile Sir Antony Magnus
Avatar

Send message
Joined: 28 Nov 05
Posts: 31
Credit: 526,750
RAC: 0
Message 96938 - Posted: 31 May 2020, 0:41:41 UTC

Thanks for the fix, worked on Windows 10 BOINC 7.16.5.

Question is after having edited the file in such a way what exactly are we doing in terms of certifications? It would be nice if some project admins would clarify, or offer an ability to replace said file here at the Rosetta site. Also does the edit affect other projects, if so is it negatively?

Do not like the idea of meddling with files, I am not exactly clueless but I don't usually do such things.

Regards,

Antony
ID: 96938 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Mad_Max

Send message
Joined: 31 Dec 09
Posts: 207
Credit: 23,094,662
RAC: 13,103
Message 96941 - Posted: 31 May 2020, 0:58:03 UTC

Editing ca-bundle.crt fixed upload/download error.
Thanks for the hint!

Although I do not understand why such a problem arose at all!
Only last week I installed the most recent version of BOINC - and it experienced the same problem. I also had to edit the certificate file.
Such things should be fixed by BOINC programmers centrally, rather than manually editing certificate file by each user.
ID: 96941 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Brian Nixon

Send message
Joined: 12 Apr 20
Posts: 293
Credit: 8,432,366
RAC: 0
Message 96942 - Posted: 31 May 2020, 1:12:07 UTC - in response to Message 96938.  

Sir Antony Magnus wrote:
what exactly are we doing in terms of certifications?

By removing an expired certificate, all we’re doing is preventing BOINC attempting to use it to secure its communications with the project servers. We’re not adding anything, so we are not starting to trust any entity in the secure chain that we didn’t trust before.
ID: 96942 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
KaguraMea

Send message
Joined: 17 Nov 18
Posts: 1
Credit: 287,195
RAC: 3,305
Message 96944 - Posted: 31 May 2020, 1:42:50 UTC - in response to Message 96882.  

It worked! Thanks!
ID: 96944 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Tomcat雄猫

Send message
Joined: 20 Dec 14
Posts: 180
Credit: 5,364,639
RAC: 0
Message 96950 - Posted: 31 May 2020, 2:45:33 UTC
Last modified: 31 May 2020, 2:45:55 UTC

I was wondering why my Rosetta tasks weren't uploading. I used Toby's patched file and it worked for me (didn't even need to restart BOINC for the fix to work. The same should apply to those who edited the file themselves, just save the changes and retry the transfers).
I hope BOINC gets an update very quickly that fixes this issue for those who are tech-illiterate, I see this becoming a problem.
ID: 96950 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Mad_Max

Send message
Joined: 31 Dec 09
Posts: 207
Credit: 23,094,662
RAC: 13,103
Message 96951 - Posted: 31 May 2020, 3:35:41 UTC

Yes, no need to restart anything.

After replacing (or editing) cert file just press retry (on "Transfers" tab) and Update (on "Projects" tab) is enough to fully resume normal work.
Although full BOINC restart will work too of course.
ID: 96951 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Tomcat雄猫

Send message
Joined: 20 Dec 14
Posts: 180
Credit: 5,364,639
RAC: 0
Message 96952 - Posted: 31 May 2020, 4:08:54 UTC - in response to Message 96910.  
Last modified: 31 May 2020, 4:32:16 UTC

Presumably this will rectify after midnight in each user's timezone? In Android 9 (Pie) the following DID NOT WORK:

1) Settings >> General >> Lock screen & security >> Advanced / Encryption & credentials >> Trusted credentials
2) Select AddTrust AB (AddTrust External CA Root)
3) Note that this cert expires 30 May 2020
4) Press DISABLE
5) Restart device
6) Restart BOINC

At least for me this does not rectify the uploads hanging. There is a RESET option when selecting the Rosetta@home project in the Android app, but I'm reluctant to select this as I could lose the work I'm attempting to upload. Setting the time/date to tomorrow (E.g. selecting timezone for Sydney) also did not resolve.


I'm on Android 8.0 and it didn't work for me. In the end, I was forced to abort all tasks and let some others timeout. This is not good. Fortunately, I have a really small cache.
I even tried disabling all the AddTrust AB certificates. No dice. I can't even re-add Rosetta after removing it (that probably means RESET won't work). I think one needs to remove those expired credentials outright to fix this (I don't think you can remove single credentials from Android).

Welp, I guess that's two Android devices down for me. One because of issues with BOINC and Android 9.0, plus the fact that I don't charge that device enough to meet the deadlines. One because of this certificate expiring.

I hope this gets resolved before we get a massive wave of tasks timing out.
ID: 96952 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Profile vaughan

Send message
Joined: 17 Sep 05
Posts: 4
Credit: 21,510,517
RAC: 1,513
Message 96954 - Posted: 31 May 2020, 4:32:59 UTC

run command prompt as administrator

Easier said than done: you have to go Windows key+R then Ctrl+Shift+Enter together

cd "/Program Files/BOINC" (using backslashes, which I can't seem to make display OK)
copy ca-bundle.crt ca-bundle.crt.bak

This didn't work as I get access denied.

WTF - why isn't the Rosetta admin fixing this snafu?
ID: 96954 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Tomcat雄猫

Send message
Joined: 20 Dec 14
Posts: 180
Credit: 5,364,639
RAC: 0
Message 96955 - Posted: 31 May 2020, 4:48:30 UTC - in response to Message 96954.  
Last modified: 31 May 2020, 4:56:52 UTC

run command prompt as administrator

Easier said than done: you have to go Windows key+R then Ctrl+Shift+Enter together

cd "/Program Files/BOINC" (using backslashes, which I can't seem to make display OK)
copy ca-bundle.crt ca-bundle.crt.bak

This didn't work as I get access denied.

WTF - why isn't the Rosetta admin fixing this snafu?


I think this is an issue with BOINC, not Rosetta. LHC@home is also affected, as well as NumberFields@Home.
My Mac is doing fine so far, which is rather interesting.
ID: 96955 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
ficba

Send message
Joined: 20 Nov 14
Posts: 2
Credit: 3,180,155
RAC: 0
Message 96966 - Posted: 31 May 2020, 8:04:57 UTC

this worked for me - have had to do it on all my rigs
ID: 96966 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Sid Celery

Send message
Joined: 11 Feb 08
Posts: 1965
Credit: 38,162,917
RAC: 9,188
Message 96969 - Posted: 31 May 2020, 8:42:10 UTC

Alongside the issues here, which most of us here are solving on PCs though not on Android, the project front page <had been> showing maybe 780k completed tasks in the last 24hrs
About 21hrs later now it's only showing about 340k completed in the last 24hrs and will continue to drop for a few hours more. Maybe to 300k or even less.

This certificate having already expired, I'm not sure what anyone at Rosetta can do to push a solution to people who don't view the forums at all, let alone this topic. let alone if they've got the ability to implement a solution.

The most obvious route may be to put a Notice out through the Boinc Manager itself, though someone will have to prepare an idiot-proof set of instructions to do so.

The only other thing I can think of is for people here who are in teams to contact their other Rosetta team members and advise them how to solve the immediate problem.

Anyone else with any ideas before Admin and Mod.Sense get back to us with some clever solution of their own?
ID: 96969 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Kissagogo27

Send message
Joined: 31 Mar 20
Posts: 83
Credit: 2,592,316
RAC: 2,321
Message 96972 - Posted: 31 May 2020, 9:10:20 UTC

hi, Deleting the expired certificat with notepad+ even with Boinc running works well, Thanks a lot ( W7 32b)
ID: 96972 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Brian Nixon

Send message
Joined: 12 Apr 20
Posts: 293
Credit: 8,432,366
RAC: 0
Message 96979 - Posted: 31 May 2020, 10:58:41 UTC - in response to Message 96969.  
Last modified: 31 May 2020, 11:01:44 UTC

Sid Celery wrote:
I'm not sure what anyone at Rosetta can do

They might be able to change the servers’ SSL certificates to ones signed by CAs that aren’t affected by this client problem.

put a Notice out through the Boinc Manager

There might be a chicken-and-egg problem there: if the notices are fetched via HTTPS, and HTTPS isn’t working…
ID: 96979 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Mr P Hucker
Avatar

Send message
Joined: 12 Aug 06
Posts: 1600
Credit: 9,531,864
RAC: 248
Message 96981 - Posted: 31 May 2020, 11:48:49 UTC - in response to Message 96952.  

Presumably this will rectify after midnight in each user's timezone? In Android 9 (Pie) the following DID NOT WORK:

1) Settings >> General >> Lock screen & security >> Advanced / Encryption & credentials >> Trusted credentials
2) Select AddTrust AB (AddTrust External CA Root)
3) Note that this cert expires 30 May 2020
4) Press DISABLE
5) Restart device
6) Restart BOINC

At least for me this does not rectify the uploads hanging. There is a RESET option when selecting the Rosetta@home project in the Android app, but I'm reluctant to select this as I could lose the work I'm attempting to upload. Setting the time/date to tomorrow (E.g. selecting timezone for Sydney) also did not resolve.


I'm on Android 8.0 and it didn't work for me. In the end, I was forced to abort all tasks and let some others timeout. This is not good. Fortunately, I have a really small cache.
I even tried disabling all the AddTrust AB certificates. No dice. I can't even re-add Rosetta after removing it (that probably means RESET won't work). I think one needs to remove those expired credentials outright to fix this (I don't think you can remove single credentials from Android).

Welp, I guess that's two Android devices down for me. One because of issues with BOINC and Android 9.0, plus the fact that I don't charge that device enough to meet the deadlines. One because of this certificate expiring.

I hope this gets resolved before we get a massive wave of tasks timing out.


It only affects some projects, my Androids are doing other project work instead. I only know of LHC, Rosetta, and Numberfields needing the certificate.
ID: 96981 · Rating: 0 · rate: Rate + / Rate - Report as offensive    Reply Quote
Previous · 1 · 2 · 3 · 4 · 5 . . . 9 · Next

Message boards : Number crunching : Peer certificate cannot be authenticated with given CA certificates



©2024 University of Washington
https://www.bakerlab.org