Message boards : Number crunching : Peer certificate cannot be authenticated with given CA certificates
Previous · 1 · 2 · 3 · 4 · 5 . . . 9 · Next
Author | Message |
---|---|
Grant (SSSF) Send message Joined: 28 Mar 20 Posts: 1684 Credit: 17,950,321 RAC: 23,118 |
I analyzed the ca-bundle.crt file and found out that AddTrust External Root certificate expired today.Didn't have permission to edit file, so copied file to another location, deleted certificate as above, saved & moved back to BOINC directory, still unable to upload or download. One system is on HTTP, the other is on HTTPS addresses. Grant Darwin NT |
Mr P Hucker Send message Joined: 12 Aug 06 Posts: 1600 Credit: 11,845,183 RAC: 9,025 |
I analyzed the ca-bundle.crt file and found out that AddTrust External Root certificate expired today.Didn't have permission to edit file, so copied file to another location, deleted certificate as above, saved & moved back to BOINC directory, still unable to upload or download. Mine works, but I pasted the new bit over it from https://crt.sh/?d=1720081 Those Windows permissions are really stupid. It tells me I don't have permission, then asks me if I want to grant myself permission (!!). But it doesn't ask that when saving from notepad. Doubly stupid. |
mechWarrior242 Send message Joined: 30 Mar 17 Posts: 1 Credit: 8,498,715 RAC: 0 |
Thanks for the post! Works like a charm. |
Sid Celery Send message Joined: 11 Feb 08 Posts: 2125 Credit: 41,249,734 RAC: 9,368 |
I analyzed the ca-bundle.crt file and found out that AddTrust External Root certificate expired today.Didn't have permission to edit file, so copied file to another location, deleted certificate as above, saved & moved back to BOINC directory, still unable to upload or download. Fine on my W7 desktop, same as you on my W10 laptop. I had to confirm I was administrator (I was). Saved the downloaded file elsewhere, copied it to the Boinc folder and it allowed me to replace the old file (no idea why). And on the W10 laptop that was sufficient. I've got a feeling I was just lucky now. |
Grant (SSSF) Send message Joined: 28 Mar 20 Posts: 1684 Credit: 17,950,321 RAC: 23,118 |
Mine works, but I pasted the new bit over it from https://crt.sh/?d=1720081Ta, after no joy with my editing work i used the link Toby had supplied & that worked- thanks Toby. Replaced the file, Retried transfers, and after a few seconds things started working again. Those Windows permissions are really stupid. It tells me I don't have permission, then asks me if I want to grant myself permission (!!). But it doesn't ask that when saving from notepad. Doubly stupid.That's for sure. Grant Darwin NT |
Markelonius Send message Joined: 4 Apr 20 Posts: 7 Credit: 2,405,021 RAC: 0 |
I analyzed the ca-bundle.crt file and found out that AddTrust External Root certificate expired today. This worked fine for me, R@H is uploading and downloading again. THANK YOU Gylling! I did the following (Windows 10): run command prompt as administrator cd "/Program Files/BOINC" (using backslashes, which I can't seem to make display OK) copy ca-bundle.crt ca-bundle.crt.bak notepad ca-bundle.crt Ctrl+F External Delete the following: AddTrust External Root ====================== -----BEGIN CERTIFICATE----- MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290 MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9 uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0 WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0 Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= -----END CERTIFICATE----- Save and exit Notepad Close command prompt Go to BOINC Manager Suspend Rosetta@Home project Close BOINC Manager Reopen BOINC Manager Resume Rosetta@Home project Select Tools, Retry Pending Transfers from menu (advanced view active - you may need to select View, Advanced View first)[/code] |
Sir Antony Magnus Send message Joined: 28 Nov 05 Posts: 31 Credit: 526,750 RAC: 0 |
Thanks for the fix, worked on Windows 10 BOINC 7.16.5. Question is after having edited the file in such a way what exactly are we doing in terms of certifications? It would be nice if some project admins would clarify, or offer an ability to replace said file here at the Rosetta site. Also does the edit affect other projects, if so is it negatively? Do not like the idea of meddling with files, I am not exactly clueless but I don't usually do such things. Regards, Antony |
Mad_Max Send message Joined: 31 Dec 09 Posts: 209 Credit: 26,072,151 RAC: 16,660 |
Editing ca-bundle.crt fixed upload/download error. Thanks for the hint! Although I do not understand why such a problem arose at all! Only last week I installed the most recent version of BOINC - and it experienced the same problem. I also had to edit the certificate file. Such things should be fixed by BOINC programmers centrally, rather than manually editing certificate file by each user. |
Brian Nixon Send message Joined: 12 Apr 20 Posts: 293 Credit: 8,432,366 RAC: 0 |
Sir Antony Magnus wrote: what exactly are we doing in terms of certifications? By removing an expired certificate, all we’re doing is preventing BOINC attempting to use it to secure its communications with the project servers. We’re not adding anything, so we are not starting to trust any entity in the secure chain that we didn’t trust before. |
KaguraMea Send message Joined: 17 Nov 18 Posts: 1 Credit: 302,558 RAC: 0 |
It worked! Thanks! |
Tomcat雄猫 Send message Joined: 20 Dec 14 Posts: 180 Credit: 5,386,173 RAC: 0 |
I was wondering why my Rosetta tasks weren't uploading. I used Toby's patched file and it worked for me (didn't even need to restart BOINC for the fix to work. The same should apply to those who edited the file themselves, just save the changes and retry the transfers). I hope BOINC gets an update very quickly that fixes this issue for those who are tech-illiterate, I see this becoming a problem. |
Mad_Max Send message Joined: 31 Dec 09 Posts: 209 Credit: 26,072,151 RAC: 16,660 |
Yes, no need to restart anything. After replacing (or editing) cert file just press retry (on "Transfers" tab) and Update (on "Projects" tab) is enough to fully resume normal work. Although full BOINC restart will work too of course. |
Tomcat雄猫 Send message Joined: 20 Dec 14 Posts: 180 Credit: 5,386,173 RAC: 0 |
Presumably this will rectify after midnight in each user's timezone? In Android 9 (Pie) the following DID NOT WORK: I'm on Android 8.0 and it didn't work for me. In the end, I was forced to abort all tasks and let some others timeout. This is not good. Fortunately, I have a really small cache. I even tried disabling all the AddTrust AB certificates. No dice. I can't even re-add Rosetta after removing it (that probably means RESET won't work). I think one needs to remove those expired credentials outright to fix this (I don't think you can remove single credentials from Android). Welp, I guess that's two Android devices down for me. One because of issues with BOINC and Android 9.0, plus the fact that I don't charge that device enough to meet the deadlines. One because of this certificate expiring. I hope this gets resolved before we get a massive wave of tasks timing out. |
vaughan Send message Joined: 17 Sep 05 Posts: 4 Credit: 21,706,428 RAC: 218 |
run command prompt as administrator Easier said than done: you have to go Windows key+R then Ctrl+Shift+Enter together cd "/Program Files/BOINC" (using backslashes, which I can't seem to make display OK) copy ca-bundle.crt ca-bundle.crt.bak This didn't work as I get access denied. WTF - why isn't the Rosetta admin fixing this snafu? |
Tomcat雄猫 Send message Joined: 20 Dec 14 Posts: 180 Credit: 5,386,173 RAC: 0 |
run command prompt as administrator I think this is an issue with BOINC, not Rosetta. LHC@home is also affected, as well as NumberFields@Home. My Mac is doing fine so far, which is rather interesting. |
ficba Send message Joined: 20 Nov 14 Posts: 2 Credit: 3,180,155 RAC: 0 |
this worked for me - have had to do it on all my rigs |
Sid Celery Send message Joined: 11 Feb 08 Posts: 2125 Credit: 41,249,734 RAC: 9,368 |
Alongside the issues here, which most of us here are solving on PCs though not on Android, the project front page <had been> showing maybe 780k completed tasks in the last 24hrs About 21hrs later now it's only showing about 340k completed in the last 24hrs and will continue to drop for a few hours more. Maybe to 300k or even less. This certificate having already expired, I'm not sure what anyone at Rosetta can do to push a solution to people who don't view the forums at all, let alone this topic. let alone if they've got the ability to implement a solution. The most obvious route may be to put a Notice out through the Boinc Manager itself, though someone will have to prepare an idiot-proof set of instructions to do so. The only other thing I can think of is for people here who are in teams to contact their other Rosetta team members and advise them how to solve the immediate problem. Anyone else with any ideas before Admin and Mod.Sense get back to us with some clever solution of their own? |
Kissagogo27 Send message Joined: 31 Mar 20 Posts: 86 Credit: 2,931,734 RAC: 2,750 |
hi, Deleting the expired certificat with notepad+ even with Boinc running works well, Thanks a lot ( W7 32b) |
Brian Nixon Send message Joined: 12 Apr 20 Posts: 293 Credit: 8,432,366 RAC: 0 |
Sid Celery wrote: I'm not sure what anyone at Rosetta can do They might be able to change the servers’ SSL certificates to ones signed by CAs that aren’t affected by this client problem. put a Notice out through the Boinc Manager There might be a chicken-and-egg problem there: if the notices are fetched via HTTPS, and HTTPS isn’t working… |
Mr P Hucker Send message Joined: 12 Aug 06 Posts: 1600 Credit: 11,845,183 RAC: 9,025 |
Presumably this will rectify after midnight in each user's timezone? In Android 9 (Pie) the following DID NOT WORK: It only affects some projects, my Androids are doing other project work instead. I only know of LHC, Rosetta, and Numberfields needing the certificate. |
Message boards :
Number crunching :
Peer certificate cannot be authenticated with given CA certificates
©2024 University of Washington
https://www.bakerlab.org