Problem with the SSL CA cert

Iztok s52d (and friends)

Joined: 12 Jan 01
Posts: 136
Credit: 393,469,375
RAC: 116
Slovenia
Message 1665413 - Posted: 14 Apr 2015, 23:05:28 UTC

Hi!

Two boxes with boinc 6.10.58 cannot connect after outage,
log said:

15-Apr-2015 00:59:58 [SETI@home] Reporting 124 completed tasks, requesting new tasks for GPU
15-Apr-2015 01:00:01 [---] Project communication failed: attempting access to reference site
15-Apr-2015 01:00:01 [SETI@home] Scheduler request failed: Problem with the SSL CA cert (path? access rights?)
15-Apr-2015 01:00:07 [---] Internet access OK - project servers may be temporarily down.


another 6.10.58 did OK.

This might be temporary, this might be something overlooked?

I tried boinc restart, no change.

73
s52d
ID: 1665413 · Report as offensive
Richard Haselgrove Project Donor
Volunteer tester

Joined: 4 Jul 99
Posts: 14649
Credit: 200,643,578
RAC: 874
United Kingdom
Message 1665414 - Posted: 14 Apr 2015, 23:14:58 UTC - in response to Message 1665413.  

There was a problem at GPUGrid recently with an outdated ca-bundle.crt file - it's supplied by BOINC, and installed in the BOINC program directory. The ca-bundle.crt from a newer BOINC can be dropped in as a direct replacement

See: https://www.gpugrid.net/forum_thread.php?id=3846&nowrap=true#40528
(Crunch3r was wrong - you don't even have to re-start BOINC)
ID: 1665414 · Report as offensive
Iztok s52d (and friends)

Joined: 12 Jan 01
Posts: 136
Credit: 393,469,375
RAC: 116
Slovenia
Message 1665417 - Posted: 14 Apr 2015, 23:19:46 UTC - in response to Message 1665413.  

ID: 1665417 · Report as offensive
boinc127
Volunteer tester

Joined: 22 Mar 11
Posts: 5
Credit: 1,466,027
RAC: 0
United States
Message 1665420 - Posted: 14 Apr 2015, 23:26:59 UTC

I'm currently having an issue with uploading work for World Community Grid...


04.14.2015 18.23.29 | World Community Grid | update requested by user
04.14.2015 18.23.34 | World Community Grid | Sending scheduler request: Requested by user.
04.14.2015 18.23.34 | World Community Grid | Reporting 7 completed tasks
04.14.2015 18.23.34 | World Community Grid | Not requesting tasks: "no new tasks" requested via Manager
04.14.2015 18.23.35 | | Project communication failed: attempting access to reference site
04.14.2015 18.23.35 | World Community Grid | Scheduler request failed: SSL connect error
04.14.2015 18.23.37 | | Internet access OK - project servers may be temporarily down.

Maybe it's a similar SSL error?
ID: 1665420 · Report as offensive
Profile HAL9000
Volunteer tester
Joined: 11 Sep 99
Posts: 6534
Credit: 196,805,888
RAC: 57
United States
Message 1665430 - Posted: 14 Apr 2015, 23:55:57 UTC - in response to Message 1665414.  

There was a problem at GPUGrid recently with an outdated ca-bundle.crt file - it's supplied by BOINC, and installed in the BOINC program directory. The ca-bundle.crt from a newer BOINC can be dropped in as a direct replacement

See: https://www.gpugrid.net/forum_thread.php?id=3846&nowrap=true#40528
(Crunch3r was wrong - you don't even have to re-start BOINC)

That sort of kills the "set and forget" aspect of BOINC. Seems like something important to communicating with projects should be sent to the client in some way.
SETI@home classic workunits: 93,865 CPU time: 863,447 hours
Join the BP6/VP6 User Group: http://tinyurl.com/8y46zvu
ID: 1665430 · Report as offensive
Iztok s52d (and friends)

Joined: 12 Jan 01
Posts: 136
Credit: 393,469,375
RAC: 116
Slovenia
Message 1665433 - Posted: 15 Apr 2015, 0:03:51 UTC - in response to Message 1665414.  

Thanks!


There was a problem at GPUGrid recently with an outdated ca-bundle.crt file - it's supplied by BOINC, and installed in the BOINC program directory. The ca-bundle.crt from a newer BOINC can be dropped in as a direct replacement

See: https://www.gpugrid.net/forum_thread.php?id=3846&nowrap=true#40528
(Crunch3r was wrong - you don't even have to re-start BOINC)


Linux here, slackware. Old kernel (reason for old boinc client).
Tried newer ca-bundle.crt, tried to update
/usr/share/apps/kssl/ca-bundle.crt
/usr/share/ncat/ca-bundle.crt
/usr/share/curl/ca-bundle.crt

and /home/boinc/BOINC and /home/boinc/boinc, of course.

now it is a bit different error:

15-Apr-2015 01:56:46 [SETI@home] Reporting 130 completed tasks, requesting new tasks for CPU and GPU
15-Apr-2015 01:56:49 [---] Project communication failed: attempting access to reference site
15-Apr-2015 01:56:49 [SETI@home] Scheduler request failed: SSL connect error
15-Apr-2015 01:56:50 [---] Internet access OK - project servers may be temporarily down.


It smells like some library confusion: same boinc version works fine on another PC. So it is not standard boinc problem.

PC will get restart in the morning: this helps to resolve some library issues.

BR, GN
s52d
ID: 1665433 · Report as offensive
Profile ivan
Volunteer tester
Joined: 5 Mar 01
Posts: 783
Credit: 348,560,338
RAC: 223
United Kingdom
Message 1665439 - Posted: 15 Apr 2015, 0:11:18 UTC - in response to Message 1665414.  
Last modified: 15 Apr 2015, 0:12:06 UTC

There was a problem at GPUGrid recently with an outdated ca-bundle.crt file - it's supplied by BOINC, and installed in the BOINC program directory. The ca-bundle.crt from a newer BOINC can be dropped in as a direct replacement

See: https://www.gpugrid.net/forum_thread.php?id=3846&nowrap=true#40528
(Crunch3r was wrong - you don't even have to re-start BOINC)

Thanks, Richard; I had two Linux machines at work that were suffering the problem and the download fixed them. There's another Win10 machine in my office not reported in yet tonight, but I can't log-on to it from here to check why.
ID: 1665439 · Report as offensive
Iztok s52d (and friends)

Joined: 12 Jan 01
Posts: 136
Credit: 393,469,375
RAC: 116
Slovenia
Message 1665447 - Posted: 15 Apr 2015, 0:25:11 UTC - in response to Message 1665433.  

Sigh.
Restart, and no help.

Einstein updated fine.

GN
s52d


Thanks!


There was a problem at GPUGrid recently with an outdated ca-bundle.crt file - it's supplied by BOINC, and installed in the BOINC program directory. The ca-bundle.crt from a newer BOINC can be dropped in as a direct replacement

See: https://www.gpugrid.net/forum_thread.php?id=3846&nowrap=true#40528
(Crunch3r was wrong - you don't even have to re-start BOINC)


now it is a bit different error:

15-Apr-2015 01:56:46 [SETI@home] Reporting 130 completed tasks, requesting new tasks for CPU and GPU
15-Apr-2015 01:56:49 [---] Project communication failed: attempting access to reference site
15-Apr-2015 01:56:49 [SETI@home] Scheduler request failed: SSL connect error
15-Apr-2015 01:56:50 [---] Internet access OK - project servers may be temporarily down.


BR, GN
s52d
ID: 1665447 · Report as offensive
Profile ivan
Volunteer tester
Joined: 5 Mar 01
Posts: 783
Credit: 348,560,338
RAC: 223
United Kingdom
Message 1665457 - Posted: 15 Apr 2015, 0:50:51 UTC - in response to Message 1665439.  

There was a problem at GPUGrid recently with an outdated ca-bundle.crt file - it's supplied by BOINC, and installed in the BOINC program directory. The ca-bundle.crt from a newer BOINC can be dropped in as a direct replacement

See: https://www.gpugrid.net/forum_thread.php?id=3846&nowrap=true#40528
(Crunch3r was wrong - you don't even have to re-start BOINC)

Thanks, Richard; I had two Linux machines at work that were suffering the problem and the download fixed them. There's another Win10 machine in my office not reported in yet tonight, but I can't log-on to it from here to check why.

OK, it's reported in on its own, so all my machines are current after the maintenance break.
ID: 1665457 · Report as offensive
OTS
Volunteer tester

Joined: 6 Jan 08
Posts: 369
Credit: 20,533,537
RAC: 0
United States
Message 1665463 - Posted: 15 Apr 2015, 1:20:41 UTC - in response to Message 1665414.  

There was a problem at GPUGrid recently with an outdated ca-bundle.crt file - it's supplied by BOINC, and installed in the BOINC program directory. The ca-bundle.crt from a newer BOINC can be dropped in as a direct replacement

See: https://www.gpugrid.net/forum_thread.php?id=3846&nowrap=true#40528
(Crunch3r was wrong - you don't even have to re-start BOINC)



I had the same

“Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates”

and

“Internet access OK - project servers may be temporarily down”

error with boinc 7.0.65 and the ca-bundle.crt file dated 28Mar13. I copied one dated 16Sep14 from boinc 7.4.22 into the running boinc directory and at the very next update all the recently uploaded files were acknowledged and things seem back to normal.

Thanks for the heads up.
ID: 1665463 · Report as offensive
Iztok s52d (and friends)

Joined: 12 Jan 01
Posts: 136
Credit: 393,469,375
RAC: 116
Slovenia
Message 1665526 - Posted: 15 Apr 2015, 5:09:49 UTC - in response to Message 1665447.  

summary: not yet working. Problem started yesterday after outage.

old linux, old BOINC, SSL.

BR
s52d

findings so far:

BOINC wiki, good description:

https://boinc.berkeley.edu/trac/wiki/Error/Scheduler%20request%20failed

if there is no ca-bundle.crt file, error is:
[SETI@home] Scheduler request failed: Problem with the SSL CA cert (path? access rights?)

if there is very old one:
-rw-r--r-- 1 boinc boinc 238100 Sep 9 2010 ca-bundle.crt

problem comes to:
[SETI@home] Scheduler request failed: Peer certificate cannot be authenticated with known CA certificates

latest ca-bundle.crt in BOINC:

[SETI@home] Scheduler request failed: SSL connect error

As this is probably just a step into solution ...
curl --version shows SSL and https. I have one box with older curl,
boinc 6.4.5 and it works.

This one has BOINC 6.10.58,

curl --version

curl 7.21.4 (x86_64-unknown-linux-gnu) libcurl/7.21.4 OpenSSL/0.9.8n zlib/1.2.5 libidn/1.19
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtp
Features: IDN IPv6 Largefile NTLM SSL libz

custom kernel 2.6.37.6 (but I have not seen any reference to kernel related to this problem)
ID: 1665526 · Report as offensive
Iztok s52d (and friends)

Joined: 12 Jan 01
Posts: 136
Credit: 393,469,375
RAC: 116
Slovenia
Message 1665662 - Posted: 15 Apr 2015, 16:00:12 UTC - in response to Message 1665526.  

Summary: is there an option to turn off SSL towards servers?

64 bit old boinc (6.6/6.10) does not work with SSL towards setiathome servers,
while 32 bit versions work.

BR
s52d



More experimenting:

Slackware LINUX 13.37, 4 years old. 64 bit, no 32 bit libraries (it is slackware).

Boinc 6.10.58 works, more modern not (libc etc).
Boinc 6.6.20: works as well.

But not towards seti servers, SSL fails (I tried with different ca-bundle.crt files).

funny: some even older 32 bit boinc works fine towards servers even without
ca-bundle.crt!

libs are statically linked to boinc.


15-Apr-2015 00:55:35 [---] Starting BOINC client version 6.10.58 for x86_64-pc-linux-gnu
15-Apr-2015 00:55:35 [---] Config: use at most 3 CPUs
15-Apr-2015 00:55:35 [---] Libraries: libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.5 c-ares/1.5.1
15-Apr-2015 00:55:35 [---] Data directory: /home/boinc/boinc
15-Apr-2015 00:55:35 [---] Processor: 8 GenuineIntel Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz [Family 6 Model 42 Step
15-Apr-2015 00:55:35 [---] Using 3 CPUs
15-Apr-2015 00:55:35 [---] Processor: 8.00 MB cache
15-Apr-2015 00:55:35 [---] Processor features: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse
15-Apr-2015 00:55:35 [---] OS: Linux: 2.6.37.6i
15-Apr-2015 00:55:35 [---] Memory: 15.67 GB physical, 4.00 GB virtual
15-Apr-2015 00:55:35 [---] Disk: 1.79 TB total, 158.68 GB free
15-Apr-2015 00:55:35 [---] Local time is UTC +2 hours
15-Apr-2015 00:55:36 [---] NVIDIA GPU 0: GeForce GTX 570 (driver version unknown, CUDA version 6050, compute capabil
15-Apr-2015 00:55:36 [SETI@home] Found app_info.xml; using anonymous platform
ID: 1665662 · Report as offensive
Profile Oz
Joined: 6 Jun 99
Posts: 233
Credit: 200,655,462
RAC: 212
United States
Message 1665706 - Posted: 15 Apr 2015, 18:30:28 UTC

updated my cabundle.crt - the link would not let me download it, still no joy - how do I fix this?
Member of the 20 Year Club



ID: 1665706 · Report as offensive
OTS
Volunteer tester

Joined: 6 Jan 08
Posts: 369
Credit: 20,533,537
RAC: 0
United States
Message 1665715 - Posted: 15 Apr 2015, 18:50:39 UTC - in response to Message 1665706.  

updated my cabundle.crt - the link would not let me download it, still no joy - how do I fix this?


I am a little confused as that sounds contradictory. Couldn't download what? And if by "it" you mean the cabundle.crt, how could you update it as the first three words indicate if you couldn't download it?
ID: 1665715 · Report as offensive
OzzFan · Crowdfunding Project Donor · Special Project $75 donor · Special Project $250 donor
Volunteer tester
Joined: 9 Apr 02
Posts: 15691
Credit: 84,761,841
RAC: 28
United States
Message 1665834 - Posted: 16 Apr 2015, 0:36:26 UTC
Last modified: 16 Apr 2015, 0:41:33 UTC

Just noticed one of my domain controllers (still forced to run BOINC 5.10.45) is getting the same error. I'll have to try the fix Richard suggested. Agreed on the blown "set-it-and-forget-it". :/


[Edit]Hmm... I just copied the ca-bundle.crt from my 7.4.42 install over to the DC and now I'm getting "Scheduler request failed: SSL connect error". Suggests an issue with older BOINC clients using a newer SSL type? This could be a show stopper for older BOINC clients.
ID: 1665834 · Report as offensive
Profile BilBg
Volunteer tester
Joined: 27 May 07
Posts: 3720
Credit: 9,385,827
RAC: 0
Bulgaria
Message 1665843 - Posted: 16 Apr 2015, 1:16:00 UTC - in response to Message 1665834.  

You may try to copy also ssleay32.dll, libeay32.dll

P.S.
On BOINC 6.10.58 / Windows XP:
I don't have any such Messages in stdoutdae.txt (search for "SSL " and "certificate")

What makes/forces BOINC on some computers to use SSL?
 


- ALF - "Find out what you don't do well ..... then don't do it!" :)
 
ID: 1665843 · Report as offensive
OzzFan · Crowdfunding Project Donor · Special Project $75 donor · Special Project $250 donor
Volunteer tester
Joined: 9 Apr 02
Posts: 15691
Credit: 84,761,841
RAC: 28
United States
Message 1665851 - Posted: 16 Apr 2015, 1:45:38 UTC - in response to Message 1665843.  
Last modified: 16 Apr 2015, 1:49:47 UTC

Nope. Copied ssleay32.dll and libeay32.dll from BOINC 7.4.42 to the DC (which required stopping BOINC to release the file locks), then attempted to restart BOINC and it crashed. Restored previous version of libeay32.dll and ssleay32.dll from secondary DC (also running BOINC 5.10.45).. back to same error.

[Edit] So I copied the ca-bundle.crt from my secondary DC (which is not experiencing the problem as of yet) to my main DC, and now I'm right back to the original error message:

4/15/2015 8:51:01 PM | SETI@home | Sending scheduler request: To report completed tasks. Requesting 2764800 seconds of work, reporting 75 completed tasks
4/15/2015 8:51:02 PM | | Project communication failed: attempting access to reference site
4/15/2015 8:51:03 PM | | Access to reference site succeeded - project servers may be temporarily down.
4/15/2015 8:51:06 PM | SETI@home | Scheduler request failed: Peer certificate cannot be authenticated with known CA certificates
ID: 1665851 · Report as offensive
Profile Jord
Volunteer tester
Joined: 9 Jun 99
Posts: 15184
Credit: 4,362,181
RAC: 3
Netherlands
Message 1666028 - Posted: 16 Apr 2015, 17:46:20 UTC

Since no one else seems to have asked the project admin, I did. :)
Seti switched to using HTTPS for scheduler requests a while ago to avoid sending authenticators in cleartext.

For the moment the admins have turned it back to HTTP since this now causes the troubles with older clients. They'll look for a different way to protect the innocent... errr.. :)
ID: 1666028 · Report as offensive
Iztok s52d (and friends)

Joined: 12 Jan 01
Posts: 136
Credit: 393,469,375
RAC: 116
Slovenia
Message 1666048 - Posted: 16 Apr 2015, 18:29:12 UTC - in response to Message 1666028.  

Thanks!

Just noticed it works fine.

BR
s52d






Since no one else seems to have asked the project admin, I did. :)
Seti switched to using HTTPS for scheduler requests a while ago to avoid sending authenticators in cleartext.

For the moment the admins have turned it back to HTTP since this now causes the troubles with older clients. They'll look for a different way to protect the innocent... errr.. :)
ID: 1666048 · Report as offensive
Profile Jord
Volunteer tester
Joined: 9 Jun 99
Posts: 15184
Credit: 4,362,181
RAC: 3
Netherlands
Message 1666070 - Posted: 16 Apr 2015, 19:43:24 UTC

From Rom Walton:
It probably has to do more with what is supported in the specific version of OpenSSL included with BOINC than the CA Bundle.

Backwards compatibility has been in decline on the web with Heartbleed and Freak being discovered. It would not surprise me if older BOINC clients were having problems connecting to up-to-date BOINC servers over SSL.

ID: 1666070 · Report as offensive
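
An added example, not part of any post in this thread and not BOINC code: a small triage script that reads BOINC client log lines in both formats quoted above, pulls the statically linked library versions from the startup line, and maps each "Scheduler request failed" message to the libcurl error behind it. The CURLcode numbers come from libcurl's public error list; the "layer to check" wording is this example's own.

```python
import re

# libcurl error text seen in the thread -> (CURLcode, layer to check first).
# The layer descriptions are this example's wording, not BOINC's.
CURL_ERRORS = [
    ("Problem with the SSL CA cert", 77, "ca-bundle.crt missing or unreadable"),
    ("Peer certificate cannot be authenticated", 60,
     "ca-bundle.crt lacks a CA that chains to the server certificate"),
    ("SSL connect error", 35,
     "TLS handshake failed; check protocol support in the linked OpenSSL"),
]

# Project name appears as "[SETI@home]" (6.x logs) or "| SETI@home |" (7.x logs).
FAIL_RE = re.compile(
    r"(?:\[(?P<a>[^\]]+)\]|\|\s*(?P<b>[^|]*?)\s*\|)\s*"
    r"Scheduler request failed: (?P<msg>.+)$")
LIBS_RE = re.compile(r"Libraries: (.+)$")


def triage(log_lines):
    """Return (libraries, findings) for an iterable of BOINC client log lines."""
    libraries, findings = {}, []
    for raw in log_lines:
        line = raw.rstrip()
        m = LIBS_RE.search(line)
        if m:  # startup line listing the statically linked libraries
            libraries = dict(p.split("/", 1) for p in m.group(1).split() if "/" in p)
            continue
        m = FAIL_RE.search(line)
        if not m:
            continue
        project = m.group("a") or m.group("b")
        for prefix, code, layer in CURL_ERRORS:
            if m.group("msg").startswith(prefix):
                findings.append((project, code, layer))
                break
        else:
            findings.append((project, None, "not one of the TLS errors above"))
    return libraries, findings


# Sample input: lines copied from the posts in this thread.
SAMPLE_LOG = [
    "15-Apr-2015 00:55:35 [---] Libraries: libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.5 c-ares/1.5.1",
    "15-Apr-2015 01:00:01 [SETI@home] Scheduler request failed: Problem with the SSL CA cert (path? access rights?)",
    "15-Apr-2015 01:56:49 [SETI@home] Scheduler request failed: SSL connect error",
    "04.14.2015 18.23.35 | World Community Grid | Scheduler request failed: SSL connect error",
    "4/15/2015 8:51:06 PM | SETI@home | Scheduler request failed: Peer certificate cannot be authenticated with known CA certificates",
    "15-Apr-2015 01:00:07 [---] Internet access OK - project servers may be temporarily down.",
]

if __name__ == "__main__":
    libs, found = triage(SAMPLE_LOG)
    print("linked libraries:", libs)
    for project, code, layer in found:
        print(f"{project}: CURLcode {code}: {layer}")
```

A client that moves from code 77 or 60 to code 35 after a bundle swap, as several posters saw, has got past the file and trust-store checks and is now failing in the handshake itself, which points at the linked OpenSSL rather than the CA bundle.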
©2024 University of California
 
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.