Problem with the SSL CA cert
Author | Message |
---|---|
Iztok s52d (and friends) Joined: 12 Jan 01 Posts: 136 Credit: 393,469,375 RAC: 116 |
Hi! two boxes with boinc 6.10.58 can not connect after outage, log said: 15-Apr-2015 00:59:58 [SETI@home] Reporting 124 completed tasks, requesting new tasks for GPU 15-Apr-2015 01:00:01 [---] Project communication failed: attempting access to reference site 15-Apr-2015 01:00:01 [SETI@home] Scheduler request failed: Problem with the SSL CA cert (path? access rights?) 15-Apr-2015 01:00:07 [---] Internet access OK - project servers may be temporarily down. another 6.10.58 did OK. This might be temporary, this might be something overlooked? I tried boinc restart, no change. 73 s52d |
Richard Haselgrove Joined: 4 Jul 99 Posts: 14650 Credit: 200,643,578 RAC: 874 |
There was a problem at GPUGrid recently with an outdated ca-bundle.crt file - it's supplied by BOINC, and installed in the BOINC program directory. The ca-bundle.crt from a newer BOINC can be dropped in as a direct replacement See: https://www.gpugrid.net/forum_thread.php?id=3846&nowrap=true#40528 (Crunch3r was wrong - you don't even have to re-start BOINC) |
Iztok s52d (and friends) Joined: 12 Jan 01 Posts: 136 Credit: 393,469,375 RAC: 116 |
After some googling, seems it happens with apache + paypal. Few people fixed it by restarting apache, some have to fix some links, some updated nss-* libraries. http://kiteplans.info/2015/01/15/solved-bug-centos-yum-rpm-broken-by-nss-softokn-3-14-3-19-el6_6-update-error-rpmts_hdrfromfdno-error-rpmdbnextiterator-header-v3-rsasha1-signature-key-id-bad/comment-page-1/ http://stackoverflow.com/questions/7179216/php-problem-with-the-ssl-ca-cert-path-access-rights BR s52d |
boinc127 Joined: 22 Mar 11 Posts: 5 Credit: 1,466,027 RAC: 0 |
I'm currently having an issue with uploading work for World Community Grid... 04.14.2015 18.23.29 | World Community Grid | update requested by user 04.14.2015 18.23.34 | World Community Grid | Sending scheduler request: Requested by user. 04.14.2015 18.23.34 | World Community Grid | Reporting 7 completed tasks 04.14.2015 18.23.34 | World Community Grid | Not requesting tasks: "no new tasks" requested via Manager 04.14.2015 18.23.35 | | Project communication failed: attempting access to reference site 04.14.2015 18.23.35 | World Community Grid | Scheduler request failed: SSL connect error 04.14.2015 18.23.37 | | Internet access OK - project servers may be temporarily down. Maybe it's a similar SSL error? |
HAL9000 Joined: 11 Sep 99 Posts: 6534 Credit: 196,805,888 RAC: 57 |
There was a problem at GPUGrid recently with an outdated ca-bundle.crt file - it's supplied by BOINC, and installed in the BOINC program directory. The ca-bundle.crt from a newer BOINC can be dropped in as a direct replacement That sort of kills the "set and forget" aspect of BOINC. Seems like something important to communicating with projects should be sent to the client in some way. SETI@home classic workunits: 93,865 CPU time: 863,447 hours Join the BP6/VP6 User Group (http://tinyurl.com/8y46zvu) |
Iztok s52d (and friends) Joined: 12 Jan 01 Posts: 136 Credit: 393,469,375 RAC: 116 |
Thanks! There was a problem at GPUGrid recently with an outdated ca-bundle.crt file - it's supplied by BOINC, and installed in the BOINC program directory. The ca-bundle.crt from a newer BOINC can be dropped in as a direct replacement Linux here, slackware. Old kernel (reason for old boinc client). tried newer ca-bundle.crt, tried to update /usr/share/apps/kssl/ca-bundle.crt /usr/share/ncat/ca-bundle.crt /usr/share/curl/ca-bundle.crt and /home/boinc/BOINC and /home/boinc/boinc, of course. now it is a bit different error: 15-Apr-2015 01:56:46 [SETI@home] Reporting 130 completed tasks, requesting new tasks for CPU and GPU 15-Apr-2015 01:56:49 [---] Project communication failed: attempting access to reference site 15-Apr-2015 01:56:49 [SETI@home] Scheduler request failed: SSL connect error 15-Apr-2015 01:56:50 [---] Internet access OK - project servers may be temporarily down. It smells like some library confusion: same boinc version works fine on another PC. So it is not standard boinc problem. PC will get restart in the morning: this helps to resolve some library issues. BR, GN s52d |
ivan Joined: 5 Mar 01 Posts: 783 Credit: 348,560,338 RAC: 223 |
There was a problem at GPUGrid recently with an outdated ca-bundle.crt file - it's supplied by BOINC, and installed in the BOINC program directory. The ca-bundle.crt from a newer BOINC can be dropped in as a direct replacement Thanks, Richard; I had two Linux machines at work that were suffering the problem and the download fixed them. There's another Win10 machine in my office not reported in yet tonight, but I can't log-on to it from here to check why. |
Iztok s52d (and friends) Joined: 12 Jan 01 Posts: 136 Credit: 393,469,375 RAC: 116 |
Sigh. Restart, and no help. Einstein updated fine. GN s52d Thanks! |
ivan Joined: 5 Mar 01 Posts: 783 Credit: 348,560,338 RAC: 223 |
There was a problem at GPUGrid recently with an outdated ca-bundle.crt file - it's supplied by BOINC, and installed in the BOINC program directory. The ca-bundle.crt from a newer BOINC can be dropped in as a direct replacement OK, it's reported in on its own, so all my machines are current after the maintenance break. |
OTS Joined: 6 Jan 08 Posts: 369 Credit: 20,533,537 RAC: 0 |
There was a problem at GPUGrid recently with an outdated ca-bundle.crt file - it's supplied by BOINC, and installed in the BOINC program directory. The ca-bundle.crt from a newer BOINC can be dropped in as a direct replacement I had the same “Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates” and “Internet access OK - project servers may be temporarily down” error with boinc 7.0.65 and the ca-bundle.crt file dated 28Mar13. I copied one dated 16Sep14 from boinc 7.4.22 into the running boinc directory and at the very next update all the recently uploaded files were acknowledged and things seem back to normal. Thanks for the heads up. |
Iztok s52d (and friends) Joined: 12 Jan 01 Posts: 136 Credit: 393,469,375 RAC: 116 |
summary: not yet working. Problem started yesterday after outage. old linux, old BOINC, SSL. BR s52d findings so far: BOINC wiki, good description: https://boinc.berkeley.edu/trac/wiki/Error/Scheduler%20request%20failed if there is no ca-bundle.crt file, error is: [SETI@home] Scheduler request failed: Problem with the SSL CA cert (path? access rights?) if there is very old one: -rw-r--r-- 1 boinc boinc 238100 Sep 9 2010 ca-bundle.crt problem comes to: [SETI@home] Scheduler request failed: Peer certificate cannot be authenticated with known CA certificates latest ca-bundle.crt in BOINC: [SETI@home] Scheduler request failed: SSL connect error As this is probably just a step into solution ... curl --version shows SSL and https. I have one box with older curl, boinc 6.4.5 and it works. This one has BOINC 6.10.58, curl --version curl 7.21.4 (x86_64-unknown-linux-gnu) libcurl/7.21.4 OpenSSL/0.9.8n zlib/1.2.5 libidn/1.19 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtp Features: IDN IPv6 Largefile NTLM SSL libz custom kernel 2.6.37.6 (but I have not seen any reference to kernel related to this problem) |
Iztok s52d (and friends) Joined: 12 Jan 01 Posts: 136 Credit: 393,469,375 RAC: 116 |
Summary: is there an option to turn off SSL towards servers? 64 bit old boinc (6.6/6.10) does not work with SSL towards setiathome servers, while 32 bit versions work. BR s52d More experimenting: Slackware LINUX 13.37, 4 years old. 64 bit, no 32 bit libraries (it is slackware). Boinc 6.10.58 works, more modern not (libc etc). Boinc 6.6.20: works as well. But not towards seti servers, SSL fails (I tried with different ca-bundle.crt files). funny: some even older 32 bit boinc works fine towards servers even without ca-bundle.crt! libs are statically linked to boinc. 15-Apr-2015 00:55:35 [---] Starting BOINC client version 6.10.58 for x86_64-pc-linux-gnu 15-Apr-2015 00:55:35 [---] Config: use at most 3 CPUs 15-Apr-2015 00:55:35 [---] Libraries: libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.5 c-ares/1.5.1 15-Apr-2015 00:55:35 [---] Data directory: /home/boinc/boinc 15-Apr-2015 00:55:35 [---] Processor: 8 GenuineIntel Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz [Family 6 Model 42 Step 15-Apr-2015 00:55:35 [---] Using 3 CPUs 15-Apr-2015 00:55:35 [---] Processor: 8.00 MB cache 15-Apr-2015 00:55:35 [---] Processor features: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse 15-Apr-2015 00:55:35 [---] OS: Linux: 2.6.37.6i 15-Apr-2015 00:55:35 [---] Memory: 15.67 GB physical, 4.00 GB virtual 15-Apr-2015 00:55:35 [---] Disk: 1.79 TB total, 158.68 GB free 15-Apr-2015 00:55:35 [---] Local time is UTC +2 hours 15-Apr-2015 00:55:36 [---] NVIDIA GPU 0: GeForce GTX 570 (driver version unknown, CUDA version 6050, compute capabil 15-Apr-2015 00:55:36 [SETI@home] Found app_info.xml; using anonymous platform |
Oz Joined: 6 Jun 99 Posts: 233 Credit: 200,655,462 RAC: 212 |
updated my cabundle.crt - the link would not let me download it, still no joy - how do I fix this? Member of the 20 Year Club |
OTS Joined: 6 Jan 08 Posts: 369 Credit: 20,533,537 RAC: 0 |
updated my cabundle.crt - the link would not let me download it, still no joy - how do I fix this? I am a little confused as that sounds contradictory. Couldn't download what? And if by "it" you mean the cabundle.crt, how could you update it as the first three words indicate if you couldn't download it? |
OzzFan Joined: 9 Apr 02 Posts: 15691 Credit: 84,761,841 RAC: 28 |
Just noticed one of my domain controllers (still forced to run BOINC 5.10.45) is getting the same error. I'll have to try the fix Richard suggested. Agreed on the blown "set-it-and-forget-it". :/ [Edit]Hmm... I just copied the ca-bundle.crt from my 7.4.42 install over to the DC and now I'm getting "Scheduler request failed: SSL connect error". Suggests an issue with older BOINC clients using a newer SSL type? This could be a show stopper for older BOINC clients. |
BilBg Joined: 27 May 07 Posts: 3720 Credit: 9,385,827 RAC: 0 |
You may try to copy also ssleay32.dll, libeay32.dll P.S. On BOINC 6.10.58 / Windows XP: I don't have any such Messages in stdoutdae.txt (search for "SSL " and "certificate") What makes/forces BOINC on some computers to use SSL? - ALF - "Find out what you don't do well ..... then don't do it!" :) |
OzzFan Joined: 9 Apr 02 Posts: 15691 Credit: 84,761,841 RAC: 28 |
Nope. Copied ssleay32.dll and libeay32.dll from BOINC 7.4.42 to the DC (which required stopping BOINC to release the file locks), then attempted to restart BOINC and it crashed. Restored previous version of libeay32.dll and ssleay32.dll from secondary DC (also running BOINC 5.10.45).. back to same error. [Edit] So I copied the ca-bundle.crt from my secondary DC (which is not experiencing the problem as of yet) to my main DC, and now I'm right back to the original error message: 4/15/2015 8:51:01 PM | SETI@home | Sending scheduler request: To report completed tasks. Requesting 2764800 seconds of work, reporting 75 completed tasks 4/15/2015 8:51:02 PM | | Project communication failed: attempting access to reference site 4/15/2015 8:51:03 PM | | Access to reference site succeeded - project servers may be temporarily down. 4/15/2015 8:51:06 PM | SETI@home | Scheduler request failed: Peer certificate cannot be authenticated with known CA certificates |
Jord Joined: 9 Jun 99 Posts: 15184 Credit: 4,362,181 RAC: 3 |
Since no one else seems to have asked the project admin, I did. :) Seti switched to using HTTPS for scheduler requests a while ago to avoid sending authenticators in cleartext. For the moment the admins have turned it back to HTTP since this now causes the troubles with older clients. They'll look for a different way to protect the innocent... errr.. :) |
Iztok s52d (and friends) Joined: 12 Jan 01 Posts: 136 Credit: 393,469,375 RAC: 116 |
Thanks! Just noticed it works fine. BR s52d Since no one else seems to have asked the project admin, I did. :) |
Jord Joined: 9 Jun 99 Posts: 15184 Credit: 4,362,181 RAC: 3 |
From Rom Walton: It probably has to do more with what is supported in the specific version of OpenSSL included with BOINC than the CA Bundle. Backwards compatibility has been in decline on the web with Heartbleed and Freak being discovered. It would not surprise me if older BOINC clients were having problems connecting to up-to-date BOINC servers over SSL. |
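
The three "Scheduler request failed" messages reported in this thread point at different layers (CA file, CA contents, TLS handshake). The following triage script is an added example, not posted by any participant and not BOINC code; `triage`, `HINTS` and the sample log are names made up here, the hints paraphrase the posters' findings, and the sample is assembled from log lines quoted above.

```python
import re

# Hint per failure text, following what posters in this thread reported.
HINTS = {
    "Problem with the SSL CA cert":
        "ca-bundle.crt missing or unreadable in the BOINC directory",
    "Peer certificate cannot be authenticated":
        "ca-bundle.crt too old to contain the server's CA",
    "SSL connect error":
        "TLS handshake failed; suspect the client's bundled OpenSSL, not the CA bundle",
}

FAIL_RE = re.compile(r"Scheduler request failed: (?P<reason>.+?)\s*$")
LIBS_RE = re.compile(r"Libraries: .*?OpenSSL/(?P<ver>[0-9][0-9a-z.]*)")
# Project name appears as "[name]" in some client logs and "| name |" in others.
PROJECT_RE = re.compile(r"\[(?P<a>[^\]]+)\]|\|\s*(?P<b>[^|]*?)\s*\|")

def triage(log_text):
    """Return (openssl_version, [(project, reason, hint), ...]) for a client log."""
    openssl, findings = None, []
    for line in log_text.splitlines():
        m = LIBS_RE.search(line)
        if m:  # startup line naming the statically linked OpenSSL
            openssl = m.group("ver")
            continue
        m = FAIL_RE.search(line)
        if not m:
            continue
        reason = m.group("reason")
        p = PROJECT_RE.search(line)
        project = (p.group("a") or p.group("b")) if p else "?"
        hint = next((h for k, h in HINTS.items() if reason.startswith(k)),
                    "unrecognised failure")
        findings.append((project, reason, hint))
    return openssl, findings

# Sample assembled for this example from log lines quoted in the thread.
SAMPLE = """\
15-Apr-2015 00:55:35 [---] Libraries: libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.5 c-ares/1.5.1
15-Apr-2015 01:00:01 [SETI@home] Scheduler request failed: Problem with the SSL CA cert (path? access rights?)
04.14.2015 18.23.35 | World Community Grid | Scheduler request failed: SSL connect error
4/15/2015 8:51:06 PM | SETI@home | Scheduler request failed: Peer certificate cannot be authenticated with known CA certificates
"""

if __name__ == "__main__":
    version, results = triage(SAMPLE)
    print("client OpenSSL:", version)
    for project, reason, hint in results:
        print(f"{project}: {reason}\n  -> {hint}")
```
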