So now what?

I had a problem very similar to this on my Mint hosts. That problem went away when I installed the libnsspem library.

sudo apt-get install libnsspem

As I recall it, the http_debug output in my case complained that it couldn't find libnsspem.so, so it may not have been exactly the same as your problem...

Tried that just now, as well. No change.

---

Linux laptop:
record uptime: 1511d 20h 19m (ended due to the power brick giving-up)

I don't know if it means anything, but in my googling, I found a boinc forum post from 2009 where someone was asking about this very thing for WCG, and one of the devs replied and said that the cert WCG relies-on is good until "2019".

Maybe we've reached the point in "2019" for that particular cert, perhaps? I know we're not WCG, but it seems to line up.

BOINC grasped that particular nettle in January 2018, and updated the certificate bundle ('ca-bundle.crt') sent to Windows users - and, I think, Android users too. It was a developer from WCG who took the lead on #2326, so I don't think we're expecting any equivalent of the millenium bug in 2019.

But that doesn't solve the problem of bringing Linux system-level certificates up to 2019 standards.

BOINC grasped that particular nettle in January 2018, and updated the certificate bundle ('ca-bundle.crt') sent to Windows users - and, I think, Android users too. It was a developer from WCG who took the lead on #2326, so I don't think we're expecting any equivalent of the millenium bug in 2019.

But that doesn't solve the problem of bringing Linux system-level certificates up to 2019 standards.

Well I copied the text from https://github.com/BOINC/boinc/blob/master/curl/ca-bundle.crt and saved it as ca-bundle.crt and dropped it into the data directory on the linux machine. Same error:

[http_debug] [ID#1] Info: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm

What else can I do/try?

---

Linux laptop:
record uptime: 1511d 20h 19m (ended due to the power brick giving-up)

Well I copied the text from https://github.com/BOINC/boinc/blob/master/curl/ca-bundle.crt and saved it as ca-bundle.crt and dropped it into the data directory on the linux machine. Same error:

[http_debug] [ID#1] Info: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm

What else can I do/try?

I can't help with a magic script, but I can try to help narrow down the problem.

ca-bundle.crt is actually - I was surprised to find out - a plain text file. You can open it in any text editor and read the description, and the names of each included certificate. It starts:

## Certificate data from Mozilla as of: Fri Jan 26 21:30:21 2018 GMT
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
## file (certdata.txt). This file can be found in the mozilla source tree:
## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
##
## It contains the certificates in PEM format and therefore
## can be directly used with curl / libcurl / php_curl, or with
## an Apache+mod_ssl webserver for SSL client authentication.
## Just configure this file as the SSLCACertificateFile.
##
## Conversion done with mk-ca-bundle.pl version 1.27.
## SHA256: a3ac15b98179dd2f3c5de076d10b1d53048754372f7207c2f327510cdd78fbd8

The individual certificates themselves are, of course, encrypted. It rather sounds as if Cosmic_Ocean's problem doesn't lie with the certificates themselves, but with the tool needed to decrypt them.

The individual certificates themselves are, of course, encrypted. It rather sounds as if Cosmic_Ocean's problem doesn't lie with the certificates themselves, but with the tool needed to decrypt them.

He runs Boinc version 6.10.58, that may just be too old...?

---

He runs Boinc version 6.10.58, that may just be too old...?

I'm sure I've advised users of older BOINCs to update certificate bundles, and it's worked with the new files. This one is different.

He runs Boinc version 6.10.58, that may just be too old...?

I'm sure I've advised users of older BOINCs to update certificate bundles, and it's worked with the new files. This one is different.

Yes, I've looked around, and it seems the standard fix for the ASN1_item_verify error is to update openssl to version 0.9.8o.
Have you tried that, Cosmic?

[Edit: I checked on one of my Mint hosts, and 'openssl version' says 1.1.1]

---

He runs Boinc version 6.10.58, that may just be too old...?

I'm sure I've advised users of older BOINCs to update certificate bundles, and it's worked with the new files. This one is different.

Yes, I've looked around, and it seems the standard fix for the ASN1_item_verify error is to update openssl to version 0.9.8o.
Have you tried that, Cosmic?

[Edit: I checked on one of my Mint hosts, and 'openssl version' says 1.1.1]

root@taurus:~# openssl version
OpenSSL 1.1.1  11 Sep 2018
root@taurus:~#

but... this line from the startup of boinc:

2019-09-17 04:15:58 Libraries: libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.11 c-ares/1.5.1

So how do I get boinc to use openssl/1.1.1 instead? I remember getting a Windows client to use a newer version of curl before by doing something, but I don't remember what I did to get it to do that.


also, for reference..

2019-09-17 04:15:58 Starting BOINC client version 6.10.58 for x86_64-pc-linux-gnu
2019-09-17 04:15:58 Data directory: /var/lib/boinc-client
2019-09-17 04:15:58 OS: Linux: 4.15.0-62-generic

---

Linux laptop:
record uptime: 1511d 20h 19m (ended due to the power brick giving-up)

but... this line from the startup of boinc:

2019-09-17 04:15:58 Libraries: libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.11 c-ares/1.5.1

So how do I get boinc to use openssl/1.1.1 instead? I remember getting a Windows client to use a newer version of curl before by doing something, but I don't remember what I did to get it to do that.

So there's the core of the problem. Boinc uses 0.9.8g where it should use something newer. Now all we need is a good solution!

---

So how do I get boinc to use openssl/1.1.1 instead? I remember getting a Windows client to use a newer version of curl before by doing something, but I don't remember what I did to get it to do that.

I think I remember how I did it with Windows.. in c:\program files\boinc (where the BOINC software itself is installed), there are DLLs for those libraries.

But in linux.. the core software is in the data directory where all the xml files are and it relies on system variables and references for the libraries.

So.. I need to try to figure out why it is falling-back to 0.9.8g and fix that reference, I guess.

---

Linux laptop:
record uptime: 1511d 20h 19m (ended due to the power brick giving-up)

Not a good sign, on the server status page

Database/file status

Warning: number_format() expects parameter 1 to be double, string given in /disks/carolyn/b/home/boincadm/projects/sah/html/seti_boinc_html/sah_status.php on line 604 Warning: number_format() expects parameter 1 to be double, string given in /disks/carolyn/b/home/boincadm/projects/sah/html/seti_boinc_html/sah_status.php on line 606 Warning: number_format() expects parameter 1 to be double, string given in /disks/carolyn/b/home/boincadm/projects/sah/html/seti_boinc_html/sah_status.php on line 608

And the "Results received in last hour " line is blank.

---

Grant
Darwin NT

And the "Results received in last hour " line is blank.

As are the result turnround times, as a result of the number formatting failures in the warning messages.

And now it's been posted about, it's Ok again.

---

Grant
Darwin NT

It seems that the phantom tinkerer has been tinkering again. The BOINC website (housed in the same rack cabinets as the SETI servers) has been intermittently 'down for maintenance' since about midnight, Berkeley time - affecting only the database of messages, not downloads, wiki pages, etc.

The "randomness" of the BOINC message board must be perfectly synchronised with me trying to access the BOINC message boards as they have been saying "down for maintenance" since I first looked at about 07:00 (BST) today.
The Phantom Phiddler must has done his/her thing then gone home for the night without checking the thing had actually worked, or rolling back to a known working state.

---

Bob Smith
Member of Seti PIPPS (Pluto is a Planet Protest Society)
Somewhere in the (un)known Universe?

Since no one appears to have his email address, I have emailed him from my Eype beach. Let's see if we get a reaction.

---

It did come back online briefly somewhere around 3am PST, because I retrieved a PM sent at 0:33:53 UTC (but still no email notification). The PM answered a question I had asked on the open message board, but the sender said he was using a PM to reply because "Tried to answer your question but the program did not allow". I'm being very careful not to refresh the PM page because I need to tie back that answer with the original post which prompted my question.

For PST, read PDT.

BOINC message boards still "down for maintenance"... Guess there has been too much hair burning and howling over there that the servers have come to an early death.

---

BOINC message boards still "down for maintenance"... Guess there has been too much hair burning and howling over there that the servers have come to an early death.

What else would you suggest for us to do in order to bring it back?

---