Wordcommunitygrid Message "Peer certificate cannot be authenticated with known CA certificates."

Bug #246205 reported by Christian Rüger
This bug affects 24 people
Affects Status Importance Assigned to Milestone
boinc (Debian)
Fix Released
Unknown
boinc (Ubuntu)
High
Unassigned
Nominated for Karmic by Alexandre Maciel
Nominated for Lucid by Neil Perry
Intrepid
Undecided
Unassigned
Jaunty
High
Unassigned
ca-certificates (Ubuntu)
Medium
Unassigned
Nominated for Karmic by Alexandre Maciel
Nominated for Lucid by Neil Perry
Intrepid
Undecided
Unassigned
Jaunty
Medium
Unassigned

Bug Description

Tested 6.2.7-1 on a clean intrepid alpha, updated via apt-get yesterday.

Wordcommunitygrid Message "Peer certificate cannot be authenticated with known CA certificates."
http://boinc.berkeley.edu/trac/wiki/Error/Scheduler%20request%20failed
After replacing the symbolic link in /var/lib/boinc-client/ with the file ca-bundle.crt from the latest Berkeley Build 6.2.11 it works.

WORKAROUNDS:
There are two workarounds.
1. Install updated ca-certificates package, e.g. from blueyed's PPA:
  https://launchpad.net/~blueyed/+archive?field.name_filter=ca-certificates

2. or install the upstream ca-bundle.crt file for BOINC:
  1. cd /var/lib/boinc-client
  2. sudo mv ca-bundle.crt{,.bak}
  3. sudo wget http://boinc.berkeley.edu/trac/export/16195/trunk/boinc/curl/ca-bundle.crt -O ca-bundle.crt.upstream
  4. sudo cp -a ca-bundle.crt{.upstream,}

Christian Rüger (grid)
description: updated
Revision history for this message
Frank S. Thomas (fst) wrote : Re: [Bug 246205] [NEW] no authentification with CA certificates

On Monday 07 July 2008 12:10, Christian Rüger wrote:
> The size of the Boinc manager window is not stored after closing. I
> guess there was a ticket on Berkeley trac, 6.2.12 should work.

Do you know the ticket number?

> Wordcommunitygrid Message "Peer certificate cannot be authenticated with
> known CA certificates."

Which version of the ca-certificate package do you have installed?

Cheers,
Frank

Revision history for this message
Christian Rüger (grid) wrote : Re: no authentification with CA certificates

> Do you know the ticket number?
Sorry. I did not find a ticket, it was reported in one of the Berkeley Boinc mailing lists.

I did not install an extra package, only boinc-client and boinc-manager. The symlink to a file in /etc is set by the apt installer.
Remember, the file ca-bundle.crt from the Berkeley .sh (http://boinc.berkeley.edu/dl/ ) is old, many keys expire in the year 2008.

Revision history for this message
Shirish Agarwal (shirishag75) wrote :

Hi all,
 I'm also having the same issue. I did a clean install of boinc 6.2.12-1 and still get the same issue at WCG (World Community Grid)

Looking forward to a correction.

Revision history for this message
Gunni (fgunni) wrote :

Had the same problem. I removed the symlink and copied the ca-bundle.crt from my hardy install and now it works.

Revision history for this message
Shirish Agarwal (shirishag75) wrote :

I hope this gets fixed in the next release.

Changed in boinc:
status: New → Confirmed
Revision history for this message
Shirish Agarwal (shirishag75) wrote :

Guys it would be actually nice if somebody makes an update and fixes it (preferably b4 alpha 6) so if somebody does it would be cool.

Revision history for this message
Shirish Agarwal (shirishag75) wrote :

one can find an outdated file at

 http://boinc.berkeley.edu/trac/browser/trunk/boinc/curl/

It would be nice if somebody can fix that link as well.

I also put up the same bug-report at

http://boinc.berkeley.edu/dev/forum_thread.php?id=3114

but haven't got any answer till date :(

Revision history for this message
Shirish Agarwal (shirishag75) wrote :

I asked somebody named MTughan on #boinc on freenode and got his ca-bundle.crt

His ca-bundle.crt got an md5sum of 8648ec353cd43cf250ad89fa2504db9a

while the one which is mine is c2b20ecae79f4c6d2e12c2a0a216c4c8

His ca-bundle.crt is from a mac machine.

I have moved the ca-bundle.crt to /var/lib/boinc-client/ca-bundle.crt with the real file while the old one which is a symlink is kept as ca-bundle.crt which links to /etc/ssl/certs/ca-certificates.crt

Revision history for this message
Joseph (joenmtl) wrote :

I got the same problem attaching to a WorldCommunityGrid project. In order to get around the certificate error, I had to manually drop a downloaded ca-bundle.crt file into /var/lib/boinc-client from this site:
  http://boinc.berkeley.edu/trac/browser/trunk/boinc/curl/ca-bundle.crt?format=raw

A quick diff shows that the new certificate has these new ones (First line after BEGIN and truncated to 60 characters):
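
Added example, not part of the original comments: the two comparisons described above (a whole-file md5sum, and a diff of the first line after BEGIN) can be done per certificate, which also ignores ordering and whitespace. The function names, the label heuristic and the sample bundles are assumptions made here; the sample "certificates" are constructed placeholder bytes, not real CA certificates.

```python
"""Compare two PEM CA bundles certificate by certificate (added example)."""
import base64
import binascii
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_bundle(text):
    """Return {sha256-of-decoded-block: label} for every block in a PEM bundle.

    The label is the last free-text line seen before the BEGIN marker (some
    bundles put the CA name there). This is a heuristic and the label is
    empty for a plain concatenation of PEM blocks.
    """
    certs = {}
    label = ""
    body = None  # list of base64 lines while inside a block, else None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if body is not None:
                raise ValueError(f"line {lineno}: nested BEGIN marker")
            body = []
        elif line == END:
            if body is None:
                raise ValueError(f"line {lineno}: END without BEGIN")
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise ValueError(f"line {lineno}: bad base64: {exc}") from None
            certs[hashlib.sha256(der).hexdigest()] = label
            body, label = None, ""
        elif body is not None:
            body.append(line)
        elif line and set(line) != {"="}:  # skip "=====" underlines
            label = line
    if body is not None:
        raise ValueError("bundle ends inside a certificate block")
    return certs


def diff_bundles(old_text, new_text):
    """Return (added, removed) as sorted lists of (label, fingerprint)."""
    old, new = parse_bundle(old_text), parse_bundle(new_text)
    added = sorted((new[f], f) for f in new.keys() - old.keys())
    removed = sorted((old[f], f) for f in old.keys() - new.keys())
    return added, removed


def constructed_pem(label, payload):
    """Constructed stand-in for a certificate: arbitrary bytes, not real DER."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([label, "=" * len(label), BEGIN, *lines, END, ""])


# Constructed sample bundles. NEW_BUNDLE reorders the two old entries and adds
# one, so a whole-file checksum differs although only one trust anchor is new.
OLD_BUNDLE = (constructed_pem("Example Root A", b"A" * 90)
              + constructed_pem("Example Root B", b"B" * 90))
NEW_BUNDLE = (constructed_pem("Example Root B", b"B" * 90)
              + constructed_pem("Example Root A", b"A" * 90)
              + constructed_pem("Example Root C", b"C" * 90))

if __name__ == "__main__":
    added, removed = diff_bundles(OLD_BUNDLE, NEW_BUNDLE)
    for sign, entries in (("+", added), ("-", removed)):
        for label, fingerprint in entries:
            print(sign, fingerprint[:16], label or "(no label)")
```

To compare real files, read both bundles (for example the system bundle and a downloaded one) into strings and pass them to `diff_bundles` before installing the new file.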
Revision history for this message
Shirish Agarwal (shirishag75) wrote :

Here's the one which I have with the md5sum :-

 ll /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 216373 2008-06-03 19:26 /etc/ssl/certs/ca-certificates.crt

 ll /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 216373 2008-06-03 19:26 /etc/ssl/certs/ca-certificates.crt

This one was modified or done on 2008-06-03

Revision history for this message
Shirish Agarwal (shirishag75) wrote :

Sorry the next should have been

shirish@Mugglewille:~$ md5sum /etc/ssl/certs/ca-certificates.crt
c2b20ecae79f4c6d2e12c2a0a216c4c8 /etc/ssl/certs/ca-certificates.crt

Revision history for this message
Daniel Hahler (blueyed) wrote :

I can confirm this now, too.
Using boinc 6.2.12-1 and ca-certificates 20080514-0ubuntu1 on Ubuntu Intrepid.

I've done "dpkg-reconfigure ca-certificates", but all certs were enabled already and it made no difference after restarting boinc-client.

It looks like WCG has a new certificate, from a new issuer ("Entrust.net Secure Server CA"), which is included in the upstream boinc package, but not in ca-certificates.

I've extracted the "Entrust.net Secure Server CA" from BOINC's cert bundle, pasted it into "/usr/share/ca-certificates/entrust.crt" and then activated it from "dpkg-reconfigure ca-certificates".
Now, the data could be uploaded to WCG successfully again.

Changed in boinc:
importance: Undecided → High
status: Confirmed → Triaged
Revision history for this message
Daniel Hahler (blueyed) wrote : Re: "Entrust.net Secure Server CA" certificate missing for WCG

Sorry for misinformation above:
/usr/share/ca-certificates/mozilla/Entrust.net_Secure_Server_CA.crt is present in Ubuntu (Hardy and Intrepid)

I've tried debugging this by removing certificates from /etc/ssl/certs/ca-certificates.crt and it worked. So somehow I've thought it may be related to the size of the combined cert bundle, but OTOH I could make it work yesterday by adding another one to the chain.

So, I would say it's some odd behavior in libcurl..?! At least that's where the CURLE_SSL_CACERT ("Peer certificate cannot be authenticated with known CA certificates") error comes from.

For reference, Intrepid has libcurl3 version 7.18.2-1ubuntu3 and it fails with BOINC 6.2.14, which I've just built in pbuilder, too.

Daniel Hahler (blueyed)
description: updated
Revision history for this message
Shirish Agarwal (shirishag75) wrote :

Hi all,
      the workaround works at least for me.

shirish@Mugglewille-desktop:/var/lib/boinc-client$ ll
total 2284
-rw-r--r-- 1 boinc boinc 2051 2008-10-17 09:30 account_www.worldcommunitygrid.org.xml
-rw-r--r-- 1 boinc boinc 18154 2008-10-14 00:47 all_projects_list.xml
-rw-r--r-- 1 root root 238049 2007-01-16 03:09 ca-bundle.crt
lrwxrwxrwx 1 root root 34 2008-10-14 00:47 ca-bundle.crt.bak -> /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 238049 2007-01-16 03:09 ca-bundle.crt.upstream
lrwxrwxrwx 1 root root 31 2008-10-17 09:27 cc_config.xml -> /etc/boinc-client/cc_config.xml
-rw-r--r-- 1 boinc boinc 42360 2008-10-17 09:48 client_state_prev.xml
-rw-r--r-- 1 boinc boinc 42385 2008-10-17 09:51 client_state.xml
-rw-r--r-- 1 boinc boinc 8281 2008-10-14 00:53 get_current_version.xml
-rw-r--r-- 1 boinc boinc 580 2008-10-14 00:48 get_project_config.xml
lrwxrwxrwx 1 root root 43 2008-10-17 09:27 global_prefs_override.xml -> /etc/boinc-client/global_prefs_override.xml
-rw-r--r-- 1 boinc boinc 1268 2008-10-17 09:30 global_prefs.xml
lrwxrwxrwx 1 root root 34 2008-10-17 09:27 gui_rpc_auth.cfg -> /etc/boinc-client/gui_rpc_auth.cfg
-rw-r--r-- 1 boinc boinc 0 2008-10-17 09:27 lockfile
-rw-r--r-- 1 boinc boinc 142 2008-10-14 00:53 lookup_account.xml
-rw-r--r-- 1 boinc boinc 7133 2008-10-17 09:29 lookup_website.html
-rw-r--r-- 1 boinc boinc 33719 2008-10-14 00:53 master_www.worldcommunitygrid.org.xml
drwxrwx--x 3 boinc boinc 4096 2008-10-14 00:53 projects
lrwxrwxrwx 1 root root 34 2008-10-17 09:27 remote_hosts.cfg -> /etc/boinc-client/remote_hosts.cfg
-rw-r--r-- 1 boinc boinc 27540 2008-10-17 09:37 sched_reply_www.worldcommunitygrid.org.xml
-rw-r--r-- 1 boinc boinc 5724 2008-10-17 09:37 sched_request_www.worldcommunitygrid.org.xml
drwxrwx--x 3 boinc boinc 4096 2008-10-17 09:48 slots
-rw-r--r-- 1 boinc boinc 423 2008-10-17 09:37 statistics_www.worldcommunitygrid.org.xml
-rw-r--r-- 1 boinc boinc 0 2008-10-14 00:47 stderrdae.txt
-rw-r--r-- 1 boinc boinc 21272 2008-10-17 09:48 stdoutdae.txt
-rw-r--r-- 1 boinc boinc 1579904 2008-10-17 09:48 temp.xml
-rw-r--r-- 1 boinc boinc 437 2008-10-17 09:47 time_stats_log

There is a bug though with that workaround, what it does is blocks your network usage with some time restriction. It happened with me.

Revision history for this message
Shirish Agarwal (shirishag75) wrote :

I meant in boinc itself , network usage to chat to the project. Although that is easily changed.

Revision history for this message
Rafael Belmonte (eaglescreen) wrote :

I am experiencing this bug with ca-certificates 20080514-0ubuntu1.
Installing ca-certificates 20080809 from Debian unstable fixes the bug for me.

Revision history for this message
Daniel Hahler (blueyed) wrote :

I can confirm that ca-certificates 20080809 from Debian fixes this (whatever the reason might be).
I've filed a sync request at bug 290485.

Changed in ca-certificates:
status: New → Triaged
Revision history for this message
dino99 (9d9) wrote :

Upgrading from hardy 32bits to intrepid 32bits results in wcg (boinc project) trouble: it can't upload and download work.
After some research, i have done this:
- cd /var/lib/boinc-client ( do a locate ca-bundle if this address is not yours )
- sudo wget http://boinc.berkeley.edu/trac/browser/trunk/boinc/curl/ca-bundle.crt?format=raw
- sudo cp -a ca-bundle.crt{?format=raw,}
- reboot
- sudo dpkg -S /var/lib/boinc-client/ca-bundle.crt

then i open boinc manager and can upload every waiting work and download new one

hope this can help

Daniel Hahler (blueyed)
description: updated
Revision history for this message
Shirish Agarwal (shirishag75) wrote :

dino99 a slightly more precise way of doing the same thing.

- cd /var/lib/boinc-client ( do a locate ca-bundle.crt if this address is not yours )
- sudo mv ca-bundle.crt ca-bundle.crt.old (or original or whatever)
- sudo wget http://boinc.berkeley.edu/trac/browser/trunk/boinc/curl/ca-bundle.crt?format=raw
- sudo mv ca-bundle.crt{?format=raw,} ca-bundle.crt
- sudo cp -a ca-bundle.crt
- reboot
- sudo dpkg -S /var/lib/boinc-client/ca-bundle.crt

what do you think of this?

Revision history for this message
Rhubarb (cam-daw) wrote :

Shirish, that doesn't quite work for me. A few commands there are invalid and don't work.
But, the good news is that I did get it working this way:

cd /var/lib/boinc-client/
sudo mv ca-bundle.crt ca-bundle.crt.old
sudo wget http://boinc.berkeley.edu/trac/browser/trunk/boinc/curl/ca-bundle.crt?format=raw
sudo mv ca-bundle.crt?format=raw ca-bundle.crt

Then reboot, you may need to detach from wcg in the boinc manager, then (re)attach to WCG.

Revision history for this message
Shirish Agarwal (shirishag75) wrote : Re: [Bug 246205] Re: Wordcommunitygrid Message "Peer certificate cannot be authenticated with known CA certificates."

I'm glad the workaround works for you :)

I actually don't know what

- sudo cp -a ca-bundle.crt does , it was copied as somebody said something.

For me the above instructions were all I needed.
--
          Regards,
          Shirish Agarwal
  This email is licensed under http://creativecommons.org/licenses/by-nc/3.0/

http://flossexperiences.wordpress.com

065C 6D79 A68C E7EA 52B3 8D70 950D 53FB 729A 8B17

Revision history for this message
p3car (peter-carlsson50) wrote :

Rhubarb,

you probably don't need to reboot.
I stopped the boinc-client,

 sudo /etc/init.d/boinc-client stop

before copying the ca-bundle file, and then i restarted boinc-client

sudo /etc/init.d/boinc-client start

The client then immediately contacted the world community grid project and downloaded a new task.

/Peter

Revision history for this message
chris_debian (cjhandrew) wrote :

I can confirm that the following worked on a dual processor amd64:

sudo /etc/init.d/boinc-client stop

cd /var/lib/boinc-client/
sudo mv ca-bundle.crt ca-bundle.crt.old
sudo wget http://boinc.berkeley.edu/trac/browser/trunk/boinc/curl/ca-bundle.crt?format=raw
sudo mv ca-bundle.crt?format=raw ca-bundle.crt

sudo /etc/init.d/boinc-client start

Thanks for the workarounds, everyone.

Cheers,

Chris.

Revision history for this message
thekip (thekip) wrote :

I've the exact same problem, the workaround above

[code]
cd /var/lib/boinc-client/
sudo mv ca-bundle.crt ca-bundle.crt.bak
sudo wget http://boinc.berkeley.edu/trac/export/16195/trunk/boinc/curl/ca-bundle.crt -O ca-bundle.crt
[/code]

worked for me :). Thanks for that one.

Besides, why is there a pre release of boinc-manager in the repositories?

Revision history for this message
toeside (toesidecarve) wrote :

Same issue on a fresh install of 8.10 64-bit. Rhubarb's solution worked for me, although I just did a File | Exit from the BOINC Manager, ran the commands, then restarted BOINC Manager. No reboot required.

I have the same question as thekip, the Synaptic Package Manager installs 6.2.12 which is a development version. A production release, 6.2.15, is available on the BOINC site, it would seem that version should be the one coming down in the package manager.

Revision history for this message
Shirish Agarwal (shirishag75) wrote :

Hi Toeside,
Ubuntu doesn't package boinc. It syncs with the good work done by
Debian. The last time we synced was in July something for 6.2.12 . Now
Debian has got 6.2.14 in unstable (where some changes have been
cherry-picked from 6.2.16 version) and 6.2.18 in experimental (but
which requires updates to wxwidgets from 2.6 to wxwidgets 2.8) . So
most probably the thing which will happen is in the next sync cycle
(of Jaunty) we should get automatically synced and then most probably
we could ask for a backport. Although AFAIK wxwidgets is one which
usually has some problem or the other. One of the other things to find
out would be perhaps how many other applications use the wxwidgets
library, which I have no idea about (or even idea how to go about
knowing about that in the first place) . But if both these things are
known then some progress can be made.

--
          Regards,
          Shirish Agarwal
  This email is licensed under http://creativecommons.org/licenses/by-nc/3.0/

http://flossexperiences.wordpress.com

065C 6D79 A68C E7EA 52B3 8D70 950D 53FB 729A 8B17

Revision history for this message
Christopher Berner (cberner) wrote :

same issue for me in Intrepid, but the solution posted by chris_andrew fixed it for me.

Revision history for this message
Shirish Agarwal (shirishag75) wrote :

Hi all,
 The fix is now in Jaunty and have given a request to backport to
Intrepid as well.

https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/294255

so if it is seen by the developers and successfully backported it
would be cool. So now we have just to wait and watch. Those who want,
can and should subscribe to that bug and also click on that this bug
affects me too (on the top) . The rest is up to the ubuntu-backports
team whom I have not asked as of yet.
--
          Regards,
          Shirish Agarwal
  This email is licensed under http://creativecommons.org/licenses/by-nc/3.0/
http://flossexperiences.wordpress.com
065C 6D79 A68C E7EA 52B3 8D70 950D 53FB 729A 8B17

Daniel Hahler (blueyed)
Changed in ca-certificates:
importance: Undecided → Medium
Revision history for this message
Márcio Vinícius (marcioviniciusmp) wrote :

It has TWO workarounds, why the hell it still isn't fixed in repositories?
(Sorry, i'm not developer or programmer. I have no idea of how much work it calls on)

Revision history for this message
Daniel Hahler (blueyed) wrote :

Subscribing ubuntu-sru and proposing to get ca-certificates 20080809 into Intrepid.
I cannot say why, but it fixes the authentication problems with boinc.

If this does not get accepted, I'll propose to get a boinc package into intrepid-updates, which ships the upstream ca-bundle.crt file.

Revision history for this message
Daniel Hahler (blueyed) wrote :

Setting status on ca-certificates back to New for SRU process.

Changed in ca-certificates:
status: Triaged → New
Revision history for this message
Martin Pitt (pitti) wrote :

http://launchpadlibrarian.net/19404912/ca-certificates_20080514-0ubuntu1_20080809.diff.gz has a lot of packaging and structural changes which are inadequate for an SRU.

Updating boinc to include the bundle would be bearable, but maybe you can just update the new ca-bundle in ca-certificates itself, without the other packaging changes?

Revision history for this message
Daniel Hahler (blueyed) wrote :

Martin, I cannot say why the new ca-certificates package fixes this bug; I've just looked at the source package changes of ca-certificates-20080514-0ubuntu1 and ca-certificates-20080809.

AFAIK, ca-bundle.crt ("the bundle") gets generated by the package (on installation).. so I don't know how to only update the new ca-bundle in ca-certificates itself..

So, from your point it appears to be more feasible to update the boinc package and ship the upstream certificate bundle in it, yes?

Revision history for this message
James Westby (james-w) wrote :

Hi,

Daniel, could you please test which of the two real changes in Debian
have fixed this.

The first was the addition of the French Government's certificates. These
are at

cert_igca_rsa.crt
cert_igca_dsa.crt

if you remove them with the updated package installed does it still work?

The second is the addition of

cacert.org.crt

if you remove that does it still work?

Thanks,

James

Revision history for this message
Daniel Hahler (blueyed) wrote :

James,
deactivating
  cert_igca_rsa.crt and
  cert_igca_dsa.crt
in ca-certificates 20080809 (using "dpkg-reconfigure ca-certificates") causes this failure (for me).

I need to disable both of them, only disabling them alone still works.

Revision history for this message
James Westby (james-w) wrote :

Hi,

Thanks for testing Daniel, could you please try preparing an SRU just adding those
two files and the necessary plumbing to install them?

Thanks,

James

Revision history for this message
Daniel Hahler (blueyed) wrote :

I've done that.
Please see the attached debdiff, which would need sponsoring anyway.

I've merged the change in debian/config for CERTS_LIST, but it appears to get generated from debian/config.in anyway. (Looks like debian/config should get removed in the "clean" target?!)

I've verified that this patch fixes this bug, by installing the built package. After that, I've reinstalled the version from Intrepid and it failed again. Re-installing this package then fixed it again.

Revision history for this message
Daniel Hahler (blueyed) wrote :

The strange thing however is that there was no problem in Hardy, which was missing those certs, too.
So, I still cannot say what the exact problem is, but I can confirm that adding those certs fixes it.
Maybe it depends on the boinc version being used?
However, I propose fixing it by adding those certificates for Intrepid.

Revision history for this message
Martin Pitt (pitti) wrote :

Why did the CERTS_LIST get totally reordered in the patch? Otherwise it looks okay to me. However, please provide references in the changelog where these certificates come from.

Also, for this kind of fix it is really important to get it fixed upstream/in Debian ASAP, too, to make sure that everyone is using the same certificates and develops/tests their other packages accordingly. Can you please submit relevant upstream bugs and link them here? Thanks!

Changed in boinc:
status: Triaged → Invalid
status: New → Invalid
Revision history for this message
Daniel Hahler (blueyed) wrote :

Fixed in Jaunty, which has version 20080809 already.

Changed in ca-certificates:
status: New → Fix Released
Revision history for this message
Daniel Hahler (blueyed) wrote :

Martin, CERTS_LIST in debian/config appears to get autogenerated during build (using "find . -type f -name '*.crt' -print"; see my comment above regarding the "clean" target).
Also, there is a reference in the changelog: the certs come from the version in Debian/Jaunty.
Therefore it should be fixed in Debian already. lenny/testing has 20080809 (where those certs are taken from).

Revision history for this message
Martin Pitt (pitti) wrote :

Accepted into intrepid-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in ca-certificates:
status: New → Fix Committed
Revision history for this message
Daniel Hahler (blueyed) wrote :

I confirm that the updated package from intrepid-proposed fixed it for me.

Whoever is experiencing this problem, please test the update from intrepid-proposed and provide feedback here.

Revision history for this message
Bruce Cowan (bruce89-deactivatedaccount) wrote :

The package from -proposed fixes the problem for me.

Revision history for this message
shanen (Shannon Jacobs) (shanen) wrote :

Mostly just noting that I ran into this too, and think it should have a high priority for repair. Many, or perhaps most people will never even notice that it's hung up.

I also wish someone would modify the misleading directions. Being too enthusiastic, I used the version that said to detach from the project, and it appears that the detach step wasn't needed--though it did throw away some finished work.

I'm still not certain it is fully working until it gets through a couple of complete cycles--and is not broken when the actual patch comes down. Speaking from the IBM food chain, I think IBM is really sincere about supporting Linux, but this is the kind of thing that helps nudge against Ubuntu.

Revision history for this message
Shirish Agarwal (shirishag75) wrote :

Confirm that the ca-certificates also works for me from intrepid-proposed as well.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20080514-0ubuntu1.1

---------------
ca-certificates (20080514-0ubuntu1.1) intrepid-proposed; urgency=low

  * Include gouv.fr certificates from version 20080809 to fix authentication
    problems with BOINC (LP: #246205)
    - debian/config
    - gouv.fr/cert_igca_dsa.crt, gouv.fr/cert_igca_rsa.crt, gouv.fr/Makefile
    - Makefile

 -- Daniel Hahler <email address hidden> Wed, 19 Nov 2008 01:02:49 +0100

Changed in ca-certificates:
status: Fix Committed → Fix Released
Revision history for this message
Sven Sternberger (sven-sternberger) wrote :

I have fresh installed karmic 64bit, and boinc 6.4.5
The problem is exactly the same.

The workaround as described above worked.
I replaced the symlink of ca-bundle.crt with
a copy from the website.

Now it works!

Revision history for this message
gsoundsgood (gsoundsgood) wrote :

same here on karmic...I have tried workaround 2, and it works.

Revision history for this message
Pete Stephenson (heypete) wrote :

Confirm bug on Karmic x64 and BOINC 6.4.5.

Have not done any sort of workaround; will wait for ca-certificates to be updated.

Revision history for this message
Alexandre Maciel (amaciel81) wrote :

Hi,

This bug is back in my Karmic 32 bits too.

Workarounds worked for me too.

Best regards,
Alexandre

Revision history for this message
Jay (cowb0y) wrote :

After upgrading from Kubuntu i386 8.04 directly to 9.10, this bug affects me. 2nd workaround works.

Revision history for this message
TLE (k-nielsen81) wrote :

I am also affected by this bug on Karmic. Is someone working on fixing it for Karmic?

Regards Kenneth

Revision history for this message
nmsalgueiro (nmsalgueiro) wrote :

Using Karmic 64bit here: I applied solution #1 above (the file from #2 was unavailable) and it worked. It's a bit strange this bug is still around 1.5 years later, though.

Regards,
Nuno

Revision history for this message
TLE (k-nielsen81) wrote :

Hear hear

Revision history for this message
Daniel Hahler (blueyed) wrote :

I cannot confirm this bug in Lucid - but even when I move the /var/lib/boinc-client/ca-bundle.crt link away, it can still connect to WCG ?!

@Neil: you've nominated it for Lucid: are you experiencing it there?

I'll look into fixing this (again).
It's likely that something in ca-certificates broke it again and therefore it's important to know if others experience this bug in Lucid.

The proper fix might be to not ship/install a symlink in the boinc package, but rather keep the certificates file provided by upstream.

(btw: noise in bugs makes them harder to fix)

Revision history for this message
Daniel Hahler (blueyed) wrote :

Ok, the reason why it works with ca-bundle.crt removed is that boinc/curl uses /etc/ssl/certs/ca-certificates.crt then by default.

You can test whether you have the required cert installed using the following command (in a shell):
  curl -s -I https://secure.worldcommunitygrid.org/ > /dev/null ; echo $?
It should say "0".

The required certs appear to be:
mozilla/Entrust.net_Secure_Server_CA.crt
mozilla/Entrust_Root_Certification_Authority.crt

Please check with "sudo dpkg-reconfigure ca-certificates" if you have those enabled.

Also, make sure that you have no stale /var/lib/boinc-client/ca-bundle.crt file lying around (it should be a symlink - or you could remove it). You could check this using:
  curl -s --capath /var/lib/boinc-client/ --cacert ca-bundle.crt -I https://secure.worldcommunitygrid.org/ > /dev/null ; echo $?

Please provide feedback here, if you are experiencing the problem currently, and include your distribution, if you had/have the certs installed (now) and how the "curl" commands mentioned above fail.

Changed in ca-certificates (Ubuntu):
status: Fix Released → Fix Committed
Steve Langasek (vorlon)
Changed in ca-certificates (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Jordan Hall (jordan-hall) wrote :

I had the same problem with 64-bit Ubuntu 10.04.

Resolved by downloading the CA bundle from the following URL.

http://boinc.berkeley.edu/trac/browser/trunk/boinc/curl/ca-bundle.crt?format=raw

Related information: http://boinc.berkeley.edu/trac/wiki/Error/Scheduler%20request%20failed

Would it be best to repackage the existing BOINC package with this CA Bundle?

Changed in boinc (Debian):
status: Unknown → Incomplete
Changed in boinc (Debian):
status: Incomplete → Fix Released