HTTPS error: "Peer certificate cannot be authenticated with given CA certificates"

StefanR5R

Elite Member
Dec 10, 2016
5,459
7,718
136
Since May 30, some older(?) BOINC installations are no longer able to access several projects with HTTPS URLs — e.g. LHC@home, NumberFields@home, Rosetta@home. The reason is the expiry of the "AddTrust External CA Root" certificate.

Some hints on how to fix this are given in post 98900 by walli in thread "Peer certificate cannot be authenticated with given CA certificates" at the BOINC forum. The precise steps to implement the fix differ between operating systems. The BOINC forum thread generally does not have recipes which you could apply right away. You need to find where on your system the "AddTrust External CA Root" certificate is stored, and probably delete it. (Or perhaps replace it with one of the two newer root certificates; but just deleting the expired certificate should be the right thing to do in many cases.)

Edit,
several reports of what people tried in vain, and a few reports of what people tried successfully can be found in the thread "Peer certificate cannot be authenticated with given CA certificates" of the Rosetta@home message board.

Edit 2,
"reports what people tried" -> "reports of what people tried" — better? :-)
 

Assimilator1

Elite Member
Nov 4, 1999
24,120
507
126
'That people tried' ;).

I'm going to try deleting it, got this problem with Rosetta & LHC. Running out of WUs now!

[update] Deleting the cert worked for me :) (Win 10).
 

VirtualLarry

No Lifer
Aug 25, 2001
56,229
9,990
126
Does WCG, or the newest version of BOINC have this problem? I just installed the newest version of BOINC, and already had WCG "subscribed", so I did "allow tasks", after going to WCG web site, selecting COVID-19 project, and doing "Update project" in the client.
 

StefanR5R

WCG is not affected.

So far the known affected projects are LHC@home, NumberFields@home, and Rosetta@home via its new https://boinc.bakerlab.org/rosetta/ URL. Any BOINC scheduler request fails if your client or host has got the expired certificate. Depending on projects, file transfers may fail too.

Edit, according to the Rosetta@home message board, Rosetta is no longer affected. Users assume that site admins replaced the server certificate.

Edit 2, *if* you experience any request failures or transfer failures in BOINC, you can add
<cc_config>
  <log_flags>
    <http_debug>1</http_debug>
  </log_flags>
</cc_config>
in cc_config.xml, reload the config, and then see in the log whether or not the reason for the failures is due to an expired certificate.

On Windows, the SSL certificates are part of the BOINC installation. There is no update for BOINC available yet which has a fix.

On Linux, BOINC uses SSL certificates of the Linux distribution. It depends on the distribution whether or not BOINC has got this problem.

I don't know which of these two ways is implemented on Android. Whichever it is, a manual local fix is reportedly only possible on "rooted" phones.

I also don't know how this works on Mac OS X. I saw one Mac user posting that his host is alright. This indicates that BOINC uses system certificates on Mac, and that relevant OS X releases have proper certificates.

Edit 3, there is a new BOINC release for Windows x86-64, version 7.16.7 from May 28, made available for download on May 31. Release notes have not been updated yet, therefore I don't know whether this release has a fixed certificate file.
 


Markfw

Moderator Emeritus, Elite Member
May 16, 2002
25,483
14,434
136
Silly question, how do I know I have this problem or not? It looks like all my machines are running.
 

StefanR5R

Markfw said:
how do I know I have this problem or not ? It looks like all my machines are running.

Only two projects remain at which this problem is known to exist: LHC@home and NumberFields@home. Perhaps other projects are affected too, but it can only be ones which use HTTPS and have only few users (and therefore we haven't heard any problem reports yet).

If you don't care about these ones, you can ignore this issue.

But if you care, or just don't want this problem to linger around on your hosts:
  • Your Windows hosts are affected if you have a BOINC version older than v7.16.7, which was just released two days ago.
  • Your Linux hosts are affected if they are unable to perform a project update to LHC@home or NumberFields@home. Only a few older (but among them, still actively maintained) Linux distributions are affected.
  • From what I remember, you don't have Android hosts or Macs.

----------------

The NumberFields admin issued a news item:
On May 31 Eric Driver said:
Expired SSL certificates in BOINC Client -- User Action Required

This was discussed in another thread, and it just occurred to me I should post a news item with more explicit instructions.

The issue is that the BOINC client comes bundled with SSL certificates and these expired earlier today. Here are the basic steps to fix the problem. (Note: this works on linux and I see no reason why it shouldn't work on Windows too.)
1. Download the new "ca-bundle.crt" file from here:
https://1drv.ms/u/s!AsVDg7OAm7-whqEqBXKHuOie0UoBKA?e=VHwBAP
2. Replace the old ca-bundle.crt file with the new one (it should be in your BOINC root directory).

Instead of this ca-bundle.crt file which was provided early by a user, take this one from the official BOINC source repository, commit 6e6c05f3e2d7:
https://raw.githubusercontent.com/B...5c911f9af59667270aaf6af6fe/curl/ca-bundle.crt
 
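Added example, not part of the thread and not BOINC code: a standard-library Python script that lists the expired certificates in a PEM bundle such as the ca-bundle.crt discussed above, so you can check a bundle before and after replacing it. The minimal DER walker and all function names are this example's own; pass the bundle's path as the only argument.

```python
import base64, re, sys
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
CN_OID = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3), DER-encoded

def tlvs(buf):  # yield (tag, value) for each DER element in buf
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits = number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def parse_time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:  # UTCTime has a two-digit year; RFC 5280 maps 50-99 to 19xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def subject_name(name):
    last = ""
    for _, rdn in tlvs(name):          # each RDN is a SET ...
        for _, atv in tlvs(rdn):       # ... of SEQUENCE { type OID, value }
            (_, oid), (_, val) = list(tlvs(atv))[:2]
            last = val.decode("utf-8", "replace")
            if oid == CN_OID:
                return last
    return last  # no CN present: fall back to the last attribute (often OU)

def cert_info(der):
    _, cert = next(tlvs(der))          # Certificate SEQUENCE
    _, tbs = next(tlvs(cert))          # tbsCertificate SEQUENCE
    fields = list(tlvs(tbs))
    if fields[0][0] == 0xA0:           # optional explicit [0] version
        fields = fields[1:]
    # remaining order: serial, signature alg, issuer, validity, subject, ...
    not_after = parse_time(*list(tlvs(fields[3][1]))[1])
    return subject_name(fields[4][1]), not_after

def expired_in_bundle(pem_text, now=None):
    now = now or datetime.now(timezone.utc)
    certs = (cert_info(base64.b64decode(b)) for b in PEM_RE.findall(pem_text))
    return [(name, t) for name, t in certs if t < now]

if __name__ == "__main__":  # usage: python3 <this file> /path/to/ca-bundle.crt
    for name, when in expired_in_bundle(open(sys.argv[1], errors="replace").read()):
        print(f"EXPIRED {when:%Y-%m-%d}  {name}")
```

An empty result means no certificate in the bundle has passed its notAfter date; signatures and chains are not checked.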