The BOINC client does not use the correct certificates.

BOINC has been running on my setup for four weeks, but now World Community Grid uploads fail because that project must validate uploads by certificates. My post is the second at https://secure.worldcommunitygrid.org/forums/wcg/viewpostinthread?post=477923

I have not dug into it further than that yet.

This system was updated from mga4, where boinc was installed but not running due to other bugs. I do not remember seeing this problem before, despite having run WCG projects on mandriva...mageia3 for years (except for a pause during the last half year).

More info and links to discussions and fixes on other distros: http://www.worldcommunitygrid.org/forums/wcg/viewthread?thread=15682
Other FAQ: https://secure.worldcommunitygrid.org/forums/wcg/viewthread_thread,21501

Reproducible:

Steps to Reproduce:
Adding Chris and David, who were last working on it, I think. The same source was used for mga4 (?), so MGA4TOO is probably needed. As I write this, 7.2.42 is the latest stable release for Linux, but it is from February, so I suggest checking again when this bug is worked on, to get the newest.
CC: (none) => dirteat, luigiwalser
Whiteboard: (none) => MGA4TOO
BOINC seems to use, by default, the system's /etc/pki/tls/certs/ca-bundle.crt from the Mageia rootcerts package, currently of version: 1:20141117.00-1.mga5

So I guess we either need to update or make changes to it, or install another file specifically for BOINC. So maybe this is a bug for the rootcerts package? Some related info and a question on the rootcerts bug: https://bugs.mageia.org/show_bug.cgi?id=11398#c3

There is no ca-bundle.crt in the BOINC data directory, but if I place a file with that name there (by default data = /var/lib/boinc/), it tries to use it. However, the links to ca-bundle.crt in the links I gave are not working anymore. So, any idea of where to get a suitable one, or should we change the rootcerts package?

Excerpt of log (it tries two simultaneous connections, therefore some lines appear twice):

sön 7 dec 2014 12:23:05 | World Community Grid | [http] [ID#11] Info: Hostname was found in DNS cache
sön 7 dec 2014 12:23:05 | World Community Grid | [http] [ID#11] Info: Trying 198.20.8.241...
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#10] Info: Connected to grid.worldcommunitygrid.org (198.20.8.241) port 443 (#11)
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#10] Info: successfully set certificate verify locations:
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#10] Info: CAfile: /etc/pki/tls/certs/ca-bundle.crt
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#10] Info: CApath: none
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#10] Info: SSLv3, TLS handshake, Client hello (1):
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#11] Info: Connected to grid.worldcommunitygrid.org (198.20.8.241) port 443 (#12)
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#11] Info: successfully set certificate verify locations:
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#11] Info: CAfile: /etc/pki/tls/certs/ca-bundle.crt
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#11] Info: CApath: none
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#11] Info: SSLv3, TLS handshake, Client hello (1):
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#10] Info: SSLv3, TLS handshake, Server hello (2):
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#10] Info: SSLv3, TLS handshake, CERT (11):
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#10] Info: SSLv3, TLS alert, Server hello (2):
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#10] Info: SSL certificate problem: self signed certificate in certificate chain
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#10] Info: Closing connection 11
sön 7 dec 2014 12:23:06 | World Community Grid | [http] HTTP error: Peer certificate cannot be authenticated with given CA certificates
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#11] Info: SSLv3, TLS handshake, Server hello (2):
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#11] Info: SSLv3, TLS handshake, CERT (11):
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#11] Info: SSLv3, TLS alert, Server hello (2):
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#11] Info: SSL certificate problem: self signed certificate in certificate chain
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#11] Info: Closing connection 12
sön 7 dec 2014 12:23:06 | World Community Grid | [http] HTTP error: Peer certificate cannot be authenticated with given CA certificates
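Added example, not part of the original report: a small parser for log lines in the format of the excerpt above that groups them by connection ID and reports which CA file each rejected connection was actually trusting. The function names, the "Example Project" lines and the boinc.example.org host are constructed for this illustration.

```python
import re
from collections import defaultdict

# The ID#10 lines are copied from the excerpt above; the ID#12 lines are
# constructed to show a connection that used a different CA file.
SAMPLE_LOG = """\
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#10] Info: Connected to grid.worldcommunitygrid.org (198.20.8.241) port 443 (#11)
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#10] Info: CAfile: /etc/pki/tls/certs/ca-bundle.crt
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#10] Info: CApath: none
sön 7 dec 2014 12:23:06 | World Community Grid | [http] [ID#10] Info: SSL certificate problem: self signed certificate in certificate chain
sön 7 dec 2014 12:23:06 | World Community Grid | [http] HTTP error: Peer certificate cannot be authenticated with given CA certificates
sön 7 dec 2014 12:24:10 | Example Project | [http] [ID#12] Info: Connected to boinc.example.org (192.0.2.10) port 443 (#13)
sön 7 dec 2014 12:24:10 | Example Project | [http] [ID#12] Info: CAfile: /var/lib/boinc/ca-bundle.crt
sön 7 dec 2014 12:24:10 | Example Project | [http] [ID#12] Info: CApath: none
"""

# "<timestamp> | <project> | [http] [ID#n] Info: <message>"
LINE = re.compile(
    r"\|\s*(?P<project>[^|]+?)\s*\|\s*\[http\]\s*\[ID#(?P<id>\d+)\]\s*Info:\s*(?P<msg>.*)$"
)
FIELDS = {"CAfile:": "cafile", "CApath:": "capath", "SSL certificate problem:": "error"}


def summarize(log_text):
    """Group [http] debug lines by connection ID and keep the TLS trust details."""
    keys = ("project", "host", "cafile", "capath", "error")
    conns = defaultdict(lambda: dict.fromkeys(keys))
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # e.g. the "HTTP error:" line, which carries no ID
        conn, msg = conns[int(m["id"])], m["msg"].strip()
        conn["project"] = m["project"]
        if msg.startswith("Connected to "):
            conn["host"] = msg.split()[2]
        for prefix, key in FIELDS.items():
            if msg.startswith(prefix):
                conn[key] = msg[len(prefix):].strip()
    return dict(conns)


def verification_failures(conns):
    """Return (id, host, cafile, error) for every connection whose chain was rejected."""
    return sorted(
        (cid, c["host"], c["cafile"], c["error"])
        for cid, c in conns.items() if c["error"]
    )


if __name__ == "__main__":
    for cid, host, cafile, error in verification_failures(summarize(SAMPLE_LOG)):
        print(f"ID#{cid} {host}: '{error}' while trusting {cafile}")
```
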
WORKAROUND for now:

1) Get the official package from boinc - it is a self extracting script. http://boinc.berkeley.edu/download_all.php
2) chmod +x it, and run it as normal user, and it creates subdir BOINC containing ca-bundle.crt
3) as root, cp ca-bundle.crt /var/lib/boinc/
4) in boinc manager transfer tab, click a stalled transfer and button Retry. (no need to restart)

Clean up downloaded and packed up files from 1) and 2)
Whiteboard: MGA4TOO => MGA4TOO WORKAROUND
Same here. I just found out the cure independently. The BOINC trac says to download ca-bundle.crt, but the link there is out of date. I had a client package I was going to use. Copied the ca-bundle.crt from there into /var/lib/boinc and restarted the client. It connected to WCG immediately. Only WCG is affected, because only WCG requires a secure connection. See: http://boinc.berkeley.edu/trac/wiki/Error/Scheduler%20request%20failed
CC: (none) => laidlaws
Whiteboard: MGA4TOO WORKAROUND => MGA4TOO MGA5TOO WORKAROUND
Is this bug still valid? If so, in which Mga version (5 and/or cauldron)?
CC: (none) => marja11
Whiteboard: MGA4TOO MGA5TOO WORKAROUND => MGA5TOO, WORKAROUND
Keywords: (none) => NEEDINFO
Assignee: bugsquad => pkg-bugs
I can't really answer that as I keep the ca-bundle.crt I mentioned in Comment 4. I believe that there is a copy of ca-bundle.crt in the current RPMs. The problem with starting boincmgr is still there in Mga6: boinc, --redirectio, --launched_by_manager) failed with error 2! That must be a different bug? I have a desktop icon that runs the workaround.
Running the same install as in #14: it still just runs after the upgrade to mga6, so at least the workaround still works.

More specifically: projects World Community Grid and Rosetta work, but GPUGRID nowadays always fails verification/certificate. I just disabled the project. I guess an updated cert is needed, which can be had manually like before.

But I guess the real fix would be to link to the certificate that Mageia RPMs keep updated?

Citing David W about another package: "the package should install a symlink to the system one in /etc/pki/tls/certs." https://bugs.mageia.org/show_bug.cgi?id=17279#c24

- Maybe the BOINC package could do the same?
@Doug:
Here on Plasma, cauldron, my desktop icon's start link successfully uses:

boincmgr -n localhost -d /var/lib/boinc

I have forgotten whether that is original or modified by me.
I tried now:

First, backing up my old .crt file from comment 3:
# mv /var/lib/boinc/ca-bundle.crt /var/lib/boinc/ca-bundle.crt_old

Then linking in the cert file provided by the Mageia RPM:
# ln -s /etc/pki/tls/certs/ca-bundle.crt /var/lib/boinc/ca-bundle.crt

Then I rebooted, and it works the same; it works on some projects, but still, for project GPUGRID:
mån 17 okt 2016 11:48:11 | GPUGRID | [error] Unable to verify acemd.848-65.bin using certificates

I will probably investigate further, but not soonish.
(In reply to Morgan Leijström from comment #8)
> @Doug:
> Here on Plasma, cauldron, my desktop icon start link successfully use:
>
> boincmgr -n localhost -d /var/lib/boinc
>
> I have forgot if that is original or modified by me

I used the boincmgr command in a terminal. That failed. The command in my desktop launcher is the same as yours. I can't recall where this was worked out. I thought it was in a different bug report. Maybe it wasn't.
(In reply to Morgan Leijström from comment #7)
> Running the same install as in #14 : still just runs after upgrade to mga6,
> so at least the workaround still works.
>
> More specifically: projects WordCommunityGrid and Rosetta works, but GPUGRID
> nowadays always fail verification/certificate. I just disabled the project.
> I guess updates cert is needed, which can be had manually like before.
>
> But i guess the real fix would be to link to certificate that mageia rpm:s
> keep updated?
>
> Citing David W about another package: "the package should install a symlink
> to the system one in /etc/pki/tls/certs."
> https://bugs.mageia.org/show_bug.cgi?id=17279#c24
>
> - Maybe BOINC package could do the same?

That should work. My original fix was to copy the default Mageia file, and that worked.
Hm, weird.

I tried project Bitcoin Utopia, and for that too (as well as GPUGRID), BOINC says verification fails due to cert for all downloaded files.

I still have linked the cert file provided by the Mageia RPM:
# ln -s /etc/pki/tls/certs/ca-bundle.crt /var/lib/boinc/ca-bundle.crt

Both projects worked when running on mga5 and that solution.
Some years ago, I copied a cert file from the BOINC site directly into /var/lib/boinc. I have never updated it, but it still works for World Community Grid.
I should have added: I think that there is a cert file in the BOINC download. Can't we have the RPM put that into /var/lib/boinc and avoid all compatibility issues?
I tried now with the cert file contained in BOINC, like in my comment #3, extracted from https://boinc.berkeley.edu/dl/boinc_7.4.22_x86_64-pc-linux-gnu.sh

Both that one and the Mageia cert file give the same result:
For World Community Grid, both work.
For Bitcoin Utopia and GPUGRID, none of them works.

Weird. Does anybody have any cert file working for the two latter projects?
In that case, it has to be an upstream bug. I don't run either of the other two. Could you perhaps take it up with the projects themselves?
Personally I do not care to push this more; my CPU is fully loaded by WCG, GPUGRID used to be often out of work units anyway, and I have more moral problems with Bitcoin than with traditional money, so I only used it for testing. I will wait for a fresh BOINC 7.6+ version for Linux.
Keywords: NEEDINFO => (none)
Just a note: it also fails similarly for Rosetta, while it worked on mga5 half a year ago. So probably it is not the projects; more likely BOINC or something BOINC-mga6 related.
Looking at the contents of ca-bundle.crt, it is as its name suggests, a bundle of certificates collected from various sources. If some projects don't work, maybe they are using a certificate that isn't in the bundle?
Yes, the file needs to be updated when required, e.g.: http://serverfault.com/questions/394815/how-to-update-curl-ca-bundle-on-redhat In that case, your ca-bundle is probably newer than mine, Morgan, and should work better. I tried GPUGRID. It started sending messages immediately, and it claims that it has plenty of work units. But so far, it hasn't sent me the framework files even, much less any work units.
I just looked around my computer. I have ca-bundle.crt files in many different places, and they are all of different sizes. The "official" one at /etc/pki/tls/certs/ is the largest. Somebody on one forum said that symlinks don't work. Maybe a hard link will?
OK, I made a copy instead of a link:
cp -a /etc/pki/tls/certs/ca-bundle.crt /var/lib/boinc/ca-bundle.crt
+ reboot -> same as before.

Then I deleted /var/lib/boinc/ca-bundle.crt + reboot -> same as before!! (WCG is validated OK, the others not)

Sooo... it is using another ca-bundle.crt file from somewhere else in the system? I find:

file:///usr/share/ncat/ca-bundle.crt <-- 252,4 KiByte
file:///etc/pki/tls/certs/ca-bundle.crt <-- the best probably, 1000,8 KiByte
file:///usr/share/apps/kssl/ca-bundle.crt <-- seems to be the same as above
file:///usr/share/kf5/kssl/ca-bundle.crt <-- small, 168,7 KiByte

The original provided in the bundle from the BOINC site is 252,4 KiByte.
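The bundles above are compared only by file size. An added example (not from the original thread) that compares two bundles by certificate fingerprint instead, so identical copies and missing roots show up directly; the function names are this example's own, and SYSTEM_BUNDLE and SHIPPED_BUNDLE are constructed placeholders rather than real certificates.

```python
import base64
import hashlib
import os
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def fingerprints(pem_text):
    """SHA-256 of the DER bytes of every certificate in a PEM bundle."""
    found = set()
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        found.add(hashlib.sha256(der).hexdigest())
    return found


def read_bundle(path):
    """Follow symlinks (e.g. /var/lib/boinc/ca-bundle.crt) and read the real file."""
    real = os.path.realpath(path)
    with open(real, encoding="utf-8", errors="replace") as fh:
        return real, fh.read()


def diff_bundles(first_pem, second_pem):
    """Return counts and the fingerprints present in only one of the bundles."""
    a, b = fingerprints(first_pem), fingerprints(second_pem)
    return {
        "first_total": len(a),
        "second_total": len(b),
        "common": len(a & b),
        "only_first": sorted(a - b),
        "only_second": sorted(b - a),
    }


def make_pem(der):
    """Wrap bytes in PEM armor; used only to build the constructed sample below."""
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed placeholders, not real certificates: only the PEM armor matters here.
SYSTEM_BUNDLE = make_pem(b"root-A") + make_pem(b"root-B") + make_pem(b"root-C")
SHIPPED_BUNDLE = "# header comment\n" + make_pem(b"root-A") + make_pem(b"root-D")

if __name__ == "__main__":
    report = diff_bundles(SYSTEM_BUNDLE, SHIPPED_BUNDLE)
    print(report["first_total"], report["second_total"], report["common"])
    # On a real system, compare two of the files listed above:
    # _, a = read_bundle("/etc/pki/tls/certs/ca-bundle.crt")
    # _, b = read_bundle("/var/lib/boinc/ca-bundle.crt")
    # print(diff_bundles(a, b))
```
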
Now I have replaced
/usr/share/ncat/ca-bundle.crt
/usr/share/kf5/kssl/ca-bundle.crt
with copies of /etc/pki/tls/certs/ca-bundle.crt and rebooted; still the same result...

Maybe something else is needed to validate the certificate for some projects? (Or maybe WCG does not need validation by certificate at all, so that is why it works.)

Am I missing some required system package / file...? (I did a bumpy online upgrade mga5->6 half a year ago...)
Now I uninstalled all four boinc* packages, installed them again, and rebooted: same.
I am using a different setup for boinc which works usually: one built from source and installed into /home/<uid>/.boinc/BOINC and the file ca-bundle.crt lives in *this* directory together with the boinc executable "boincmgr" which starts by running the script "run_manager". So perhaps the path seen by these latter two is where the .crt file must be placed in. Indeed their ca-bundle.crt has a size of 228,549 bytes HTH
Update: I noticed that the WCG beta project has also failed checking the certificate for some time, so I opted out of it. Other World Community Grid projects still work.
Without having done anything about this since the above (except regular updates), yesterday by chance I re-enabled projects GPUGRID and Rosetta, and there are no complaints about certificates; they just roll along :) Ah well, we will see at the next fresh install, probably after sta2
Reading through this multi-bug: if you have troubles with certificates, or you need it, it is available on GitHub at: https://github.com/BOINC/boinc/blob/master/curl/ca-bundle.crt

Get the certificate (dec2015) and put it in your base boinc directory (I moved boinc to /opt/BOINC and used links from /var/lib/boinc->/opt/BOINC):

[boinc@genesis ~]$ ls -l /opt/BOINC/ca-bundle.crt
-rw-rw-r-- 1 boinc boinc 228549 Dec 24 16:08 /opt/BOINC/ca-bundle.crt
[boinc@genesis ~]$ md5sum /opt/BOINC/ca-bundle.crt
1a0e0ddbd847ef8a42e433a8413a39f4 /opt/BOINC/ca-bundle.crt

The World Grid certificate is updated as of 2017july - see: https://www.worldcommunitygrid.org/about_us/viewNewsArticle.do?articleId=531

(Just an FYI - I did not follow further since I'm not running World Grid, but based on this info, it probably means that the certificate from GitHub is outdated and you need to build/merge new info.)
CC: (none) => digital
adding further self-help details.... https://einsteinathome.org/content/attention-when-updating-debian-stable-jessie-or-ubuntu-1404-lts-trusty
The updated certificates referred to in the link in Comment 28 are those used by WCG's own Web server, not the ones in the Boinc client, which come from the Boinc site. I am still using a ca-bundle.crt dated Dec 2016.
As there are other BOINC users in this thread, here I'll just put a heads-up about:

Bug 22860 - BOINC do not adhere to maximum ram setting -> applications get oom-killed
Bug 22810 - Boinc do not adapt to computer being used = problems running it

in case you don't know it already ;) Of course, if you know workarounds, say! :)
Installed boinc 7.2.42 (x64) and hit the execvp . Googling found the missing ca-bundle.crt file in https://boinc.berkeley.edu/trac/wiki/Error/Scheduler%20request%20failed Launching the boincmgr still produces two of these errors, but the third one I had disappeared and the boincmgr does its job. But according to this site, it's their own fault.
CC: (none) => herman.viaene
Two comments, Herman:

Firstly, only the IBM server needs those links. But IBM has all the most interesting projects.

Secondly, I have ca-bundle.crt in various places:

/home/doug/firestorm/bin/ca-bundle.crt
/home/doug/firestorm/bin/win32/ca-bundle.crt
/home/doug/firestorm.backup-2018-08-13/bin/win32/ca-bundle.crt
/usr/share/kf5/kssl/ca-bundle.crt
/usr/share/ncat/ca-bundle.crt
/var/lib/boinc/ca-bundle.crt

Firestorm is a Second Life client, and its copy is not available to other programs. Neither is any of the others. It sounds as though the file should be included in LD_LIBRARY_PATH, but I don't know enough to be sure. My LD_LIBRARY_PATH variable is empty. I still have a copy of ca-bundle.crt (copied from one of the above) in /var/lib/boinc (the last entry in the list).
@ Doug
I don't have that firestorm, but I have (before adding the file to boinc):

/etc/pki/tls/certs/ca-bundle.crt
/usr/share/apps/kssl/ca-bundle.crt
/usr/share/kf5/kssl/ca-bundle.crt
/usr/share/ncat/ca-bundle.crt

I think we would expect to pick up the stuff from /etc??? Copying that one should have the same beneficial effect. But I preferred to pick the file from the Berkeley site.

But anyway, the site states explicitly: "The reason for the error is that a file (ca-bundle.crt) was omitted from the release." So I estimate they know their product, and if they say the file should be in /var/lib/boinc, I'm not going to contradict them.
> I think we would expect to pick up the stuff from /etc???

Any of the ones in /etc/ should do the trick, but the system can't find them. Copy any one to /var/lib/boinc, and change its ownership to boinc:boinc. An RPM upgrade may remove it, but it doesn't remove your jobs-in-progress, and upgrades are fairly rare, anyway. I have a folder with backups for files that I may need to put back.
If anyone would like to use the compiled-by-me boinc_7.9.0_x86_64-pc-linux-gnu.sh which puts needed stuff free of rpm in ~/.boinc and works on Cauldron: email me. The size is 27 Mb but I could arrange to post it in my web space... When it stops working I compile a new version from source.
CC: (none) => dvgevers
I note that on a fresh install of Mageia 7 it just works. boinc-client-7.14.2-3.mga7.src.rpm

I have not dug into why it does, but I mark this bug resolved for now.
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Really, it should always have "just worked." I am probably still using my old ca-bundle.crt, and should update it. I have seen several upgrades of ca-bundle.crt come down. Looking at your Comment 22, none of the paths you list seem to be paths for libraries, but maybe I am wrong. I still have the issue with launching boinc. I must still use the workaround in Comment 8, but that is another story. boinc-client can be set to start on every boot.