Edit June 6 2016:
I was informed that with the update to Debian Jessie 8.5 on June 4th a new OpenSSL version was introduced that fixes the problem with certificate validation. You can now unhold the ca-certificates package and update to 8.5 like this:
apt-get update
aptitude unhold ca-certificates
apt-get upgrade
Original post:
Please be aware that the current update of the ca-certificates package to 20141019+deb8u1 (introduced January 5th 2016) on Debian 7 and 20160104ubuntu0.14.04.1 (introduced February 8th 2016) on Ubuntu 14.04 LTS will break the connectivity of your BOINC Client with Einstein@Home (and WorldCommunityGrid). You see this message in the Client Event Log:
Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates
We already filed a bug report with the package maintainer and hope to get this solved with a new update.
In the meantime please hold the package in the last good version (2041019 for Debian) via the command:
aptitude hold ca-certificates
You can see the currently installed version with:
aptitude show ca-certificates
If you are already affected by this you can downgrade like I described here.
Attention when updating Debian stable (Jessie) or Ubuntu 14.04 L
If you already have the newest ca-certificates you need to downgrade like this:
Please make sure you have the package downloaded before purging!
Hi,
another option is:
echo ca-certificates hold | dpkg --set-selections
When the failure with the certificates is fixed you have to enter the command:
echo ca-certificates install | dpkg --set-selections
regards
Veit
Hello!
When do you think the new valid certificate will be installed on the einstein@home servers?
Thanks
This is not a problem with the server certificates as they are valid and current. The problem is that our server certificates are signed by two different root certificates. One of those has been removed with a ca-certificates update in Debian Jessie. This would not have been a problem because only one valid root certificate is required so your computers can verify our server certificate. Unfortunately there is a bug in the openssl version in Debian Jessie that is used to verify the server certificates. This bug causes the verification to fail instantly when a root certificate is missing and openssl doesn't check the alternative root certificate.
We can't change this on the server side so we have to wait until a new version of ca-certificates is released that contains the removed root certificate again. This is currently being tested as there are problems with reintroducing removed certificates in the ca-certificates package.
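The failure described in the post above can be reproduced with a small model of certificate path building. This is an added illustration, not code from the thread, from Einstein@Home or from OpenSSL; it checks names only, all certificate names are constructed, and it assumes the second trust path comes from a cross-certificate sent by the server.

```python
from collections import namedtuple

# Toy certificate: only the names matter here, no signatures are checked.
Cert = namedtuple("Cert", "subject issuer")

# Constructed chain as sent by a hypothetical server in its TLS handshake.
LEAF = Cert("server.example", "Intermediate CA")
INTERMEDIATE = Cert("Intermediate CA", "New Root")
CROSS = Cert("New Root", "Old Root")   # New Root's key, cross-signed by Old Root
SENT = [INTERMEDIATE, CROSS]


def build_chain(leaf, sent, trusted_roots, try_alternatives):
    """Return the list of names from leaf to trust anchor, or None on failure."""
    chain = [leaf]
    # Step 1: follow issuer names through the certificates the server sent.
    while True:
        nxt = next((c for c in sent
                    if c.subject == chain[-1].issuer and c not in chain), None)
        if nxt is None:
            break
        chain.append(nxt)
    # Step 2: the issuer of the last certificate must be a local trust anchor.
    while True:
        if chain[-1].issuer in trusted_roots:
            return [c.subject for c in chain] + [chain[-1].issuer]
        # Buggy behaviour: give up here. Fixed behaviour: drop the last
        # server-sent certificate and retry with a shorter chain.
        if not try_alternatives or len(chain) == 1:
            return None
        chain.pop()


STORE_BEFORE = {"Old Root", "New Root"}   # ca-certificates before the update
STORE_AFTER = {"New Root"}                # "Old Root" removed by the update

if __name__ == "__main__":
    for store in (STORE_BEFORE, STORE_AFTER):
        for alt in (False, True):
            print(sorted(store), "alternatives:", alt, "->",
                  build_chain(LEAF, SENT, store, alt))
```

With the reduced store, the verifier that stops at the first missing root returns no chain, while the one that retries with a shorter chain anchors at the root that is still installed.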
Thank you for your reply!
I'll wait for Debian to release a fix.
I have too many computers to manually return to the previous version of ca-certificates.
I hope it will not be too long to wait!
Mike
This also affects Ubuntu 14.04 LTS. A bug report is filed and we still wait for a solution by the Debian package maintainer (which will then be used on Ubuntu also).
If you need a workaround for Ubuntu please let me know.
Ubuntu already updated the affected libssl package on February 24th. Please update your system and try again if you have problems connecting to Einstein@home.
After first trying your workaround, I then found this post. After an apt-get update and then upgrade, I only saw the certificates upgrade, but tried to update E@H again...
3/1/2016 7:42:03 AM | Einstein@Home | Sending scheduler request: Requested by user.
3/1/2016 7:42:03 AM | Einstein@Home | Requesting new tasks for CPU
3/1/2016 7:42:05 AM | | Project communication failed: attempting access to reference site
3/1/2016 7:42:05 AM | Einstein@Home | Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates
3/1/2016 7:42:08 AM | | Internet access OK - project servers may be temporarily down.
So... no, with 14.04 updated as best I know how, it's still broken.
Edit: For now, I've downgraded to the 20141019 certificates again, but this system isn't being used for anything "production" yet, so I'll be glad to try anything you'd like if it will help.
That's strange. Try
curl https://einsteinathome.org
this should download the front page and display the raw html in your console or an error if it is still not working. If it is not working please post the output of
openssl version
and
curl --version
Yes, after updating the certificates, I tried this and did get the raw html of the front page.
However, after this I tried a project update again and got:
3/1/2016 8:56:26 AM | Einstein@Home | Sending scheduler request: Requested by user.
3/1/2016 8:56:26 AM | Einstein@Home | Requesting new tasks for CPU
3/1/2016 8:56:28 AM | | Project communication failed: attempting access to reference site
3/1/2016 8:56:28 AM | Einstein@Home | Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates
3/1/2016 8:56:30 AM | | Internet access OK - project servers may be temporarily down.
OpenSSL 1.0.1f 6 Jan 2014
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP