Can't contact EAH Servers - Peer Certificate Cannot be Authenticated...

Oliver Behnke
Oliver Behnke
Moderator
Administrator
Joined: 4 Sep 07
Posts: 950
Credit: 25,167,626
RAC: 1

For the record: I tracked

For the record: I tracked this down to at least two bug reports for OpenSSL, which confirm that a fix is available as of v1.0.2:

https://rt.openssl.org/Ticket/Display.html?id=3637
https://rt.openssl.org/Ticket/Display.html?id=3621

(login explained here)

We're also pursuing to get this fixed in Debian Jessie itself...

Oliver

 

Einstein@Home Project

KF7IJZ
KF7IJZ
Joined: 27 Feb 15
Posts: 110
Credit: 6,108,311
RAC: 0

Thank you all for your

Thank you all for your attention to this. I really appreciate the diagnosis. Unfortunately, even if they fix it in Jessie, it will likely be a while before it will roll in to Raspbian Jessie.

I was getting ready to do a series of videos on how to build your own EAH Boinc Clusters using the Pi 2 and Pi Zero. I had started to do this in October, back when I was following claggy's instructions for building boinc on Wheezy. When Jessie came out, I thought that would be awesome because it was so much easier to apt-get install boinc-client than compiling software, thus making it more accessible to people. It looks like I could still do that if people use stock jessie, but now I have to teach them to not upgrade ca-certificates or openssl! Maybe I can try to do an image on stretch, but I have to figureo ut how to get a working stretch system myself first (I know more than most at Linux, but still have a lot to learn, especially when it comes to troubleshooting).

The Pi Zero is very interesting because while it takes twice as long / core, the total cost of ownership is significantly less than the Pi 2. The micro sd card and a usb cable are a wash, as they are needed for each platform. A USB hub and some way for your master Zero to get to the internet is all that's needed to build a cluster that scales rather handily thanks to the USB Ethernet Gadget mode (http://pi.gbaman.info/?p=699. My ultimate goal is to get as many Pi Zeros online as possible while also adding a Pi 2 node to my Pi 2 cluster as often as I can. You can see the original Pi Zero prototype cluster here: https://twitter.com/KF7IJZ/status/689206463970041857

So thanks again for the work. Is there anything I can track on another website to see the status of these fixes? Should I try to inform the Raspbian people? Is there anything else I can do to help?

My YouTube Channel: https://www.youtube.com/user/KF7IJZ
Follow me on Twitter: https://twitter.com/KF7IJZ

Christian Beer
Christian Beer
Joined: 9 Feb 05
Posts: 595
Credit: 133,854,196
RAC: 272,609

RE: Thank you all for your

Quote:
Thank you all for your attention to this. I really appreciate the diagnosis. Unfortunately, even if they fix it in Jessie, it will likely be a while before it will roll in to Raspbian Jessie.


I don't know how the Raspbian and Debian repositories are interconnected. If you know of a way to speed this up please let me know. The ca-certificates package was migrated rather quickly so I hope that a new version that is maybe flagged urgent is quicker.

Quote:
I was getting ready to do a series of videos on how to build your own EAH Boinc Clusters using the Pi 2 and Pi Zero. I had started to do this in October, back when I was following claggy's instructions for building boinc on Wheezy. When Jessie came out, I thought that would be awesome because it was so much easier to apt-get install boinc-client than compiling software, thus making it more accessible to people. It looks like I could still do that if people use stock jessie, but now I have to teach them to not upgrade ca-certificates or openssl! Maybe I can try to do an image on stretch, but I have to figureo ut how to get a working stretch system myself first (I know more than most at Linux, but still have a lot to learn, especially when it comes to troubleshooting).


I added a rebuild of BRP for Stretch on armhf to my todolist. I don't have an ETA, but I'm working on getting this libc problem solved that was mentioned earlier.

Quote:
So thanks again for the work. Is there anything I can track on another website to see the status of these fixes? Should I try to inform the Raspbian people? Is there anything else I can do to help?


The most relevant Debian bugs are these two: 812708 and 812488. I think Raspbian just takes the package from Debian so we have to make them aware when there is a new version (hopefully).

KF7IJZ
KF7IJZ
Joined: 27 Feb 15
Posts: 110
Credit: 6,108,311
RAC: 0

Raspbian Bug Here - Please go

Raspbian Bug Here - Please go up vote! https://bugs.launchpad.net/raspbian/+bug/1538821

My YouTube Channel: https://www.youtube.com/user/KF7IJZ
Follow me on Twitter: https://twitter.com/KF7IJZ

Raspberry Pi - Brian
Raspberry Pi - Brian
Joined: 23 Nov 15
Posts: 3
Credit: 176,188
RAC: 0

RE: Edit: Here is what I

Quote:

Edit: Here is what I did to get the missing certificate back. Please make sure you have the package downloaded before purging!

$ wget http://snapshot.debian.org/archive/debian/20141020T103752Z/pool/main/c/ca-certificates/ca-certificates_20141019_all.deb
$ sudo dpkg --purge --force-depends ca-certificates
$ sudo dpkg -i ca-certificates_20141019_all.deb

This patch worked for me. (I was unable to attach the project)

Expanding the edge of Science.

vdvogt
vdvogt
Joined: 25 Jul 09
Posts: 5
Credit: 3,382,271
RAC: 0

Hi Brian, i had written your

Hi Brian,
i had written your three lines as bash script to get back to the old certificate.
But because I run unattended-upgrades I have to run it every second day.

Is there an option to keep the right certificate?

And how do I get notice when the new certificate which work correct is published?

regards
Veit

Christian Beer
Christian Beer
Joined: 9 Feb 05
Posts: 595
Credit: 133,854,196
RAC: 272,609

RE: Is there an option to

Quote:

Is there an option to keep the right certificate?

And how do I get notice when the new certificate which work correct is published?


Yes there is: Attention when updating Debian stable (Jessie)

I will probably announce the resolution in the same technical news item. So far it seems there is no consensus on what to do among the Debian maintainers involved.

KF7IJZ
KF7IJZ
Joined: 27 Feb 15
Posts: 110
Credit: 6,108,311
RAC: 0

Raspbian updated the Jessie

Raspbian updated the Jessie image to 20160209 last week, so the image now comes with the bad ca-certificates package. New users attempting to run boinc must now downgrade as course of business or use an archive of Jessie 20151121.

My YouTube Channel: https://www.youtube.com/user/KF7IJZ
Follow me on Twitter: https://twitter.com/KF7IJZ

vdvogt
vdvogt
Joined: 25 Jul 09
Posts: 5
Credit: 3,382,271
RAC: 0

Hi, i have stopped

Hi,

i have stopped updating the certificates with

echo ca-certificates hold | dpkg --set-selections

Will we be noticed when the failure is fixed?

regards
Veit

Christian Beer
Christian Beer
Joined: 9 Feb 05
Posts: 595
Credit: 133,854,196
RAC: 272,609

I will update the technical

I will update the technical News Item as soon as the Debian maintainers fixed it. There is nothing we can do about the issue apart from nagging them about it.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.