Due to Google removing trust for Symantec certificates, we need to update our SSL certificate. This will happen on Monday (Apr 16). The new certificate will ensure compatibility with new webbrowsers, but BOINC clients older than v7.4 may no longer be able to connect. If at all possible, please update your BOINC client. If you are deliberately using an older BOINC client, please ensure that the "ca-bundle.crt" file is updated (instructions will be issued).
Behind the scenes we are trying to get a certificate that works with older clients as well as new browsers, but currently that doesn't seem to work out.
Update: Changed date to Monday April 16th 2018. Google will update Chrome on Tuesday April 17th.
Copyright © 2024 Einstein@Home. All rights reserved.
Comments
A current ca-bundle.crt file
)
A current ca-bundle.crt file can be downloaded from the BOINC source tree at github.
The BOINC clients of most Linux distros link the local ca-bundle.crt to the system's file (usually /etc/ssl/certs/ca-certificates.crt), these should get updated automatically.
On OSX you'll find the file in BOINC's data directory (/Library/Application Support/BOINC Data), on Windows in the program directory of the BOINC Client.
BM
To follow up: In Windows,
)
To follow up:
In Windows, the directory the ca-bundle.crt file is located in (C:\Program Files\BOINC) or sometimes (C:\Program Files (x86)\BOINC).
Please don't hesitate to ask any questions or report problems in the Problems and Bug Reports Forum.
Einstein@Home Project
Sorry to be dense, Bernd, but
)
Sorry to be dense, Bernd, but I just want to ensure I understood correctly: so for systems like PPC Macs and Raspberry Pi where there is no newer client (that I have seen) all we really need to do is ensure the ca.bundle.crt is updated and everything should be fine?
The "Raspberry Pi" is a
)
The "Raspberry Pi" is a hardware (ARM) platform, on which you may run different systems (like Android or Linux). In most cases you will have Linux running on it from some distro (like Raspbian), and then it should apply what I wrote earlier - the file is updated with the system and normally you shouldn't have to do anything. If /var/lib/boinc-client/ca-bundle.crt exists and is a symlink, then you should be fine.
If your client on MacOSX 10.5 PPC could connect to Einstein@Home so far (i.e. it does have a sufficiently recent OpenSSL version built in), then updating the ca-bundle.crt file should be enough.
BM
Monday (Apr 17)? Than it was
)
Monday (Apr 17)? Than it was either a year ago, or in the future.
It is the 16th next monday...
https://boincstats.com/signature/5/user/2177/project/sig.png
Dirk Broer wrote: Monday (Apr
)
2023
https://www.timeanddate.com/calendar/weekday-monday-17?ext=1
Sorry for the confusion.
)
Sorry for the confusion. We'll replace the certificate on Monday (16th), to prepare for the new version of Google Chrome which has been announced for the 17th (Tuesday).
BM
Just a small question. For
)
Just a small question. For volunteers choosing to install the latest ca-bundle.crt rather than updating the BOINC client, does the client need to be restarted or will it notice the new file next time there is a need for it?
Since I have a large number of hosts with AMD GPUs, some still using fglrx for OpenCL and some using amdgpu, and a whole range of different stages of updating with respect to my distro's repository, I'm reluctant to disturb what is currently running quite well by attempting to do a hurried client upgrade. I've written and tested a small bash script that will deploy the new bundle and save a backup copy of the old on every host on the LAN. It would be trivial to add a command to restart the client if that were needed as well.
I'd rather not do a restart if it's not necessary :-).
Cheers,
Gary.
Gary Roberts wrote: ...
)
By far most distros (and a reasonably recent) self-extracting installer link the BOINC client's certificate file to the system's one, so it gets updated with the system automatically and yu don't have to do anything else to keep it up-to-date.
If you really need to update t manually, I suspect the client will need too be restarted (this is a functionality of the curl library linked into the client, not of BOINC's own code).
BM
In general you should only
)
In general you should only need to update your client (or ca-bundle.crt file) if you are running a Windows or OSX client older than v7.4. Newer clients should work, and Linux clients should use the system's certificates file anyway.
BM
Update: it currently looks
)
Update: it currently looks like we can get a cross-signed certificate that will work with older clients as well as new browsers, but this will involve a bit of research and discussion with the issuer's support, so may take a few more days. For the time being, though, we will follow the original plan and replace the certificate today with the one we've got (that won't work with older clients).
BM
The distro I use doesn't
)
The distro I use doesn't package BOINC. Period. There may well be other distros in the same boat.
There have been a number of requests over the years (not by me) to the maintainers of my distro to package BOINC. All have been refused. Very few reasons other than 'crap software' were given but it hasn't been a problem for me since I've always used the Berkeley download page anyway. I have also built my own version of 7.6.33 which is installed on about 8 machines and working fine. At some point I will upgrade the rest of the fleet - just not right now! When I'm ready, I'll probably build something a bit more recent than 7.6.33.
Most of my hosts run 7.2.42 which is earlier than the v7.4 you mention. The install was done using the shell archive from Berkeley. There is no link to a system certificate file but I could easily create one manually. At this point with a tested and working script to deploy the new ca-bundle.crt file, I'll just deploy the file. If there are any issues, I'll just plan to restart the client to see if that fixes things. As a last resort, I might need to investigate an updated system certificate bundle and link to that. I don't imagine that will be necessary.
Thanks very much for your responses. I'm sorry to have bothered you and I hope all goes well for you with whatever you have to do at your end.
EDIT: Hadn't seen your last post until after posting the above.
Cheers,
Gary.
The certificates on our site
)
The certificates on our site have been updated.
BM
I've just checked a couple of
)
I've just checked a couple of hosts running 7.2.42 and, so far, they seem to be uploading results and downloading new work without any complaints. I think I might go home now since it's nearly 10:00PM here. I haven't had to restart any machines.
Most of my machines run with a KDE4 desktop. The upgrade to KDE Plasma 5 requires a clean install since the two are not compatible. I had done that over several months on about 15 machines and hadn't noticed that the KDE5 ISO image I'd been using didn't include rsync by default - something which was always included with KDE4 images. I had done my script testing on KDE4 machines so hadn't noticed the problem until the script got to the first KDE5 machine. Since I keep a fully updated copy of the repository on a USB hard drive, it was simple (but a bit time consuming) to rectify by installing rsync on all KDE5 machines. I'm lucky that I'd built in a fair bit of 'pause on error' functionality into the script so this allowed me to fix the problem before allowing the script to proceed and finish the job.
Thanks once again for your help.
Cheers,
Gary.
Gary, if there is no
)
Gary, if there is no 'ca-bundle.crt' file in BOINC's data directory, then the curl in the (Linux) BOINC client should use the system's setting. You don't need to create or update such a fie then.
BM
Jonathan Jeckell wrote:Sorry
)
For my Pi 2 that was running the default OS that came with it there was no new BOINC version in the repository. I think it was like 7.0 something. Really old.
I updated awhile back to a newer Raspian version which had 7.6.33 in its repository. It's not the latest available but beyond 7.4. Yoyo updated the bin BOINC version awhile back which forced me to update.
http://www.rechenkraft.net/yoyo/show_host_detail.php?hostid=421945
Hola, he descargado un poco
)
Hola, he descargado un poco el primer paquete que me han enviado, pues bien la pregunta es como cambio mi nombre de usuario? como también ver mis créditos? perdon por escribir en español ya que solo se ingles basico. gracias
Sorry to be dense but I'm not
)
Sorry to be dense but I'm not a computer scientist or software engineer. I have no idea how to do this update. I don't see any instructions anywhere. I use a Mac Book Pro and run High Sierra 10.13.4. Please provide detailed instructions.
7.2.42 which is still the
)
7.2.42 which is still the official Linux release on OpenSuSE used to work, but I now have downloaded 7.8.3 on my 2 Linux boxes with SuSE Leap 42.3.
Tullio
John Nelson_2 wrote:I use a
)
Please note that the update described is targeting "power-users" who want/need to run an outdated version of BOINC. Standard user should always just install/run the latest BOINC version available for their platform.
Apart from that, in the case of macOS the recommended way to do a certificate update is by using the dedicated "Certificate updater" BOINC provides. This avoids file ownership issues specific to the sandboxed macOS version of BOINC. Don't worry about the stated macOS version limitation. On newer versions of macOS you just need to open it via right-click -> "Open" and confirm the warning instead of just double-clicking it: for macOS backwards-compatibility the updater can't be signed, as required by newer macOS versions.
Cheers,
Oliver
Einstein@Home Project
Finally got mine to work. The
)
Finally got mine to work. The BOINC directory had a ca-bundle.crt file, in it, but it was from 2010?
Search system and found a number of ca-bundle.crt files, but they all seemed to link eventually to the file below. Renamed the ca-bundle.crt file, and then created a link to the file and then the einstein connected and downloaded files and work units again.
This is from a Fedora 27 fully updated systems.
mv ca-bundle.crt ca-bundle.crt.org
ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ca-bundle.crt
So ... I updated the
)
So ... I updated the certificate on my old OSX 10.5 PPC G4 using the "boinc certificate updater" package. But, I keep getting "communication deferred .." when boinc tries to connect to get the scheduler list. I tried resetting the project, reinstalling boinc, updating the certificate again. No go. Here is the machine that worked fine till late March ..
https://einsteinathome.org/host/12247173
Any suggestions?