Can't contact EAH Servers - Peer Certificate Cannot be Authenticated...

Christian Beer
Christian Beer
Joined: 9 Feb 05
Posts: 595
Credit: 184979835
RAC: 328017

The ca-bundle.crt that comes

The ca-bundle.crt that comes with the Client is only used on Windows. On Linux and Mac the system certificate stores are used. To confirm this please try curl -v like this (I'm on Stretch):

$ curl -v https://scheduler.einsteinathome.org/EinsteinAtHome_cgi/cgi
*   Trying 130.75.116.40...
* Connected to scheduler.einsteinathome.org (130.75.116.40) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 696 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification OK
*        server certificate status verification SKIPPED
*        common name: www.einsteinathome.org (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: C=US,ST=Wisconsin,L=Milwaukee,O=University of Wisconsin-Milwaukee,OU=Physics,CN=www.einsteinathome.org
*        start date: Fri, 11 Dec 2015 00:00:00 GMT
*        expire date: Mon, 10 Dec 2018 23:59:59 GMT
*        issuer: C=US,O=thawte\, Inc.,CN=thawte SSL CA - G2
*        compression: NULL
* ALPN, server did not agree to a protocol
> GET /EinsteinAtHome_cgi/cgi HTTP/1.1
> Host: scheduler.einsteinathome.org
> User-Agent: curl/7.46.0
> Accept: */*
> 

611
http://einstein.phys.uwm.edu/
60.000000
Error in request message: no start tag
Einstein@Home

* Connection #0 to host scheduler.einsteinathome.org left intact

I think that either curl doesn't use the correct certificate store or the update of the store was broken.

KF7IJZ
KF7IJZ
Joined: 27 Feb 15
Posts: 110
Credit: 6108311
RAC: 0

RE: begin EDIT$ curl

Quote:

begin EDIT
$ curl https://einstein10.aei.uni-hannover.de/EinsteinAtHome_cgi/cgi

611
http://einstein.phys.uwm.edu/
60.000000
Error in request message: no start tag
Einstein@Home

end EDIT

I tried curl on this address and it worked manually. I then added it to global config and it did not work.

My YouTube Channel: https://www.youtube.com/user/KF7IJZ
Follow me on Twitter: https://twitter.com/KF7IJZ

KF7IJZ
KF7IJZ
Joined: 27 Feb 15
Posts: 110
Credit: 6108311
RAC: 0

RE: The ca-bundle.crt that

Quote:

The ca-bundle.crt that comes with the Client is only used on Windows. On Linux and Mac the system certificate stores are used. To confirm this please try curl -v like this (I'm on Stretch):

*snip*

I think that either curl doesn't use the correct certificate store or the update of the store was broken.

pi@rpi0-0:~ $ curl -v https://scheduler.einsteinathome.org/EinsteinAtHome_cgi/cgi
* Hostname was NOT found in DNS cache
*   Trying 130.75.116.40...
* Connected to scheduler.einsteinathome.org (130.75.116.40) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Since I can show BOINC/EAH working fine before doing an apt-get update/upgrade, I'm going to guess it came in the update, which I realize that is very unusual.

By chance, can anyone download the 11/21/2015-jessie lite image, install it, and do an apt-get update/upgrade to verify that the ca-certificates v20141019+deb8u1 gets installed and breaks boinc? I can reliably reproduce the error, but I'd like to see if someone else can.

I haven't tried stretch because again, I had heard that there was an issue as they were updating libc that broke the EAH application (read about this in the parallella thread).

My YouTube Channel: https://www.youtube.com/user/KF7IJZ
Follow me on Twitter: https://twitter.com/KF7IJZ

Christian Beer
Christian Beer
Joined: 9 Feb 05
Posts: 595
Credit: 184979835
RAC: 328017

RE: By chance, can anyone

Quote:

By chance, can anyone download the 11/21/2015-jessie lite image, install it, and do an apt-get update/upgrade to verify that the ca-certificates v20141019+deb8u1 gets installed and breaks boinc? I can reliably reproduce the error, but I'd like to see if someone else can.

I haven't tried stretch because again, I had heard that there was an issue as they were updating libc that broke the EAH application (read about this in the parallella thread).

I have an old Raspberry B that I can reformat and test on. In the meantime can you try to reconfigure the ca-certificates package using "dpkg-reconfigure ca-certificates". The curl installation needs to know about the CAfile and read in the certificates from there.

Another option is to go back to the working version and forbid the update of ca-certificates, then update and see if it works.

Edit: I would also like to see the "curl -v ..." output from a working rpi0-? installation just to compare the CAfile and CApath values.

floyd
floyd
Joined: 12 Sep 11
Posts: 133
Credit: 186610495
RAC: 0

RE: I tried curl on this

Quote:
I tried curl on this address

Meaning https://einstein10.aei.uni-hannover.de/EinsteinAtHome_cgi/cgi

Quote:
and it worked manually. I then added it to global config and it did not work.


Which leads me to the conclusion that you cannot compare the curl command line tool and BOINC. For me https://scheduler.einsteinathome.org/EinsteinAtHome_cgi/cgi does not work manually, with the same output as for KF7IJZ, but BOINC doesn't seem to care. On the other hand, https://einstein10.aei.uni-hannover.de/EinsteinAtHome_cgi/cgi does work manually and scheduler.einsteinathome.org is einstein10. I start to wonder whether BOINC behaves as it should, in my case connecting to a https server that can't be verified, in the other case not connecting when it should.

floyd
floyd
Joined: 12 Sep 11
Posts: 133
Credit: 186610495
RAC: 0

RE: In the meantime can you

Quote:
In the meantime can you try to reconfigure the ca-certificates package using "dpkg-reconfigure ca-certificates".


I don't dare try it without knowing the current configuration. What options would there be?

Quote:
The curl installation needs to know about the CAfile and read in the certificates from there.


Aren't the certificates from CAfile supposed to be present in CApath? Soft links actually, which makes me think of checking the real files.

Quote:
Another option is to go back to the working version and forbid the update of ca-certificates, then update and see if it works.


I was going to suggest the other way around, update the certificates only.

KF7IJZ
KF7IJZ
Joined: 27 Feb 15
Posts: 110
Credit: 6108311
RAC: 0

RE: Edit: I would also

Quote:

Edit: I would also like to see the "curl -v ..." output from a working rpi0-? installation just to compare the CAfile and CApath values.

Here's the output from rpi2-3, which is running stock jessie more or less.

First, the curl output

pi@rpi2-3:~ $ curl -v https://scheduler.einsteinathome.org/EinsteinAtHome_cgi/cg                                     i
* Hostname was NOT found in DNS cache
*   Trying 130.75.116.40...
* Connected to scheduler.einsteinathome.org (130.75.116.40) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*        subject: C=US; ST=Wisconsin; L=Milwaukee; O=University of Wisconsin-Mil                                     waukee; OU=Physics; CN=www.einsteinathome.org
*        start date: 2015-12-11 00:00:00 GMT
*        expire date: 2018-12-10 23:59:59 GMT
*        subjectAltName: scheduler.einsteinathome.org matched
*        issuer: C=US; O=thawte, Inc.; CN=thawte SSL CA - G2
*        SSL certificate verify ok.
> GET /EinsteinAtHome_cgi/cgi HTTP/1.1
> User-Agent: curl/7.38.0
> Host: scheduler.einsteinathome.org
> Accept: */*
>

611
http://einstein.phys.uwm.edu/
60.000000
Error in request message: no start tag
Einstein@Home

* Connection #0 to host scheduler.einsteinathome.org left intact

Next, ca-certificates version

pi@rpi2-3:~ $ sudo apt-cache policy ca-certificates
ca-certificates:
  Installed: 20141019
  Candidate: 20141019+deb8u1
  Version table:
     20141019+deb8u1 0
        500 http://mirrordirector.raspbian.org/raspbian/ jessie/main armhf Packages
 *** 20141019 0
        100 /var/lib/dpkg/status

I am interested in trying either forbidding an upgrade to ca-certificates or installing the version from the test stream.

Right now, the only node I don't really want to fool with rolling back is rpi0-0, which is currently broken due to ca-certs and is the master node w/ the correct network setup. I will try to get the testing version of ca-certs installed there though. I can blow the rest of my Zeros away and test whatever as I have time.

My YouTube Channel: https://www.youtube.com/user/KF7IJZ
Follow me on Twitter: https://twitter.com/KF7IJZ

KF7IJZ
KF7IJZ
Joined: 27 Feb 15
Posts: 110
Credit: 6108311
RAC: 0

So I added Raspbian Stretch

So I added Raspbian Stretch as an apt-source and selectively installed ONLY ca-certificates.

Running curl still gives the error.

Here's the version info:

pi@rpi0-0:/etc/apt/apt.conf.d $ sudo apt-cache policy ca-certificates
ca-certificates:
  Installed: 20160104
  Candidate: 20160104
  Version table:
 *** 20160104 0
        500 http://mirrordirector.raspbian.org/raspbian/ stretch/main armhf Packages
        100 /var/lib/dpkg/status
     20141019+deb8u1 0
        990 http://mirrordirector.raspbian.org/raspbian/ jessie/main armhf Packages

I was really surprised that this didn't work. I'm going to progressively upgrade components, starting with boinc-client next.

My YouTube Channel: https://www.youtube.com/user/KF7IJZ
Follow me on Twitter: https://twitter.com/KF7IJZ

MarkJ
MarkJ
Joined: 28 Feb 08
Posts: 437
Credit: 139002861
RAC: 1

This is one of my Pi2's

This is one of my Pi2's running Stretch

Quote:
sudo apt-cache policy ca-certificates
ca-certificates:
Installed: 20160104
Candidate: 20160104
Version table:
*** 20160104 500
500 http://mirrordirector.raspbian.org/raspbian stretch/main armhf Packages
100 /var/lib/dpkg/status


I am not sure why you're getting a 2014 version, Stretch should be recent.

My only B+ running Jessie is being offered the deb8u1 version from 2014, which I have currently declined to install due to the issues you're having. I might backup the SD card first and then try it.

Quote:
sudo apt-cache policy ca-certificates
ca-certificates:
Installed: 20141019
Candidate: 20141019+deb8u1
Version table:
20141019+deb8u1 0
500 http://mirrordirector.raspbian.org/raspbian/ jessie/main armhf Packages
*** 20141019 0
100 /var/lib/dpkg/status

I was the one who got the 1.06 BRP4 app failure when Stretch updated libc6. I didn't have a recent backup so had to reinstall Jessie. I sent a PM to Bikeman about it.

MarkJ
MarkJ
Joined: 28 Feb 08
Posts: 437
Credit: 139002861
RAC: 1

After updating it now can't

After updating it now can't connect. I would have to concur that whatever Debian put in there (or took out) breaks it.

Quote:

Einstein@Home 26-01-2016 12:08 PM update requested by user
Einstein@Home 26-01-2016 12:08 PM Sending scheduler request: Requested by user.
Einstein@Home 26-01-2016 12:08 PM Not requesting tasks: "no new tasks" requested via Manager
26-01-2016 12:08 PM Project communication failed: attempting access to reference site
Einstein@Home 26-01-2016 12:08 PM Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates
26-01-2016 12:08 PM Internet access OK - project servers may be temporarily down.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.