Attention when updating Debian stable (Jessie) or Ubuntu 14.04 LTS (Trusty)

Christian Beer
Christian Beer
Joined: 9 Feb 05
Posts: 595
Credit: 188571536
RAC: 169566
Topic 198396

Edit June 6 2016:
I was informed that with the update to Debian Jessie 8.5 on June 4th a new OpenSSL version was introduced that fixes the problem with certificate validation. You can now unhold the ca-certificates package and update to 8.5 like this:

apt-get update
aptitude unhold ca-certificates
apt-get upgrade

Original post:
Please be aware that the current update of the ca-certificates package to 20141019+deb8u1 (introduced January 5th 2016) on Debian 7 and 20160104ubuntu0.14.04.1 (introduced February 8th 2016) on Ubuntu 14.04 LTS will break the connectivity of your BOINC Client with Einstein@Home (and WorldCommunityGrid). You see this message in the Client Event Log:

Quote:
Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates


We already filed a bug report with the package maintainer and hope to get this solved with a new update.

In the meantime please hold the package in the last good version (2041019 for Debian) via the command:
aptitude hold ca-certificates
You can see the currently installed version with:
aptitude show ca-certificates
If you are already affected by this you can downgrade like I described here.

Christian Beer
Christian Beer
Joined: 9 Feb 05
Posts: 595
Credit: 188571536
RAC: 169566

Attention when updating Debian stable (Jessie) or Ubuntu 14.04 L

If you already have the newest ca-certificates you need to downgrade like this:

Please make sure you have the package downloaded before purging!

$ wget http://snapshot.debian.org/archive/debian/20141020T103752Z/pool/main/c/ca-certificates/ca-certificates_20141019_all.deb
$ sudo dpkg --purge --force-depends ca-certificates
$ sudo dpkg -i ca-certificates_20141019_all.deb
vdvogt
vdvogt
Joined: 25 Jul 09
Posts: 5
Credit: 3382271
RAC: 0

Hi, another option

Hi,
another option is:

echo ca-certificates hold | dpkg --set-seletions

When the failure with the certificates is fixed you have to enter the command:

echo ca-certificates install | dpkg --set-selections

regards
Veit

USTL-FIL (Lille Fr)
USTL-FIL (Lille Fr)
Joined: 11 Apr 06
Posts: 2
Credit: 200046415
RAC: 56

Hello! When do you think the

Hello!
When do you think the new valid certificate will be installed on the einstein@home servers?
Thanks

Christian Beer
Christian Beer
Joined: 9 Feb 05
Posts: 595
Credit: 188571536
RAC: 169566

RE: When do you think the

Quote:
When do you think the new valid certificate will be installed on the einstein@home servers?


This is not a problem with the server certificates as they are valid and current. The problem is that our server certificates are signed by two different root certificates. One of those has been removed with a ca-certificates update in Debian Jessie. This would have not been a problem because only one valid root certificate is required so your computers can verify our server certificate. Unfortunately there is a bug in the openssl version in Debian Jessie that is used to verify the server certificates. This bug causes the verification to fail instantly when a root certificate is missing and openssl doesn't check the alternative root certificate.

We can't change this in the server side so we have to wait until a new version of ca-certificates is released that contains the removed root certificate again. This is currently tested as there are problems with reintroducing removed certificates in the ca-certificates package.

USTL-FIL (Lille Fr)
USTL-FIL (Lille Fr)
Joined: 11 Apr 06
Posts: 2
Credit: 200046415
RAC: 56

Thank you for your

Thank you for your reply!
I'll wait for debian releases a fix.
I have too much computer to manually make a return to the previous version of ca-certificates.
I hope it will not be too long to wait!
Mike

Christian Beer
Christian Beer
Joined: 9 Feb 05
Posts: 595
Credit: 188571536
RAC: 169566

This also affects Ubuntu

This also affects Ubuntu 14.04 LTS. A bug report is filed and we still wait for a solution by the Debian package maintainer (which will then be used on Ubuntu also). If you need a workaround for Ubuntu please let me know.

Christian Beer
Christian Beer
Joined: 9 Feb 05
Posts: 595
Credit: 188571536
RAC: 169566

Ubuntu already updated the

Ubuntu already updated the affected libssl package on February 24th. Please update your system and try again if you have problems connecting to Einstein@home.

Thunder
Thunder
Joined: 18 Jan 05
Posts: 138
Credit: 46754541
RAC: 0

RE: Ubuntu already updated

Quote:
Ubuntu already updated the affected libssl package on February 24th. Please update your system and try again if you have problems connecting to Einstein@home.

After first trying your workaround, I then found this post. After an apt-get update and then upgrade, I only saw the certificates upgrade, but tried to update E@H again...

3/1/2016 7:42:03 AM | Einstein@Home | Sending scheduler request: Requested by user.
3/1/2016 7:42:03 AM | Einstein@Home | Requesting new tasks for CPU
3/1/2016 7:42:05 AM | | Project communication failed: attempting access to reference site
3/1/2016 7:42:05 AM | Einstein@Home | Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates
3/1/2016 7:42:08 AM | | Internet access OK - project servers may be temporarily down.

So... no, with 14.04 updated as best I know how, it's still broken.

Edit: For now, I've downgraded to the 20141019 certificates again, but this system isn't being used for anything "production" yet, so I'll be glad to try anything you'd like if it will help.

Christian Beer
Christian Beer
Joined: 9 Feb 05
Posts: 595
Credit: 188571536
RAC: 169566

That's strange. Try curl

That's strange. Try curl https://einsteinathome.org this should download the front page and display the raw html in your console or an error if it is still not working.

If it is not working please post the output of openssl version and curl --version.

Thunder
Thunder
Joined: 18 Jan 05
Posts: 138
Credit: 46754541
RAC: 0

RE: curl

Yes, after updating the certificates, I tried this and did get the raw html of the front page.

However, after this I tried a project update again and got:

3/1/2016 8:56:26 AM | Einstein@Home | Sending scheduler request: Requested by user.
3/1/2016 8:56:26 AM | Einstein@Home | Requesting new tasks for CPU
3/1/2016 8:56:28 AM | | Project communication failed: attempting access to reference site
3/1/2016 8:56:28 AM | Einstein@Home | Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates
3/1/2016 8:56:30 AM | | Internet access OK - project servers may be temporarily down.

Quote:

If it is not working please post the output of openssl version and curl --version.

OpenSSL 1.0.1f 6 Jan 2014

curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.