Certificate update - please update old BOINC clients

Due to Google removing trust for Symantec certificates, we need to update our SSL certificate. This will happen on Monday (Apr 16). The new certificate will ensure compatibility with new web browsers, but BOINC clients older than v7.4 may no longer be able to connect. If at all possible, please update your BOINC client. If you are deliberately using an older BOINC client, please ensure that the "ca-bundle.crt" file is updated (instructions will be issued).

Behind the scenes we are trying to get a certificate that works with older clients as well as new browsers, but currently that doesn't seem to work out.

Update: Changed date to Monday April 16th 2018. Google will update Chrome on Tuesday April 17th.

Comments

Bernd Machenschalk
Moderator
Administrator
Joined: 15 Oct 04
Posts: 4310
Credit: 250086029
RAC: 34948

A current ca-bundle.crt file can be downloaded from the BOINC source tree at GitHub.

The BOINC clients of most Linux distros link the local ca-bundle.crt to the system's file (usually /etc/ssl/certs/ca-certificates.crt); these should get updated automatically.

On OSX you'll find the file in BOINC's data directory (/Library/Application Support/BOINC Data), on Windows in the program directory of the BOINC Client.

BM

Shawn Kwang
Joined: 3 Nov 15
Posts: 289
Credit: 3043055
RAC: 1557

To follow up:

In Windows, the ca-bundle.crt file is located in the directory (C:\Program Files\BOINC) or sometimes (C:\Program Files (x86)\BOINC).

Please don't hesitate to ask any questions or report problems in the Problems and Bug Reports Forum

Einstein@Home Project

Jonathan Jeckell
Joined: 11 Nov 04
Posts: 114
Credit: 1341965207
RAC: 782

Sorry to be dense, Bernd, but I just want to ensure I understood correctly: so for systems like PPC Macs and Raspberry Pi where there is no newer client (that I have seen) all we really need to do is ensure the ca-bundle.crt is updated and everything should be fine?

Bernd Machenschalk
Moderator
Administrator
Joined: 15 Oct 04
Posts: 4310
Credit: 250086029
RAC: 34948

The "Raspberry Pi" is a hardware (ARM) platform, on which you may run different systems (like Android or Linux). In most cases you will have Linux running on it from some distro (like Raspbian), and then it should apply what I wrote earlier - the file is updated with the system and normally you shouldn't have to do anything. If /var/lib/boinc-client/ca-bundle.crt exists and is a symlink, then you should be fine.

If your client on MacOSX 10.5 PPC could connect to Einstein@Home so far (i.e. it does have a sufficiently recent OpenSSL version built in), then updating the ca-bundle.crt file should be enough.

BM

Dirk Broer
Joined: 10 Sep 05
Posts: 13
Credit: 33156876
RAC: 85042

Monday (Apr 17)? Then it was either a year ago, or in the future.

It is the 16th next Monday...

MAGIC Quantum Mechanic
Joined: 18 Jan 05
Posts: 1884
Credit: 1395364826
RAC: 1158813

Dirk Broer wrote:

Monday (Apr 17)? Then it was either a year ago, or in the future.

It is the 16th next Monday...

2023 Cool

 https://www.timeanddate.com/calendar/weekday-monday-17?ext=1

Bernd Machenschalk
Moderator
Administrator
Joined: 15 Oct 04
Posts: 4310
Credit: 250086029
RAC: 34948

Sorry for the confusion. We'll replace the certificate on Monday (16th), to prepare for the new version of Google Chrome which has been announced for the 17th (Tuesday).

BM

Gary Roberts
Moderator
Joined: 9 Feb 05
Posts: 5872
Credit: 117192682453
RAC: 35998150

Just a small question.  For volunteers choosing to install the latest ca-bundle.crt rather than updating the BOINC client, does the client need to be restarted or will it notice the new file next time there is a need for it?

Since I have a large number of hosts with AMD GPUs, some still using fglrx for OpenCL and some using amdgpu, and a whole range of different stages of updating with respect to my distro's repository, I'm reluctant to disturb what is currently running quite well by attempting to do a hurried client upgrade.  I've written and tested a small bash script that will deploy the new bundle and save a backup copy of the old on every host on the LAN.  It would be trivial to add a command to restart the client if that were needed as well.

I'd rather not do a restart if it's not necessary :-).

 

Cheers,
Gary.

Bernd Machenschalk
Moderator
Administrator
Joined: 15 Oct 04
Posts: 4310
Credit: 250086029
RAC: 34948

Gary Roberts wrote:
... different stages of updating with respect to my distro's repository ...

By far most distros (and a reasonably recent self-extracting installer) link the BOINC client's certificate file to the system's one, so it gets updated with the system automatically and you don't have to do anything else to keep it up-to-date.

If you really need to update it manually, I suspect the client will need to be restarted (this is a functionality of the curl library linked into the client, not of BOINC's own code).

BM

Bernd Machenschalk
Moderator
Administrator
Joined: 15 Oct 04
Posts: 4310
Credit: 250086029
RAC: 34948

In general you should only need to update your client (or ca-bundle.crt file) if you are running a Windows or OSX client older than v7.4. Newer clients should work, and Linux clients should use the system's certificates file anyway.

BM

Bernd Machenschalk
Moderator
Administrator
Joined: 15 Oct 04
Posts: 4310
Credit: 250086029
RAC: 34948

Update: it currently looks like we can get a cross-signed certificate that will work with older clients as well as new browsers, but this will involve a bit of research and discussion with the issuer's support, so may take a few more days. For the time being, though, we will follow the original plan and replace the certificate today with the one we've got (that won't work with older clients).

BM

Gary Roberts
Moderator
Joined: 9 Feb 05
Posts: 5872
Credit: 117192682453
RAC: 35998150

The distro I use doesn't package BOINC.  Period.  There may well be other distros in the same boat.

There have been a number of requests over the years (not by me) to the maintainers of my distro to package BOINC.  All have been refused.  Very few reasons other than 'crap software' were given but it hasn't been a problem for me since I've always used the Berkeley download page anyway.  I have also built my own version of 7.6.33 which is installed on about 8 machines and working fine.  At some point I will upgrade the rest of the fleet - just not right now!  When I'm ready, I'll probably build something a bit more recent than 7.6.33.

Most of my hosts run 7.2.42 which is earlier than the v7.4 you mention.  The install was done using the shell archive from Berkeley.  There is no link to a system certificate file but I could easily create one manually.  At this point with a tested and working script to deploy the new ca-bundle.crt file, I'll just deploy the file.  If there are any issues, I'll just plan to restart the client to see if that fixes things.  As a last resort, I might need to investigate an updated system certificate bundle and link to that.  I don't imagine that will be necessary.

Thanks very much for your responses.  I'm sorry to have bothered you and I hope all goes well for you with whatever you have to do at your end.

 EDIT:  Hadn't seen your last post until after posting the above.

 

Cheers,
Gary.

Bernd Machenschalk
Moderator
Administrator
Joined: 15 Oct 04
Posts: 4310
Credit: 250086029
RAC: 34948

The certificates on our site have been updated.

BM

Gary Roberts
Moderator
Joined: 9 Feb 05
Posts: 5872
Credit: 117192682453
RAC: 35998150

I've just checked a couple of hosts running 7.2.42 and, so far, they seem to be uploading results and downloading new work without any complaints.  I think I might go home now since it's nearly 10:00PM here.  I haven't had to restart any machines.

Most of my machines run with a KDE4 desktop.  The upgrade to KDE Plasma 5 requires a clean install since the two are not compatible.  I had done that over several months on about 15 machines and hadn't noticed that the KDE5 ISO image I'd been using didn't include rsync by default - something which was always included with KDE4 images.  I had done my script testing on KDE4 machines so hadn't noticed the problem until the script got to the first KDE5 machine.  Since I keep a fully updated copy of the repository on a USB hard drive, it was simple (but a bit time consuming) to rectify by installing rsync on all KDE5 machines.  I'm lucky that I'd built in a fair bit of 'pause on error' functionality into the script so this allowed me to fix the problem before allowing the script to proceed and finish the job.

Thanks once again for your help.

 

Cheers,
Gary.

Bernd Machenschalk
Moderator
Administrator
Joined: 15 Oct 04
Posts: 4310
Credit: 250086029
RAC: 34948

Gary, if there is no 'ca-bundle.crt' file in BOINC's data directory, then the curl in the (Linux) BOINC client should use the system's setting. You don't need to create or update such a file then.

BM

mmonnin
Joined: 29 May 16
Posts: 291
Credit: 3369576540
RAC: 3187723

Jonathan Jeckell wrote:
Sorry to be dense, Bernd, but I just want to ensure I understood correctly: so for systems like PPC Macs and Raspberry Pi where there is no newer client (that I have seen) all we really need to do is ensure the ca-bundle.crt is updated and everything should be fine?

For my Pi 2 that was running the default OS that came with it there was no new BOINC version in the repository. I think it was like 7.0 something. Really old.

I updated a while back to a newer Raspbian version which had 7.6.33 in its repository. It's not the latest available but beyond 7.4. Yoyo updated the bin BOINC version a while back which forced me to update.

http://www.rechenkraft.net/yoyo/show_host_detail.php?hostid=421945

MarioMaiaru
Joined: 13 Apr 18
Posts: 1
Credit: 95555
RAC: 0

Hello, I have downloaded a bit of the first package that was sent to me, so my question is: how do I change my username? And also, how do I see my credits? Sorry for writing in Spanish, as I only know basic English. Thanks.

John Nelson
Joined: 21 Mar 18
Posts: 1
Credit: 4102430
RAC: 0

Sorry to be dense but I'm not a computer scientist or software engineer.  I have no idea how to do this update.  I don't see any instructions anywhere.  I use a Mac Book Pro and run High Sierra 10.13.4.  Please provide detailed instructions.

tullio
Joined: 22 Jan 05
Posts: 2118
Credit: 61407735
RAC: 0

7.2.42 which is still the official Linux release on OpenSuSE used to work, but I now have downloaded 7.8.3 on my 2 Linux boxes with SuSE Leap 42.3.

Tullio

Oliver Behnke
Moderator
Administrator
Joined: 4 Sep 07
Posts: 984
Credit: 25170813
RAC: 0

John Nelson_2 wrote:
I use a Mac Book Pro and run High Sierra 10.13.4.  Please provide detailed instructions.

Please note that the update described is targeting "power-users" who want/need to run an outdated version of BOINC. Standard users should always just install/run the latest BOINC version available for their platform.

Apart from that, in the case of macOS the recommended way to do a certificate update is by using the dedicated "Certificate updater" BOINC provides. This avoids file ownership issues specific to the sandboxed macOS version of BOINC. Don't worry about the stated macOS version limitation. On newer versions of macOS you just need to open it via right-click -> "Open" and confirm the warning instead of just double-clicking it: for macOS backwards-compatibility the updater can't be signed, as required by newer macOS versions.

Cheers,
Oliver

Einstein@Home Project

msetzerii
Joined: 24 May 06
Posts: 14
Credit: 310707867
RAC: 348784

Finally got mine to work. The BOINC directory had a ca-bundle.crt file in it, but it was from 2010?

Searched the system and found a number of ca-bundle.crt files, but they all seemed to link eventually to the file below. Renamed the ca-bundle.crt file, and then created a link to the file, and then Einstein connected and downloaded files and work units again.

This is from a fully updated Fedora 27 system.

 

mv ca-bundle.crt ca-bundle.crt.org
ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ca-bundle.crt
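
The checks discussed in this thread (is ca-bundle.crt absent, a symlink, or a private copy that can go stale) and the rename-and-link fix above, as an added shell example that is not part of any post. The function names are made up here; the BOINC data directory and the system bundle path are arguments you supply.

```shell
#!/bin/sh
# Added example: inspect and repair ca-bundle.crt in a BOINC data directory.

# Print the state of DIR/ca-bundle.crt: absent, regular-file,
# dangling-symlink, or "symlink -> TARGET".
bundle_status() {
    f="$1/ca-bundle.crt"
    if [ -L "$f" ]; then
        if [ -e "$f" ]; then echo "symlink -> $(readlink "$f")"
        else echo "dangling-symlink"; fi
    elif [ -e "$f" ]; then
        echo "regular-file"   # private copy: goes stale unless updated by hand
    else
        echo "absent"         # per the thread, curl then uses the system setting
    fi
}

# Number of PEM certificates in FILE (0 if unreadable or not a bundle).
cert_count() {
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || n=0
    echo "$n"
}

# Point DIR/ca-bundle.crt at SYSTEM_BUNDLE, keeping a regular file as
# ca-bundle.crt.org. Refuses if the target is not a CA bundle, so a typo
# in the path cannot leave the client with no trust anchors.
relink_bundle() {
    dir="$1"; sys="$2"
    if [ "$(cert_count "$sys")" -eq 0 ]; then
        echo "refusing: $sys contains no PEM certificates" >&2
        return 1
    fi
    case "$(bundle_status "$dir")" in
        symlink*)         return 0 ;;   # already linked and resolvable
        dangling-symlink) rm "$dir/ca-bundle.crt" || return 1 ;;
        regular-file)
            [ ! -e "$dir/ca-bundle.crt.org" ] || return 1   # keep older backup
            mv "$dir/ca-bundle.crt" "$dir/ca-bundle.crt.org" || return 1 ;;
    esac
    ln -s "$sys" "$dir/ca-bundle.crt"
}

# Stand-alone use: sh script.sh DATA_DIR   (read-only status report)
if [ $# -gt 0 ]; then bundle_status "$1"; fi
```

For example, `relink_bundle /var/lib/boinc-client /etc/ssl/certs/ca-certificates.crt`, run as a user that can write the data directory; as noted earlier in the thread, the client probably has to be restarted before curl picks up the changed file.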

Gaurav Khanna
Joined: 8 Nov 04
Posts: 42
Credit: 30509943269
RAC: 381798

So ... I updated the certificate on my old OSX 10.5 PPC G4 using the "boinc certificate updater" package. But, I keep getting "communication deferred .." when boinc tries to connect to get the scheduler list. I tried resetting the project, reinstalling boinc, updating the certificate again. No go. Here is the machine that worked fine till late March ..

https://einsteinathome.org/host/12247173

Any suggestions?