Certificate update - please update old BOINC clients

Due to Google removing trust for Symantec certificates, we need to update our SSL certificate. This will happen on Monday (Apr 16). The new certificate will ensure compatibility with new web browsers, but BOINC clients older than v7.4 may no longer be able to connect. If at all possible, please update your BOINC client. If you are deliberately using an older BOINC client, please ensure that the "ca-bundle.crt" file is updated (instructions will be issued).

Behind the scenes we are trying to get a certificate that works with older clients as well as new browsers, but currently that doesn't seem to work out.

Update: Changed date to Monday April 16th 2018. Google will update Chrome on Tuesday April 17th.

Comments

Bernd Machenschalk
Moderator
Administrator
Joined: 15 Oct 04
Posts: 3768
Credit: 159974230
RAC: 26433

A current ca-bundle.crt file can be downloaded from the BOINC source tree at GitHub.

The BOINC clients of most Linux distros link the local ca-bundle.crt to the system's file (usually /etc/ssl/certs/ca-certificates.crt); these should get updated automatically.

On OSX you'll find the file in BOINC's data directory (/Library/Application Support/BOINC Data), on Windows in the program directory of the BOINC Client.

BM

Shawn Kwang
Moderator
Administrator
Joined: 3 Nov 15
Posts: 177
Credit: 469672
RAC: 415

To follow up:

In Windows, the ca-bundle.crt file is located in the directory C:\Program Files\BOINC or sometimes C:\Program Files (x86)\BOINC.

Please don't hesitate to ask any questions or report problems in the Problems and Bug Reports Forum

Einstein@Home Project

Jonathan Jeckell
Joined: 11 Nov 04
Posts: 112
Credit: 298740673
RAC: 512163

Sorry to be dense, Bernd, but I just want to ensure I understood correctly: so for systems like PPC Macs and Raspberry Pi where there is no newer client (that I have seen) all we really need to do is ensure the ca-bundle.crt is updated and everything should be fine?

Bernd Machenschalk
Moderator
Administrator
Joined: 15 Oct 04
Posts: 3768
Credit: 159974230
RAC: 26433

The "Raspberry Pi" is a hardware (ARM) platform, on which you may run different systems (like Android or Linux). In most cases you will have Linux running on it from some distro (like Raspbian), and then what I wrote earlier should apply - the file is updated with the system and normally you shouldn't have to do anything. If /var/lib/boinc-client/ca-bundle.crt exists and is a symlink, then you should be fine.

If your client on MacOSX 10.5 PPC could connect to Einstein@Home so far (i.e. it does have a sufficiently recent OpenSSL version built in), then updating the ca-bundle.crt file should be enough.

BM

Dirk Broer
Joined: 10 Sep 05
Posts: 11
Credit: 11152577
RAC: 10715

Monday (Apr 17)? Then it was either a year ago, or in the future.

It is the 16th next Monday...

MAGIC Quantum Mechanic
Joined: 18 Jan 05
Posts: 1198
Credit: 340029817
RAC: 81539

Dirk Broer wrote:

Monday (Apr 17)? Then it was either a year ago, or in the future.

It is the 16th next Monday...

2023

 https://www.timeanddate.com/calendar/weekday-monday-17?ext=1

 

Bernd Machenschalk
Moderator
Administrator
Joined: 15 Oct 04
Posts: 3768
Credit: 159974230
RAC: 26433

Sorry for the confusion. We'll replace the certificate on Monday (16th), to prepare for the new version of Google Chrome which has been announced for the 17th (Tuesday).

BM

Gary Roberts
Moderator
Joined: 9 Feb 05
Posts: 4253
Credit: 12755827947
RAC: 25324640

Just a small question.  For volunteers choosing to install the latest ca-bundle.crt rather than updating the BOINC client, does the client need to be restarted or will it notice the new file next time there is a need for it?

Since I have a large number of hosts with AMD GPUs, some still using fglrx for OpenCL and some using amdgpu, and a whole range of different stages of updating with respect to my distro's repository, I'm reluctant to disturb what is currently running quite well by attempting to do a hurried client upgrade.  I've written and tested a small bash script that will deploy the new bundle and save a backup copy of the old on every host on the LAN.  It would be trivial to add a command to restart the client if that were needed as well.

I'd rather not do a restart if it's not necessary :-).

 

Cheers,
Gary.

Bernd Machenschalk
Moderator
Administrator
Joined: 15 Oct 04
Posts: 3768
Credit: 159974230
RAC: 26433

Gary Roberts wrote:
... different stages of updating with respect to my distro's repository ...

By far most distros (and a reasonably recent self-extracting installer) link the BOINC client's certificate file to the system's one, so it gets updated with the system automatically and you don't have to do anything else to keep it up-to-date.

If you really need to update it manually, I suspect the client will need to be restarted (this is a functionality of the curl library linked into the client, not of BOINC's own code).

BM

Bernd Machenschalk
Moderator
Administrator
Joined: 15 Oct 04
Posts: 3768
Credit: 159974230
RAC: 26433

In general you should only need to update your client (or ca-bundle.crt file) if you are running a Windows or OSX client older than v7.4. Newer clients should work, and Linux clients should use the system's certificates file anyway.

BM

Bernd Machenschalk
Moderator
Administrator
Joined: 15 Oct 04
Posts: 3768
Credit: 159974230
RAC: 26433

Update: it currently looks like we can get a cross-signed certificate that will work with older clients as well as new browsers, but this will involve a bit of research and discussion with the issuer's support, so may take a few more days. For the time being, though, we will follow the original plan and replace the certificate today with the one we've got (that won't work with older clients).

BM

Gary Roberts
Moderator
Joined: 9 Feb 05
Posts: 4253
Credit: 12755827947
RAC: 25324640

The distro I use doesn't package BOINC.  Period.  There may well be other distros in the same boat.

There have been a number of requests over the years (not by me) to the maintainers of my distro to package BOINC.  All have been refused.  Very few reasons other than 'crap software' were given but it hasn't been a problem for me since I've always used the Berkeley download page anyway.  I have also built my own version of 7.6.33 which is installed on about 8 machines and working fine.  At some point I will upgrade the rest of the fleet - just not right now!  When I'm ready, I'll probably build something a bit more recent than 7.6.33.

Most of my hosts run 7.2.42 which is earlier than the v7.4 you mention.  The install was done using the shell archive from Berkeley.  There is no link to a system certificate file but I could easily create one manually.  At this point with a tested and working script to deploy the new ca-bundle.crt file, I'll just deploy the file.  If there are any issues, I'll just plan to restart the client to see if that fixes things.  As a last resort, I might need to investigate an updated system certificate bundle and link to that.  I don't imagine that will be necessary.

Thanks very much for your responses.  I'm sorry to have bothered you and I hope all goes well for you with whatever you have to do at your end.

 EDIT:  Hadn't seen your last post until after posting the above.

 

Cheers,
Gary.

Bernd Machenschalk
Moderator
Administrator
Joined: 15 Oct 04
Posts: 3768
Credit: 159974230
RAC: 26433

The certificates on our site have been updated.

BM

Gary Roberts
Moderator
Joined: 9 Feb 05
Posts: 4253
Credit: 12755827947
RAC: 25324640

I've just checked a couple of hosts running 7.2.42 and, so far, they seem to be uploading results and downloading new work without any complaints.  I think I might go home now since it's nearly 10:00PM here.  I haven't had to restart any machines.

Most of my machines run with a KDE4 desktop.  The upgrade to KDE Plasma 5 requires a clean install since the two are not compatible.  I had done that over several months on about 15 machines and hadn't noticed that the KDE5 ISO image I'd been using didn't include rsync by default - something which was always included with KDE4 images.  I had done my script testing on KDE4 machines so hadn't noticed the problem until the script got to the first KDE5 machine.  Since I keep a fully updated copy of the repository on a USB hard drive, it was simple (but a bit time consuming) to rectify by installing rsync on all KDE5 machines.  I'm lucky that I'd built in a fair bit of 'pause on error' functionality into the script so this allowed me to fix the problem before allowing the script to proceed and finish the job.

Thanks once again for your help.

 

Cheers,
Gary.

Bernd Machenschalk
Moderator
Administrator
Joined: 15 Oct 04
Posts: 3768
Credit: 159974230
RAC: 26433

Gary, if there is no 'ca-bundle.crt' file in BOINC's data directory, then the curl in the (Linux) BOINC client should use the system's setting. You don't need to create or update such a file then.

BM
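The three cases described in the posts above (a symlink to the system bundle, no ca-bundle.crt at all, or a stand-alone copy that has to be replaced) can be told apart before anything is overwritten. This is an added shell example, not part of the thread and not Gary's script; the function names are hypothetical, and the data directory and the already-downloaded bundle are passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the thread). DIR is the BOINC data directory,
# e.g. /var/lib/boinc-client on Linux; NEW is a bundle already downloaded.

# bundle_state DIR -> absent | symlink | file
bundle_state() {
    f="$1/ca-bundle.crt"
    if [ -L "$f" ]; then
        echo symlink      # linked to the system bundle, updated with the OS
    elif [ -e "$f" ]; then
        echo file         # stand-alone copy, goes stale unless replaced
    else
        echo absent       # Linux client's curl uses the system's setting
    fi
}

# count_certs FILE -> number of PEM certificate blocks (0 if unreadable)
count_certs() {
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# deploy_bundle NEW DIR
# Replaces a stand-alone bundle, keeping the old one as ca-bundle.crt.bak.
# Returns 0 on success or when nothing needs doing, 2 if NEW holds no certs.
deploy_bundle() {
    new="$1"; target="$2/ca-bundle.crt"
    [ "$(bundle_state "$2")" = file ] || return 0
    [ "$(count_certs "$new")" -gt 0 ] || return 2   # empty or truncated download
    cp -p "$target" "$target.bak" || return 1
    # Write beside the target, then rename, so the client never reads a
    # half-written bundle.
    cp "$new" "$target.tmp" && mv "$target.tmp" "$target"
}
```

Refusing a bundle with no certificate blocks matters here because a failed download saved as ca-bundle.crt would leave the client unable to verify any server.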

mmonnin
Joined: 29 May 16
Posts: 157
Credit: 206927914
RAC: 543696

Jonathan Jeckell wrote:
Sorry to be dense, Bernd, but I just want to ensure I understood correctly: so for systems like PPC Macs and Raspberry Pi where there is no newer client (that I have seen) all we really need to do is ensure the ca-bundle.crt is updated and everything should be fine?

For my Pi 2 that was running the default OS that came with it there was no new BOINC version in the repository. I think it was like 7.0 something. Really old.

I updated a while back to a newer Raspbian version which had 7.6.33 in its repository. It's not the latest available but beyond 7.4. Yoyo updated the min BOINC version a while back which forced me to update.

http://www.rechenkraft.net/yoyo/show_host_detail.php?hostid=421945

MarioMaiaru
Joined: 13 Apr 18
Posts: 1
Credit: 28720
RAC: 2121

Hello, I have downloaded a bit of the first package that was sent to me. My question is: how do I change my user name? And also, how do I see my credits? Sorry for writing in Spanish, as I only know basic English. Thanks.