Client Certificate Problem

Nick Name

Administrator
USA team member
There's a problem with the certificate bundle in the client again. Communication with some projects is returning this message:
iThena1
Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates
I believe that only Windoze systems are affected. According to the thread on the BOINC forum, the issue is mainly an old version of OpenSSL that needs to be updated. It's unclear how many projects are affected. iThena, WUProp, CPDN and GPUGrid have been mentioned.


You can tinker with the ca.crt file in your BOINC program folder if you want, or wait for an official fix which may take a few days.
 

Nick Name

Administrator
USA team member
Here's the fix if you're comfortable editing the certificate file. You need to remove a certificate, which is simply deleting some text from the file. You can do this in Notepad. This is only for Windows users, Linux etc. shouldn't be affected.

1. Run Notepad as Administrator and browse (File -> Open) to the cert file. It's called ca-bundle and it's located in the BOINC program folder, not the data folder. The typical location is C:\Program Files\BOINC. If you changed the installation path when you installed BOINC you'll need to go to that folder.

2. You should make a backup of the ca-bundle file in case things go bad. You can save the file to another location, copy-paste the contents to a new file, whatever is easiest for you. The part to remove is titled DST Root CA X3. Delete this and the text that follows. Make sure you delete the entire block from DST Root CA X3 to -----END CERTIFICATE-----.

3. Save the file and you should be good. You don't need to restart BOINC, it will pick up the change on the next communication attempt.
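
The manual edit described in the post above, scripted as an added example (not part of the original post and not BOINC's own code). It assumes the bundle uses the curl/Mozilla layout, where each certificate is a title line, a row of `=` and a PEM block; the function names are hypothetical and the sample bundle is constructed.

```python
import re
import shutil
import sys
from pathlib import Path

# Assumption: curl/Mozilla bundle layout - a title line, a row of '=',
# then the PEM block. Trailing blank lines are consumed with the block.
BLOCK = re.compile(
    r"^(?P<title>[^\n]+)\n=+\n-----BEGIN CERTIFICATE-----\n"
    r".*?-----END CERTIFICATE-----\n*",
    re.S | re.M,
)
BEGIN = "-----BEGIN CERTIFICATE-----"

# Constructed sample: three titled blocks with placeholder bodies, not real certificates.
SAMPLE = "".join(
    f"{t}\n{'=' * len(t)}\n{BEGIN}\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n\n"
    for t in ("Example Root A", "DST Root CA X3", "Example Root B")
)

def remove_cert(text, title):
    """Return (new_text, removed) with every block titled `title` dropped."""
    removed = 0
    def drop(match):
        nonlocal removed
        if match.group("title").strip() != title:
            return match.group(0)
        removed += 1
        return ""
    return BLOCK.sub(drop, text), removed

def patch_bundle(path, title="DST Root CA X3"):
    """Back up the bundle, then rewrite it without the titled block."""
    path = Path(path)
    original = path.read_text(encoding="utf-8")
    patched, removed = remove_cert(original, title)
    if removed == 0:
        raise ValueError(f"no block titled {title!r}; file left untouched")
    # A malformed block (BEGIN without END) would make the match swallow a neighbour.
    if patched.count(BEGIN) != original.count(BEGIN) - removed:
        raise ValueError("certificate count mismatch; file left untouched")
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)  # keep the original, as step 2 advises
    path.write_text(patched, encoding="utf-8")
    return backup, removed

if __name__ == "__main__":
    print(patch_bundle(sys.argv[1]))
```

Pass the path to the bundle as the only argument; writing inside a protected program folder needs an elevated prompt.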
 

Nick Name

Administrator
USA team member
Richard Haselgrove has provided a replacement file if you'd prefer not to edit the cert file yourself.


You can also download one provided by the SRBase admin.


If you use these files you do so at your own risk, but I don't believe there is any real security risk here. These are both known and trusted persons in the BOINC community. You can open these in Notepad or other text reader if you wish and see what's in them. The alternative to a DIY fix is to wait for a fixed client, but that may take a while. According to Richard there's been no response yet from the developer(s) even acknowledging this problem.

*Edit: If you download this file, you will replace the cert file mentioned above in your BOINC program folder. You will need to have administrator rights to do that, unless your program folder is in an unprotected directory.
 

Nick Name

Administrator
USA team member
I haven't seen any new developments. It must be a complex problem to solve which is probably why we had this issue.
 