Warning: Verisign/Symantec Class 3 Public Primary CA root certificate being dropped from ca-bundle.crt
Author | Message |
---|---|
Joined: 29 Aug 05 Posts: 15634 |
Due to Google moving to distrust the “Class 3 Public Primary CA” root certificate operated by Symantec Corporation, we're removing the Symantec/Verisign Class 3 Public Primary CA root certificate from ca-bundle.crt, bundled with BOINC clients. Things you can expect that will happen due to this removal:
- In the worst case ‘one additional certificate authority’ is trusted by the BOINC client that browsers do not trust. Volunteers would be more annoyed with their browser not working against a project server than with the BOINC client that is working.
- By removing the cert, we potentially can cause a problem where new clients stop working while the browser continues to work for a few weeks (until the various vendors remove the root CA certificate from their root stores).
- The more common scenario will be that new clients stop working against a project. Making a backup copy of your old ca-bundle.crt (in the BOINC Program directory) and putting it back in place for the new certificate file may overcome this, until the project catches up. |
Joined: 29 Aug 05 Posts: 15634 |
Rom Walton wrote: I’ve removed the old root CA from the bundle. |
Joined: 15 Feb 16 Posts: 7 |
Well .. turns out IT IS A (small) PROBLEM... I've been running boinc for some years - and on windows it's running fine - but as of recently I started running it on my raspberry pi ... And this little bugger now reports the nice ca certificate error for E@H and WCG ... the error started after I reinstalled the raspbian image and therefore had to install boinc anew. I did a quick google search which led me to an old error-report back in 2009 with the same errors - only that the offered ca-bundle.crt file obviously contains the now disabled certs - and can't be downloaded anymore ... Any hints what I can do? Or will it really fix over time ? Though it's kinda annoying seeing that error message for more than 2 weeks ... |
Joined: 29 Aug 05 Posts: 15634 |
I have forwarded this to the developers. But a question though, does Einstein use an HTTPS connection as well for their server communications? (I know all projects should start doing that soon, but don't know which are already doing it). |
Joined: 15 Feb 16 Posts: 7 |
Thanks for your reply. As for your question, I am not 100% sure - but out of my 14 projects only WCG and E@H complain about the ca certificate - so I assume both use https, while the others either don't - or are satisfied with the installed certificates, while those 2 aren't. I checked the file ca-bundle.crt and it contains dozens of certificates. I must admit, that I am not that pro with the raspi yet - but I installed the latest boinc directly from the raspbian repositories and I know that both projects used to be able to communicate before I recently had to rewrite the image and install boinc anew. |
Joined: 29 Aug 05 Posts: 15634 |
Unless the BOINC installed from the raspbian repositories is 7.6.22 or higher, it should contain the older ca-bundle.crt file with the certs still in it. If your ca-bundle.crt still has Verisign Class 3 Public Primary Certification Authority included, it's an older one. |
Joined: 6 Jul 10 Posts: 585 |
Thanks for your reply. Don't assume, check their forum, and then you'd have learned that HTTPS is/was enforced, now lifted to level TLS 1.2 https://secure.worldcommunitygrid.org/about_us/viewNewsArticle.do?articleId=462 . SHA2/SHA256 was already applied which essentially made older installs break, lest certain SSL files were back-ported manually, or installs upgraded to 7.2.47 or up. Coelum Non Animum Mutant, Qui Trans Mare Currunt |
Joined: 15 Feb 16 Posts: 7 |
Well, my boinc manager reports a client version of 7.4.23. I enabled some more debug messages and now it's clear - E@H wants to connect via https. I'll dig around some more and report back if I can solve the issue. Part of the issue seems to be the access rights to ca-bundle.crt and the path boinc expects that file... |
Joined: 6 Jul 10 Posts: 585 |
If I recollect correctly, there's an issue at Debian... a bug report was filed by Einstein [Christian Beer] in relation to the certificates problem. Don't know how that would impact Raspbian, but suppose there's proliferation of some kind. Coelum Non Animum Mutant, Qui Trans Mare Currunt |
Joined: 15 Feb 16 Posts: 7 |
Thanks for your hints, SakeRob2. Yes, I've read about Debian related trouble - part of the problem is that the /etc/ssl/certs directory belongs to root and all files in it as well - and ca-bundle.crt is a symlink to /etc/ssl/certs/ca-certificates.crt - and therefore likewise belongs to root while boinc runs under boinc:boinc. Though my first try with replacing the symlink with the "raw" file and making it accessible to boinc:boinc didn't work - boinc expects the file under CApath which directs to /etc/ssl/certs. I'll tinker around some more and report back. |
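An added example (not from the thread or the BOINC project) for the ownership question in the post above: it follows the ca-bundle.crt symlink and reports, per path component, whether a given account may search each directory and read the resolved file. It assumes plain Unix mode bits only (no ACLs or MAC policy); the function names are hypothetical and the bundle path is passed in by the caller.

```python
import os
import pwd
import sys

# Assumption: only classic mode bits are evaluated; ACLs/MAC policy are ignored.
def can(st, uid, gids, bit):
    """Unix owner/group/other rule for one mode bit (4 = read, 1 = search)."""
    if uid == 0:
        return True                       # root is not limited by these bits
    if st.st_uid == uid:
        return bool(st.st_mode & (bit << 6))
    if st.st_gid in gids:
        return bool(st.st_mode & (bit << 3))
    return bool(st.st_mode & bit)

def ancestors(path):
    """Every directory from / down to the parent of an absolute path."""
    out = [os.sep]
    for part in path.strip(os.sep).split(os.sep)[:-1]:
        out.append(os.path.join(out[-1], part))
    return out

def audit_bundle(path, uid, gids):
    """Rows of (component, needed, allowed) for the link's directory,
    the resolved target's directories, and the target file itself."""
    path = os.path.abspath(path)
    target = os.path.realpath(path)       # follow ca-bundle.crt -> real file
    link_dir = os.path.realpath(os.path.dirname(path))
    dirs = dict.fromkeys(ancestors(os.path.join(link_dir, "x")) + ancestors(target))
    rows = [(d, "search", can(os.stat(d), uid, gids, 1)) for d in dirs]
    rows.append((target, "read", can(os.stat(target), uid, gids, 4)))
    return rows

def first_block(rows):
    """First component the account cannot pass, or None if the path is clear."""
    return next((row for row in rows if not row[2]), None)

if __name__ == "__main__":
    # Usage: script.py /path/to/ca-bundle.crt [account]; "boinc" is the
    # account named in the thread, the bundle path is supplied by the caller.
    name = sys.argv[2] if len(sys.argv) > 2 else "boinc"
    acct = pwd.getpwnam(name)
    gids = set(os.getgrouplist(name, acct.pw_gid))
    for component, needed, allowed in audit_bundle(sys.argv[1], acct.pw_uid, gids):
        print("ok     " if allowed else "BLOCKED", needed, component)
```
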
Joined: 20 Nov 12 Posts: 801 |
This is a problem with Debian Jessie and Raspbian Jessie. See the threads at Einstein for more information and work-around: "Attention when updating Debian stable (Jessie)"; "Can't contact EAH Servers - Peer Certificate Cannot be Authenticated..." |
Joined: 15 Feb 16 Posts: 7 |
Thanks Juha - that really helped, but leaves some questions unanswered. I hope it will get better once we get raspbian from debian stretch on the pi |
Copyright © 2025 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.