1)
Message boards :
News :
Migrating MilkyWay@home to a New Server
(Message 76570)
Posted 5 Nov 2023 by nickfolino Post:
[quote]Does anyone have a working answer to this problem? If so, I would love to hear it.[/quote]
Scroll up. I gave a solution.
Nick |
2)
Message boards :
Number crunching :
Thread to report issues after server migration
(Message 76569)
Posted 5 Nov 2023 by nickfolino Post:
[quote]Sounds like Windows is very sensible, why have two copies of the same thing?[/quote]
They're not the same thing. There are many reasons to keep them separate, spillage is the first one that pops into my head.
Nick |
3)
Message boards :
Number crunching :
Thread to report issues after server migration
(Message 76536)
Posted 4 Nov 2023 by nickfolino Post:
[quote]Does this mean that the valid certificate chain Firefox is supposed to have downloaded [from the MW site, I presumed] is actually a concoction constructed by Firefox? If so, fair enough (but a badly worded Firefox certificate information page!) and I'd be [vaguely] interested in how it does it. If that is the case, that would certainly explain why I couldn't make sense of the two very different certificate chains I could see![/quote]
I'll try to make it simple as I know it can be confusing. I'll use the MW certificate as an example.

MW was issued a certificate that was signed by an intermediate authority. The intermediate authority's certificate was signed by a trusted root authority. So the certificate chain for the MW site should have 3 certificates in it. The site cert, an intermediate cert, and a root cert. All three are presented to you when you go to the site.

The application you are using to get to the site then validates the chain. It looks at the site cert, sees it was signed by the intermediate, which was signed by the root. So the chain is verified.

The chain that MW is currently presenting has the site cert, then an intermediate that wasn't used to sign the site cert, then the root cert. It can't validate the chain because the intermediate cert isn't correct. But if you tell your app to trust the correct intermediate and root all will be good.

Web browsers already have these certs in their cert store so they don't break. Windows, being Windows, uses the same cert store for the OS and the browser, which is why those clients aren't having problems as they already have the certs in their cert store.

Hope that helps.
Nick |
4)
Message boards :
Number crunching :
Thread to report issues after server migration
(Message 76528)
Posted 3 Nov 2023 by nickfolino Post:
[quote]P.S. I will not be patching my certificate store :-)[/quote]
It's not a patch. The cert store holds certificates that you trust. In order for you to trust the certificate given to you by the milkyway site, you must trust the issuer of that certificate. Certificates presented by websites generally contain a chain of certificates that link back to a "trusted" root.

In the case of the new certificate being presented by milkyway, the certificate chain was not built correctly. The 2nd certificate in their chain is not the correct one. Web browsers come by default with many trusted root certificates, which is why your browser isn't complaining about the new site.

The 2 certificates I posted are the correct ones that properly complete the security chain. It basically makes your OS trust their new cert just as your browser does because they complete the trusted chain.
Nick |
5)
Message boards :
News :
Migrating MilkyWay@home to a New Server
(Message 76513)
Posted 3 Nov 2023 by nickfolino Post: There's a problem with the certificate chain on the new server. If you want to get up and going before they get it replaced drop these 2 certs into your machine cert-store. Nick |
6)
Message boards :
Number crunching :
Thread to report issues after server migration
(Message 76503)
Posted 3 Nov 2023 by nickfolino Post: Ahhhh... The second cert in the chain is not correct. The server cert is signed by:
C = US, O = Internet2, CN = InCommon RSA Server CA 2
But the chain has:
C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
Nick |
7)
Message boards :
Number crunching :
Thread to report issues after server migration
(Message 76501)
Posted 2 Nov 2023 by nickfolino Post:
[quote]Looks like the issue is the server is not sending the full certificate chain.[/quote]
I see the full chain. Try this:
openssl s_client -connect milkyway-new.cs.rpi.edu:443 -showcerts
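An added example, not part of the original posts or of the BOINC or MilkyWay code: a Python check that reads the "Certificate chain" section of `openssl s_client -showcerts` output and reports each place where a certificate's issuer is not the subject of the next certificate sent, which is the mismatch described in the posts above. The sample output is constructed; only the host name and the two InCommon names come from the thread, and the function names are this example's own.

```python
import re

# Constructed sample in the layout of `openssl s_client -showcerts` output
# (PEM bodies left out). The issuer of cert 0 and the subject of cert 1 are
# the two names quoted in the thread; the remaining names are illustrative.
SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = milkyway-new.cs.rpi.edu
   i:C = US, O = Internet2, CN = InCommon RSA Server CA 2
 1 s:C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
---
Server certificate
"""

ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:<subject>"
ISSUER = re.compile(r"^\s+i:(.*)$")        # "   i:<issuer>"


def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' block."""
    chain, in_block = [], False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_block = True
        elif in_block and line.strip() == "Server certificate":
            break
        elif in_block and (m := ENTRY.match(line)):
            chain.append([int(m.group(1)), m.group(2).strip(), None])
        elif in_block and chain and (m := ISSUER.match(line)):
            chain[-1][2] = m.group(1).strip()
    return [tuple(c) for c in chain]


def find_breaks(chain):
    """Return (depth, issuer_wanted, subject_sent) wherever name chaining fails.

    This compares names only. A real validator also verifies each signature,
    the validity period and the CA constraints, so a clean result here does
    not prove the chain is valid; a break does show the wrong cert was sent.
    """
    return [(depth, issuer, nxt[1])
            for (depth, _subject, issuer), nxt in zip(chain, chain[1:])
            if issuer != nxt[1]]


if __name__ == "__main__":
    for depth, wanted, sent in find_breaks(parse_chain(SAMPLE)):
        print(f"cert {depth} needs issuer [{wanted}] but next cert is [{sent}]")
```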
8)
Message boards :
Number crunching :
Thread to report issues after server migration
(Message 76498)
Posted 2 Nov 2023 by nickfolino Post: I updated client/http_curl.cpp to not check for a valid cert and it now works. Not the best solution, but it has me back up for now. Nick |
9)
Message boards :
Number crunching :
Thread to report issues after server migration
(Message 76497)
Posted 2 Nov 2023 by nickfolino Post: I can see in Wireshark the "Unknown CA" error reported by Al. If you can point me to the location of the cert in the source I can try and replace it and see if it works. Nick |
10)
Message boards :
Number crunching :
Thread to report issues after server migration
(Message 76495)
Posted 2 Nov 2023 by nickfolino Post:
Nov 02 17:33:46 inspiron.folino.us boinc[209154]: 02-Nov-2023 17:33:46 [---] Fetching configuration file from https://milkyway-new.cs.rpi.edu/milkyway/get_project_config.php
Nov 02 17:33:47 inspiron.folino.us boinc[209154]: 02-Nov-2023 17:33:47 [---] Project communication failed: attempting access to reference site
Nov 02 17:33:49 inspiron.folino.us boinc[209154]: 02-Nov-2023 17:33:49 [---] Internet access OK - project servers may be temporarily down.
Nick |
11)
Message boards :
Number crunching :
Thread to report issues after server migration
(Message 76491)
Posted 2 Nov 2023 by nickfolino Post: I compiled the new 7.25.0 client on a few Linux servers and still cannot connect to the new server. Nick |
©2024 Astroinformatics Group