Yes, this is the reason that this is showing up on these systems relatively early. Mozilla stopped trusting the CA cert in question ("Thawte Premium Server CA" issued in 1996) in Jan 2015, since 1024 bit RSA is no longer considered secure (see: https://blog.mozilla.org/security/2014/09/08/...s-with-1024-bit-rsa-keys/ ), and Debian has followed suit.

Point of Trivia - since this particular Thawte CA was issued back in 1996, this would have been during the time that Thawte was still being run by founder Mark Shuttleworth (not sure if it had moved out of his parents' garage by that point?).

Mark later used part of the proceeds of the sale of Thawte to found the Ubuntu Linux distribution... Ubuntu is based on Debian, and so will probably be phasing out trusting this CA shortly too (but doesn't seem to have done-so already).

More detail and workaround: https://www.worldcommunitygrid.org/forums/wcg/viewthread_thread,38800

Thank you for your explanation. I have successfully used the work-around in the thread you linked to for uploading the results I already had waiting.
I have reverted the work-around as I do not know whether it affects the trust for other boinc-projects, so my computer will crunch on other projects until WGC gets a new and trusted certificate.

I can confirm boinc on Debian uses the system certificates rather than those that come with the boinc package:
/var/lib/boinc-client$ ls -l ca-bundle.crt
lrwxrwxrwx 1 boinc boinc 34 sep 19 2009 ca-bundle.crt -> /etc/ssl/certs/ca-certificates.crt

This is effecting me also. Very frustrating! The work around worked thankfully though as you say, they really should be upgrading their certificate.

Just came to the same conclusion regarding alternative certificate validation paths, sorry for the noise...

Here are some possible solutions/workarounds:

. Manually add the 1024 bit RSA key to ca-bundle.crt as above (the debug output indicates that the boinc client searches both this and /etc/ssl/certs, so it shouldn't impact other SSL connections as far as I can tell.

CAfile: ca-bundle.crt
Mon 01 Feb 2016 09:34:16 GMT | World Community Grid | [http] [ID#18] Info: CApath: /etc/ssl/certs

. Use a newer Debian e.g. 9.0 Stretch (currently in testing) with openssl 1.0.2f does support alternative validation paths - you can perhaps just run boinc under this alone using a container or schroot etc.

. The server admins install alternative SSL server certs which don't have this issue (although maintaining compatibility with older releases may be an issue unless they (ab)use round robin DNS to have multiple different SSL setups on different IP addresses - the boinc client retry should mean that the client eventually hits a compatible upload server.

Tim.