On 28.07.21 at 21:38, Ingo Klöcker wrote:
> On Wednesday, 28 July 2021 18:38:07 CEST Rainer Fiebig via Gnupg-users wrote:
>> On 28.07.21 at 17:42, Andrew Gallagher wrote:
>>> On 28/07/2021 15:19, Rainer Fiebig via Gnupg-users wrote:
>>>> 2021-07-28 16:06:50 dirmngr[4135.6] Fehler beim Verbinden mit
>>>> 'https://keys.openpgp.org:443': Fehlendes Herausgeberzertifikat in der
>>>> Kette
>>>> 2021-07-28 16:06:50 dirmngr[4135.6] command 'KS_SEARCH' failed:
>>>> Fehlendes Herausgeberzertifikat in der Kette
>>>> 2021-07-28 16:06:50 dirmngr[4135.6] Handhabungsroutine für den fd 6
>>>> beendet
>>>
>>> "Fehlendes Herausgeberzertifikat in der Kette" translates as "Missing
>>> publisher certificate in the chain", is that correct?
>>
>> Correct.
>>
>>> keys.openpgp.org uses LetsEncrypt as their TLS CA. Can you connect to
>>> other keyservers that also use LetsEncrypt? For example, pgpkeys.eu uses
>>> the same intermediate certificate (LetsEncrypt R3) as keys.openpgp.org.
>>
>> This works:
>>
>> ~> gpg --keyserver pgpkeys.eu --search-keys
>> E3FF2839C048B25C084DEBE9B26995E310250568
>> gpg: enabled debug flags: memstat
>> gpg: data source: http://pgpkeys.eu:11371
>> (1) Łukasz Langa (GPG langa.pl) <luk...@langa.pl>
>> Łukasz Langa <luk...@edgedb.com>
>> Łukasz Langa <luk...@python.org>
>> Łukasz Langa (Work e-mail account) <a...@fb.com>
>> 4096 bit RSA key B26995E310250568, erzeugt: 2015-05-11
>> Keys 1-1 of 1 for "E3FF2839C048B25C084DEBE9B26995E310250568". Eingabe
>> von Nummern, Nächste (N) oder Abbrechen (Q)
>
> Doesn't use TLS. Just plain HTTP.
>
>> Each of these lines in dirmngr.conf also work:
>> keyserver http://keys2.andreas-puls.de/
>> keyserver http://pgpkeys.eu/
>
> Ditto. Since your problems seem to be related to TLS it's not really
> surprising that keyservers not using https work.

At least I now know that such keyservers still exist. ;)

> Does 'gpg --keyserver hkps://pgpkeys.eu --search-keys ...' work for you?

No, same output as reported initially.

> What does 'curl -v https://keys.openpgp.org' say?

~> curl --max-filesize 10000 -v https://keys.openpgp.org
*   Trying 37.218.245.50:443...
* Connected to keys.openpgp.org (37.218.245.50) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: none
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=keys.openpgp.org
*  start date: Jul 26 04:32:08 2021 GMT
*  expire date: Oct 24 04:32:06 2021 GMT
*  subjectAltName: host "keys.openpgp.org" matched cert's "keys.openpgp.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: keys.openpgp.org
> User-Agent: curl/7.77.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.14.2
< Date: Thu, 29 Jul 2021 07:20:26 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 1761
< Connection: keep-alive
< Vary: Accept-Encoding
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Referrer-Policy: no-referrer-when-downgrade
< Content-Security-Policy: default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'; report-uri https://keysopenpgporg.report-uri.com/r/d/csp/enforce
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Expect-CT: max-age=31536000, report-uri="https://keysopenpgporg.report-uri.com/r/d/ct/reportOnly"
< alt-svc: h2="zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion:443"; ma=86400; persist=1
<
<!doctype html>
[..]

Looks OK to me. The Let's Encrypt certificate is recognized and verified.
Or what do you think?

> Regards,
> Ingo

Thanks for your help!

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
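A chain check that separates the two causes behind an error like the one in this thread (the server not sending the intermediate versus the client's trust store lacking the root), added here as an example and not part of the thread or of GnuPG: it dumps the certificates a server presents, prints each subject/issuer pair in wire order, and verifies the leaf against a CA store with openssl. It assumes openssl is on PATH; the host, port and CA store (defaulting to /etc/ssl/certs, the CApath curl reported above) are assumptions passed through the CHECK_HOST, CHECK_PORT and CA_STORE environment variables.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Assumes openssl is installed; the
# host, port and CA store (default: /etc/ssl/certs, the CApath curl used)
# come from the CHECK_HOST, CHECK_PORT and CA_STORE environment variables.

# Split a PEM bundle into DIR/cert01.pem, cert02.pem, ... and print the count.
split_pem() {  # split_pem BUNDLE DIR
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        n { print > f }
        /-----END CERTIFICATE-----/ { close(f) }
        END { print n + 0 }' "$1"
}

# Print subject and issuer of each presented certificate, in wire order.
# If the leaf's issuer (e.g. "CN = R3") matches no later subject, the server
# did not send the intermediate; if it does, the missing link is the root.
describe_chain() {  # describe_chain DIR
    for c in "$1"/cert*.pem; do
        openssl x509 -in "$c" -noout -subject -issuer | tr '\n' ' '
        echo
    done
}

# Verify cert01 (the leaf) with all presented certificates as untrusted
# intermediates and CA (hashed directory or PEM file) as the trust anchor.
# openssl reports a broken link as "unable to get local issuer certificate".
verify_leaf() {  # verify_leaf DIR CA
    if [ -d "$2" ]; then caopt=-CApath; else caopt=-CAfile; fi
    cat "$1"/cert*.pem > "$1/untrusted.pem"
    openssl verify "$caopt" "$2" -untrusted "$1/untrusted.pem" "$1/cert01.pem"
}

# Fetch the chain a server presents on PORT, sending HOST via SNI.
fetch_chain() {  # fetch_chain HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$3"
}

# Live run only when CHECK_HOST is set, e.g.
#   CHECK_HOST=keys.openpgp.org CA_STORE=/etc/ssl/certs sh check_chain.sh
if [ -n "${CHECK_HOST:-}" ]; then
    work=$(mktemp -d)
    fetch_chain "$CHECK_HOST" "${CHECK_PORT:-443}" "$work/bundle.pem"
    echo "certificates presented: $(split_pem "$work/bundle.pem" "$work")"
    describe_chain "$work"
    verify_leaf "$work" "${CA_STORE:-/etc/ssl/certs}"
fi
```

Pointing CA_STORE at the directory dirmngr actually trusts (rather than the one curl uses) makes the verify step reproduce what dirmngr sees.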