On 31.07.21 at 21:00, Xi Ruoyao wrote:
> On Sat, 2021-07-31 at 19:56 +0200, Rainer Fiebig wrote:
>> On 31.07.21 at 17:40, Werner Koch wrote:
>>> On Thu, 29 Jul 2021 18:36, Andrew Gallagher said:
>>>
>>>> If you built gnupg from its default configuration, it does not
>>>> automatically look in /etc/ssl/certs for CA certificates. You may
>>>> want
>>>
>>> On Unix and unless gnupg was built with --with-default-trust-store-file
>>> the following collections of certificates are used for TLS:
>>>
>>>   { "/etc/ssl/ca-bundle.pem" },
>>>   { "/etc/ssl/certs/ca-certificates.crt" },
>>>   { "/etc/pki/tls/cert.pem" },
>>>   { "/usr/local/share/certs/ca-root-nss.crt" },
>>>   { "/etc/ssl/cert.pem" }
>>>
>
> Hi Werner,
>
> Our "recommended" configuration in BLFS is: gnutls is built with p11-kit
> and --with-default-trust-store-pkcs11="pkcs11:", and gnupg is built with
> gnutls. So gnupg "should" use certificates from p11-kit trust store I
> think? And it works for me.
>
> I saw your discussion with "curl". In BLFS curl uses OpenSSL instead of
> GnuTLS, so they actually have different trust stores. GnuTLS (using
> p11-kit) uses /etc/pki/anchors, OpenSSL uses /etc/ssl/certs.
>
> I remember once an unclean shutdown caused a similar issue on my system
> (/etc/pki/anchors is disrupted, and every program using GnuTLS just
> started to distrust every certificate).
>
> Hi Rainer,
>
> Try "gnutls-cli keys.openpgp.org". If it does not get into "Simple
> Client Mode" as expected, it means p11-kit trust store may be disrupted.
> Try "make-ca -f -g" to rebuild it.
>

Thanks. "gnutls-cli keys.openpgp.org" seems to work:

~> gnutls-cli keys.openpgp.org
Processed 145 CA certificate(s).
Resolving 'keys.openpgp.org:443'...
Connecting to '37.218.245.50:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
[...]
- Handshake was completed
- Simple Client Mode:
- Peer has closed the GnuTLS connection
~>

> And check if your p11-kit was built with
> -Dtrust_paths=/etc/pki/anchors as the BLFS book says. If not sure,
> rebuild it. (I can also remember once I've mistyped the path, this also
> caused every program using GnuTLS started to distrust every
> certificate.)
>

p11-kit was built with --with-trust-paths=/etc/pki/anchors which is in
accordance with BLFS-10.1. But I suppose that is equivalent to
-Dtrust_paths=/etc/pki/anchors ?

Anyway - I'll try "make-ca -f -g" and then re-build gnupg without
--with-default-trust-store-file=/etc/pki/tls/certs/ca-bundle.crt and
report back.

So long!

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
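As an added example that is not part of the thread, the POSIX sh script below checks the trust-store locations the discussion names (the bundle files GnuPG consults by default, plus the BLFS p11-kit anchor directory) and reports how many certificates each holds, since an empty or missing store is the "distrust every certificate" failure mode described above. The minimum-count threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or from GnuPG/GnuTLS.
# Report which candidate CA trust stores exist and how many
# certificates each contains; an empty store means TLS clients
# built against it will reject every peer certificate.

# Bundle files GnuPG consults when built without
# --with-default-trust-store-file (list quoted by Werner Koch above).
TRUST_BUNDLES="/etc/ssl/ca-bundle.pem
/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/cert.pem
/usr/local/share/certs/ca-root-nss.crt
/etc/ssl/cert.pem"

# Anchor directory used by GnuTLS via p11-kit in BLFS.
P11KIT_ANCHORS="/etc/pki/anchors"

# Count PEM certificates in a bundle; prints 0 for a missing or empty file.
count_pem_certs() {
    if [ -r "$1" ]; then
        grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Count files in a p11-kit anchor directory; prints 0 if it is absent.
count_anchor_files() {
    if [ -d "$1" ]; then
        find "$1" -type f | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Succeed only if the bundle holds at least MIN certificates (default 1).
bundle_ok() {
    n=$(count_pem_certs "$1")
    [ "$n" -ge "${2:-1}" ]
}

# Print one line per trust store with its certificate/file count.
report_trust_stores() {
    echo "$TRUST_BUNDLES" | while read -r f; do
        printf '%-45s %s cert(s)\n' "$f" "$(count_pem_certs "$f")"
    done
    printf '%-45s %s file(s)\n' "$P11KIT_ANCHORS" "$(count_anchor_files "$P11KIT_ANCHORS")"
}

report_trust_stores
```

Run it before and after "make-ca -f -g" to see whether the anchor directory and the bundle GnuPG was pointed at actually got repopulated.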