[pkg-gnupg-maint] Bug#923482: dirmngr HKPS fails due to poorly configured certificates on *.pool.sks-keyservers.net

Jim Popovitch jimpop at domainmail.org
Thu Feb 28 19:51:07 GMT 2019



Package: dirmngr
Version: 2.1.18-8~deb9u4

When a client uses HKPS keyservers, dirmngr fails hard due to TLS
certificate validation errors:

2019-02-28 14:35:17 dirmngr[2155] listening on socket '/run/user/1000/gnupg/S.dirmngr'
2019-02-28 14:35:17 dirmngr[2156.0] permanently loaded certificates: 0
2019-02-28 14:35:17 dirmngr[2156.0]     runtime cached certificates: 0
2019-02-28 14:35:18 dirmngr[2156.6] handler for fd 6 started
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 -> # Home: /home/jimpop/.gnupg
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 -> # Config: /home/jimpop/.gnupg/dirmngr.conf
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 -> OK Dirmngr 2.1.18 at your service
2019-02-28 14:35:18 dirmngr[2156.6] connection from process 2153 (1000:1000)
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 <- GETINFO version
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 -> D 2.1.18
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 -> OK
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 <- KEYSERVER --clear hkps://ha.pool.sks-keyservers.net
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 -> OK
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 <- KEYSERVER
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 -> S KEYSERVER hkps://ha.pool.sks-keyservers.net
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 -> OK
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 <- KEYSERVER --clear hkps://ha.pool.sks-keyservers.net
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 -> OK
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 <- KS_GET --quick -- 0xF4B8B79CC372FBE38580F4C241EED2521FD6B2CA
2019-02-28 14:35:19 dirmngr[2156.6] resolve_dns_addr for 'ha.pool.sks-keyservers.net': '192.146.137.99'
2019-02-28 14:35:19 dirmngr[2156.6] resolve_dns_addr for 'ha.pool.sks-keyservers.net': '192.146.137.98'
2019-02-28 14:35:19 dirmngr[2156.6] resolve_dns_addr for 'ha.pool.sks-keyservers.net': '178.32.66.144'
2019-02-28 14:35:19 dirmngr[2156.6] resolve_dns_addr for 'ha.pool.sks-keyservers.net': '46.4.246.179'
2019-02-28 14:35:19 dirmngr[2156.6] resolve_dns_addr for 'ha.pool.sks-keyservers.net': '37.191.231.105'
2019-02-28 14:35:19 dirmngr[2156.6] number of system provided CAs: 151
2019-02-28 14:35:20 dirmngr[2156.6] TLS verification of peer failed: hostname does not match
2019-02-28 14:35:20 dirmngr[2156.6] DBG: expected hostname: ha.pool.sks-keyservers.net
2019-02-28 14:35:20 dirmngr[2156.6] DBG: BEGIN Certificate 'server[0]':
2019-02-28 14:35:20 dirmngr[2156.6] DBG:      serial: 031DA3EEAFB1931E9D70695C4F75EB13B412
2019-02-28 14:35:20 dirmngr[2156.6] DBG:   notBefore: 2019-01-06 14:13:25
2019-02-28 14:35:20 dirmngr[2156.6] DBG:    notAfter: 2019-04-06 14:13:25
2019-02-28 14:35:20 dirmngr[2156.6] DBG:      issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
2019-02-28 14:35:20 dirmngr[2156.6] DBG:     subject: CN=sks.mj2.uk
2019-02-28 14:35:20 dirmngr[2156.6] DBG:         aka: (8:dns-name10:sks.mj2.uk)
2019-02-28 14:35:20 dirmngr[2156.6] DBG:   hash algo: 1.2.840.113549.1.1.11
2019-02-28 14:35:20 dirmngr[2156.6] DBG:   SHA1 fingerprint: E9AF92BDFE5ACBEC36630FA51ABCBF18B7E42E7A
2019-02-28 14:35:20 dirmngr[2156.6] DBG: END Certificate
2019-02-28 14:35:20 dirmngr[2156.6] DBG: BEGIN Certificate 'server[1]':
2019-02-28 14:35:20 dirmngr[2156.6] DBG:      serial: 0A0141420000015385736A0B85ECA708
2019-02-28 14:35:20 dirmngr[2156.6] DBG:   notBefore: 2016-03-17 16:40:46
2019-02-28 14:35:20 dirmngr[2156.6] DBG:    notAfter: 2021-03-17 16:40:46
2019-02-28 14:35:20 dirmngr[2156.6] DBG:      issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2019-02-28 14:35:20 dirmngr[2156.6] DBG:     subject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
2019-02-28 14:35:20 dirmngr[2156.6] DBG:   hash algo: 1.2.840.113549.1.1.11
2019-02-28 14:35:20 dirmngr[2156.6] DBG:   SHA1 fingerprint: E6A3B45B062D509B3382282D196EFE97D5956CCB
2019-02-28 14:35:20 dirmngr[2156.6] DBG: END Certificate
2019-02-28 14:35:20 dirmngr[2156.6] TLS connection authentication failed: General error
2019-02-28 14:35:20 dirmngr[2156.6] error connecting to 'https://178.32.66.144:443': General error
2019-02-28 14:35:20 dirmngr[2156.6] command 'KS_GET' failed: General error <Unspecified source>

There are multiple ways to resolve this (use HKP instead of HKPS, etc.),
but the best way is for *.pool.sks-keyservers.net to fix their TLS
certificates.


Debian/Stretch
Linux host 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux
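An added diagnostic to go with the report above (it is not part of the bug report or of GnuPG): it pulls the expected hostname and the leaf certificate's names out of dirmngr's debug output, decodes the canonical S-expression form dirmngr prints for subjectAltName ("(8:dns-name10:sks.mj2.uk)"), and applies an RFC 6125 style comparison, which also shows that a wildcard "*.pool.sks-keyservers.net" entry on the pool members' certificates would have satisfied the check. The log excerpt and the function names are constructed here.

```python
import re

# Constructed excerpt of the dirmngr debug log from the report (lines re-joined).
LOG = """\
2019-02-28 14:35:20 dirmngr[2156.6] TLS verification of peer failed: hostname does not match
2019-02-28 14:35:20 dirmngr[2156.6] DBG: expected hostname: ha.pool.sks-keyservers.net
2019-02-28 14:35:20 dirmngr[2156.6] DBG: BEGIN Certificate 'server[0]':
2019-02-28 14:35:20 dirmngr[2156.6] DBG:     subject: CN=sks.mj2.uk
2019-02-28 14:35:20 dirmngr[2156.6] DBG:         aka: (8:dns-name10:sks.mj2.uk)
2019-02-28 14:35:20 dirmngr[2156.6] DBG: END Certificate
"""


def parse_sexp_names(s):
    """Return the dNSName values in a canonical S-expression such as
    '(8:dns-name10:sks.mj2.uk)'.  Each token is '<length>:<bytes>'."""
    names, i = [], 0
    while i < len(s):
        if s[i] == '(':
            items, i = [], i + 1
            while i < len(s) and s[i] != ')':
                colon = s.index(':', i)
                length = int(s[i:colon])
                items.append(s[colon + 1:colon + 1 + length])
                i = colon + 1 + length
            if len(items) == 2 and items[0] == 'dns-name':
                names.append(items[1].lower())
        i += 1
    return names


def hostname_matches(expected, name):
    """RFC 6125 style check: exact match, or a single leading '*' label that
    stands for exactly one label (so '*.pool.sks-keyservers.net' covers
    'ha.pool.sks-keyservers.net' but not 'sks-keyservers.net')."""
    expected, name = expected.lower().rstrip('.'), name.lower().rstrip('.')
    if name == expected:
        return True
    if name.startswith('*.'):
        el, nl = expected.split('.'), name.split('.')
        return len(el) == len(nl) and len(nl) > 2 and el[1:] == nl[1:]
    return False


def diagnose(log):
    """Compare the expected hostname with the leaf cert's SAN entries; the
    CN is reported for information only, since validation uses the SAN."""
    expected = re.search(r'DBG: expected hostname: (\S+)', log).group(1)
    leaf = log.split("BEGIN Certificate 'server[0]'")[1].split('END Certificate')[0]
    m = re.search(r'subject: .*?CN=([^,\n]+)', leaf)
    names = [n for aka in re.findall(r'aka: (\(.*\))', leaf) for n in parse_sexp_names(aka)]
    matched = [n for n in names if hostname_matches(expected, n)]
    return {'expected': expected, 'cn': m.group(1).strip().lower() if m else None,
            'san': names, 'matched': matched}
```

Run against the excerpt it reports an empty `matched` list, which is exactly the "hostname does not match" condition dirmngr logged.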
