Forum: help-en

Monitor Forum | Start New Thread Start New Thread
RE: Initial setup for lookup on server [ Reply ]
By: Bernhard Reiter on 2022-02-22 07:54
[forum:8281]
Something is at odds here. Let us all follow up in https://dev.gnupg.org/T5639.

RE: Initial setup for lookup on server [ Reply ]
By: Kim Nilsson on 2022-02-21 14:00
[forum:8279]
I have the two LetsEncrypt root certificates.
Both self-signed, and AFIK I don't locally have the ISRG Root X1 which is issued by the expired DST Root CA X3 cert. The one that dirmngr keeps referring to.

I have looked in all the folders inside certificate manager for both the computer and user. I only have those two self-signed root certs. I don't know where else to look.

RE: Initial setup for lookup on server [ Reply ]
By: Kim Nilsson on 2022-02-21 13:53
[forum:8278]
Here it is said that recent gpg4win or gnupg shouldn't have this problem.
https://dev.gnupg.org/T5639#153249

But the log is obviously showing that dirmngr is using the wrong certificate chain to base is validity decision on.

Earlier today I re-installed 2.3.4 after verifying that all gpg related processes were dead.
afaik there is no other dirmngr on my system.
It recognises changes in the conf.
When I check the path of dirmngr.exe in TaskMan it's the correct one, from 2021-12-20.

RE: Initial setup for lookup on server [ Reply ]
By: Kim Nilsson on 2022-02-21 11:06
[forum:8277]
Oh, I tried removing the old DST Root CA X3 from trusted CAs, but something seems to pull it back in.

I thought I could remove it and reboot, and dirmngr would stop referring to it, but since something is pulling back into the trusted CAs, that's not going to work.

I instead ran an sslabs text on keyserver.ubuntu.com and it turns out they still have the old DST Root CA X3 certificate as part of the certificate chain.

Not all apps are able to overlook that one of the cert paths is invalid. Discussed here.
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

I tried #1, which it seems I'm not able to, as the certificate is automatically reinstated.
#2 & #3 I think are out of my hands.

RE: Initial setup for lookup on server [ Reply ]
By: Kim Nilsson on 2022-02-21 09:44
[forum:8276]
So, is there something I can do?
Import some extra LetsEncrypt certificate?

I'm fairly sure I did do something back when LE revoked their old certs. Not related to gpg, but to make websites work properly.

RE: Initial setup for lookup on server [ Reply ]
By: Kim Nilsson on 2022-02-21 09:42
[forum:8275]
tls-debug 4

2022-02-21 10:41:28 dirmngr[23236] listening on socket 'C:\\Users\\Kim\\AppData\\Local\\gnupg\\S.dirmngr'
2022-02-21 10:41:28 dirmngr[23236] permanently loaded certificates: 180
2022-02-21 10:41:28 dirmngr[23236] runtime cached certificates: 0
2022-02-21 10:41:28 dirmngr[23236] trusted certificates: 180 (180,0,0,0)
2022-02-21 10:41:28 dirmngr[23236] handler for fd 720 started
2022-02-21 10:41:28 dirmngr[23236] resolve_dns_addr for 'keyserver.ubuntu.com': '162.213.33.9'
2022-02-21 10:41:28 dirmngr[23236] resolve_dns_addr for 'keyserver.ubuntu.com': '162.213.33.8'
2022-02-21 10:41:28 dirmngr[23236] detected interfaces: IPv4
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): handshake
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): client state: 0 (hello_request)
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): flush output
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): client state: 1 (client_hello)
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): flush output
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): write client_hello
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, max version: [3:3]
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, current time: 1645436488
2022-02-21 10:41:28 dirmngr[23236] DBG: client_hello, random bytes: 62135e4810234c070d9e6be9d2bb4d0188dea1a0a066e7182b80b2508da2b891
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, session id len.: 0
2022-02-21 10:41:28 dirmngr[23236] DBG: client_hello, session id:
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, got 78 ciphersuites
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, compress len.: 2
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, compress alg.: 1 0
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, adding server name extension: 'keyserver.ubuntu.com'
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, adding signature_algorithms extension
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client hello, adding supported_elliptic_curves extension
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client hello, adding supported_point_formats extension
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, adding session ticket extension
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, total extension length: 83
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): write record
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): output record: msgtype = 22, version = [3:3], msglen = 285
2022-02-21 10:41:28 dirmngr[23236] DBG: output record sent to network: 160303011d01000119030362135e4810234c070d9e6be9d2bb4d0188dea1a0a0 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 66e7182b80b2508da2b89100009c00ffc030009fc028006bc0140039c08bc07d \
2022-02-21 10:41:28 dirmngr[23236] DBG: c07700c40088c02f009ec0270067c0130033c08ac07cc07600be0045c0120016 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 00abc03800b3c0360091c091c09bc09700aac03700b2c0350090c090c096c09a \
2022-02-21 10:41:28 dirmngr[23236] DBG: c034008f009d003d0035c07b00c00084009c003c002fc07a00ba0041000a00ad \
2022-02-21 10:41:28 dirmngr[23236] DBG: 00b70095c093c09900ac00b60094c092c098009300a900af008dc08fc09500a8 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 00ae008cc08ec094008b02010000530000001900170000146b65797365727665 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 722e7562756e74752e636f6d000d001600140601050104010301020106030503 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 040303030203000a000e000c001700180019001a001b001c000b000201000023 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 0000
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): flush output
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): message length: 290, out_left: 290
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): es_write returned: success
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): client state: 2 (server_hello)
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): flush output
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): read server_hello
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): read record
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): fetch input
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): in_left: 0, nb_want: 5
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): es_read returned: success
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): input record: msgtype = 22, version = [3:3], msglen = 65
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): fetch input
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): in_left: 5, nb_want: 70
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): es_read returned: success
2022-02-21 10:41:28 dirmngr[23236] DBG: input record from network: 16030300410200003d0303d04f2c342d24a3f7cbaebf4c401f6d40d05454fb35 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 2c939a444f574e4752440100c02f000015ff0100010000000000000b00040300 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 010200230000
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): handshake message: msglen = 65, type = 2, hslen = 65
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(1): server_hello, chosen version: [3:3]
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): server_hello, current time: 3494849588
2022-02-21 10:41:28 dirmngr[23236] DBG: server_hello, random bytes: d04f2c342d24a3f7cbaebf4c401f6d40d05454fb352c939a444f574e47524401
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): server_hello, session id len.: 0
2022-02-21 10:41:28 dirmngr[23236] DBG: server_hello, session id:
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): no session has been resumed
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(1): server_hello, chosen ciphersuite: 49199 (TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256)
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): server_hello, compress alg.: 0
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): server_hello, total extension length: 21
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): found renegotiation extension
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): unknown extension found: 0 (ignoring)
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): found supported_point_formats extension
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(4): point format selected: 0
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): found session_ticket extension
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): client state: 3 (server_certificate)
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): flush output
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): read certificate
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): read record
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): fetch input
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): in_left: 0, nb_want: 5
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): es_read returned: success
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): input record: msgtype = 22, version = [3:3], msglen = 4056
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): fetch input
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): in_left: 5, nb_want: 4061
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): es_read returned: success
2022-02-21 10:41:28 dirmngr[23236] DBG: input record from network: 1603030fd80b000fd4000fd100054a308205463082042ea003020102021204cc \
2022-02-21 10:41:28 dirmngr[23236] DBG: 227c37c5112c6c1b538b751a18451bf6300d06092a864886f70d01010b050030 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 32310b300906035504061302555331163014060355040a130d4c657427732045 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 6e6372797074310b3009060355040313025233301e170d323131323235303332 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 3033365a170d3232303332353033323033355a3020311e301c06035504031315 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 686f636b65797075636b2e7562756e74752e636f6d30820122300d06092a8648 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 86f70d01010105000382010f003082010a0282010100ae8f24debd5f4c678c7b \
2022-02-21 10:41:28 dirmngr[23236] DBG: 940e67989a4309373a2506ee3a4bee1eb5c714a7db3732e177fe95b172664806 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 48340d7ddb33ecb0ee59ef6194ac56db62fd0e2d1e969fae23a15aab3c3bf501 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 7ee200537e69a99556754b009a62975d036ee193baa7c414a694e29e08f33bff \
2022-02-21 10:41:28 dirmngr[23236] DBG: 6f849bc046c9e6f343ee3e7844c1b189b7fc20483538a023f745698847eadb7f \
2022-02-21 10:41:28 dirmngr[23236] DBG: 83d41397ebb2e32939126b2f42719c83f97633813fe67dc4c6b983730f207df6 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 1db1fe77867e60103294472695f4e9b0167b781d3d61ceb492b4ee8a964e1e37 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 57e43db31f84ddd734a73ca24c66c212b11b5fbfca2edabf73cb71325d3a4d16 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 432d94e24051c1a571094a45019accd35f44c252e4c90203010001a382026630 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 820262300e0603551d0f0101ff0404030205a0301d0603551d25041630140608 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 2b0601050507030106082b06010505070302300c0603551d130101ff04023000 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 301d0603551d0e04160414aff96c679324c7c0367aa3ddabdb762e4363b55430 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 1f0603551d23041830168014142eb317b75856cbae500940e61faf9d8b14c2c6 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 305506082b0601050507010104493047302106082b0601050507300186156874 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 74703a2f2f72332e6f2e6c656e63722e6f7267302206082b0601050507300286 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 16687474703a2f2f72332e692e6c656e63722e6f72672f30360603551d11042f \
2022-02-21 10:41:28 dirmngr[23236] DBG: 302d8215686f636b65797075636b2e7562756e74752e636f6d82146b65797365 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 727665722e7562756e74752e636f6d304c0603551d2004453043300806066781 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 0c0102013037060b2b0601040182df130101013028302606082b060105050702 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 01161a687474703a2f2f6370732e6c657473656e63727970742e6f7267308201 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 04060a2b06010401d6790204020481f50481f200f000770041c8cab1df22464a \
2022-02-21 10:41:28 dirmngr[23236] DBG: 10c6a13a0942875e4e318b1b03ebeb4bc768f090629606f60000017defd1af87 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 0000040300483046022100a23361bb24840826e61cf5f04998f902bedd044e29 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 543669d7ad6bb34cb3864902210093467e2402f3e676cd4fe7bb7db884b9ebf0 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 76b3a13f802015b47002ae45c8b600750046a555eb75fa912030b5a28969f4f3 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 7d112c4174befd49b885abf2fc70fe6d470000017defd1af9b00000403004630 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 440220776cbbf77f65f8fc74953d339594070ce7b82b89f9be51580bf033c8a0 \
2022-02-21 10:41:28 dirmngr[23236] DBG: acc72d02207c626dfd7adf5fe95e8a438c12f4b65f4765b568620e52e6e5e57a \
2022-02-21 10:41:28 dirmngr[23236] DBG: 2a9f582bf7300d06092a864886f70d01010b05000382010100b207f1c41e998d \
2022-02-21 10:41:28 dirmngr[23236] DBG: 0a84022a3bbac7e4e6e3fc24de43b446fefc5ec5a8835de05d2c5c84c7e69369 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 932e2ff5eb59bff8f21b05342ecfbeecd62f65c25c6a12cf6cf721e6664eac00 \
2022-02-21 10:41:28 dirmngr[23236] DBG: c3399fd91246fb6239d5a74c8d320dacd70c8b7709ba53c97b20d809897a5822 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 991c3944e44a840b037a4ac64c527077ca3a0bc7834129d8cd0f4913f7e9e00d \
2022-02-21 10:41:28 dirmngr[23236] DBG: 952ae8432ead670004fd75e3e99c33df29c56ce6c548ea1605116158eccda5b2 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 48154bf6f6dd70af903bb19d110fddef7f95d8800f23f94742ef5f7a71794490 \
2022-02-21 10:41:28 dirmngr[23236] DBG: ff2899e71fb124fff4431755f4c75fd6f6a338cee86d88338eabfc3c6513fe9e \
2022-02-21 10:41:28 dirmngr[23236] DBG: c177ac89bcd21457ec1669741943a05fc99bed37e4544f7e3300051a30820516 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d0609 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 2a864886f70d01010b0500304f310b3009060355040613025553312930270603 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 55040a1320496e7465726e657420536563757269747920526573656172636820 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 47726f7570311530130603550403130c4953524720526f6f74205831301e170d \
2022-02-21 10:41:28 dirmngr[23236] DBG: 3230303930343030303030305a170d3235303931353136303030305a3032310b \
2022-02-21 10:41:28 dirmngr[23236] DBG: 300906035504061302555331163014060355040a130d4c6574277320456e6372 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 797074310b300906035504031302523330820122300d06092a864886f70d0101 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 0105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592 \
2022-02-21 10:41:28 dirmngr[23236] DBG: c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f47941455 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 35578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f0 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 5a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34 \
2022-02-21 10:41:28 dirmngr[23236] DBG: c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b \
2022-02-21 10:41:28 dirmngr[23236] DBG: 8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da \
2022-02-21 10:41:28 dirmngr[23236] DBG: 715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318 \
2022-02-21 10:41:28 dirmngr[23236] DBG: ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851d \
2022-02-21 10:41:28 dirmngr[23236] DBG: a169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e \
2022-02-21 10:41:28 dirmngr[23236] DBG: 0603551d0f0101ff040403020186301d0603551d250416301406082b06010505 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 07030206082b0601050507030130120603551d130101ff040830060101ff0201 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 00301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b \
2022-02-21 10:41:28 dirmngr[23236] DBG: 6e303206082b0601050507010104263024302206082b06010505073002861668 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 7474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e \
2022-02-21 10:41:28 dirmngr[23236] DBG: 301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f3022 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 0603551d20041b30193008060667810c010201300d060b2b0601040182df1301 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 0101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485 \
2022-02-21 10:41:28 dirmngr[23236] DBG: bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b7 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 6e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e665 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 6e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b823 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 7b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79 \
2022-02-21 10:41:28 dirmngr[23236] DBG: c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a0 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 1d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e \
2022-02-21 10:41:28 dirmngr[23236] DBG: 1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc055 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 4336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9 \
2022-02-21 10:41:28 dirmngr[23236] DBG: a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a \
2022-02-21 10:41:28 dirmngr[23236] DBG: 43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e186 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 93c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae \
2022-02-21 10:41:28 dirmngr[23236] DBG: 82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f8 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 58f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca2094746 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 3ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d \
2022-02-21 10:41:28 dirmngr[23236] DBG: 3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506dec \
2022-02-21 10:41:28 dirmngr[23236] DBG: ce005518fee94964d44eca979cb45bc073a8abb847c200056430820560308204 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 48a00302010202104001772137d4e942b8ee76aa3c640ab7300d06092a864886 \
2022-02-21 10:41:28 dirmngr[23236] DBG: f70d01010b0500303f31243022060355040a131b4469676974616c205369676e \
2022-02-21 10:41:28 dirmngr[23236] DBG: 617475726520547275737420436f2e311730150603550403130e44535420526f \
2022-02-21 10:41:28 dirmngr[23236] DBG: 6f74204341205833301e170d3231303132303139313430335a170d3234303933 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 303138313430335a304f310b300906035504061302555331293027060355040a \
2022-02-21 10:41:28 dirmngr[23236] DBG: 1320496e7465726e65742053656375726974792052657365617263682047726f \
2022-02-21 10:41:28 dirmngr[23236] DBG: 7570311530130603550403130c4953524720526f6f7420583130820222300d06 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 092a864886f70d01010105000382020f003082020a0282020100ade82473f414 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 37f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef600 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 4f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79 \
2022-02-21 10:41:28 dirmngr[23236] DBG: dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680 \
2022-02-21 10:41:28 dirmngr[23236] DBG: aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074 \
2022-02-21 10:41:28 dirmngr[23236] DBG: b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0b \
2022-02-21 10:41:28 dirmngr[23236] DBG: e8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c \
2022-02-21 10:41:28 dirmngr[23236] DBG: 3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279 \
2022-02-21 10:41:28 dirmngr[23236] DBG: e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e2 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 37960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0f \
2022-02-21 10:41:28 dirmngr[23236] DBG: d8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689 \
2022-02-21 10:41:28 dirmngr[23236] DBG: c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72 \
2022-02-21 10:41:28 dirmngr[23236] DBG: a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae05013 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 7c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d \
2022-02-21 10:41:28 dirmngr[23236] DBG: 608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a \
2022-02-21 10:41:28 dirmngr[23236] DBG: 88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d027 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 5de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 82014630820142300f0603551d130101ff040530030101ff300e0603551d0f01 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 01ff040403020106304b06082b06010505070101043f303d303b06082b060105 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 05073002862f687474703a2f2f617070732e6964656e74727573742e636f6d2f \
2022-02-21 10:41:28 dirmngr[23236] DBG: 726f6f74732f647374726f6f74636178332e703763301f0603551d2304183016 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 8014c4a7b1a47b2c71fadbe14b9075ffc4156085891030540603551d20044d30 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 4b3008060667810c010201303f060b2b0601040182df130101013030302e0608 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 2b060105050702011622687474703a2f2f6370732e726f6f742d78312e6c6574 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 73656e63727970742e6f7267303c0603551d1f043530333031a02fa02d862b68 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 7474703a2f2f63726c2e6964656e74727573742e636f6d2f445354524f4f5443 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 41583343524c2e63726c301d0603551d0e0416041479b459e67bb6e5e4017380 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 0888c81a58f6e99b6e300d06092a864886f70d01010b050003820101000a7300 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 6c966eff0e52d0aedd8ce75a06ad2fa8e38fbfc90a031550c2e56c42bb6f9bf4 \
2022-02-21 10:41:28 dirmngr[23236] DBG: b44fc244880875cceb079b14626e78deec27ba395cf5a2a16e5694701053b1bb \
2022-02-21 10:41:28 dirmngr[23236] DBG: e4afd0a2c32b01d496f4c5203533f9d86136e0718db4b8b5aa824595c0f2a923 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 28e7d6a1cb6708daa0432caa1b931fc9def5ab695d13f55b865822ca4d55e470 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 676dc257c5463941cf8a5883586d99fe57e8360ef00e23aafd8897d0e35c0e94 \
2022-02-21 10:41:28 dirmngr[23236] DBG: 49b5b51735d22ebf4e85ef18e08592eb063b6c29230960dc45024c12183be9fb \
2022-02-21 10:41:28 dirmngr[23236] DBG: 0ededc44f85898aeeabd4545a1885d66cafe10e96f82c811420dfbe9ece38600 \
2022-02-21 10:41:28 dirmngr[23236] DBG: de9d10e338faa47db1d8e8498284069b2be86b4f010c38772ef9dde739
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): handshake message: msglen = 4056, type = 11, hslen = 4056
2022-02-21 10:41:28 dirmngr[23236] ntbtls: peer certificate: chain length=3
2022-02-21 10:41:28 dirmngr[23236]ntbtls: serial: 04cc227c37c5112c6c1b538b751a18451bf6
2022-02-21 10:41:28 dirmngr[23236] ntbtls: issuer: CN=R3,O=Let's Encrypt,C=US
2022-02-21 10:41:28 dirmngr[23236] ntbtls: subject: CN=hockeypuck.ubuntu.com
2022-02-21 10:41:28 dirmngr[23236] ntbtls: aka: (8:dns-name21:hockeypuck.ubuntu.com)
2022-02-21 10:41:28 dirmngr[23236] ntbtls: aka: (8:dns-name20:keyserver.ubuntu.com)
2022-02-21 10:41:28 dirmngr[23236] ntbtls: notBefore: 2021-12-25 03:20:36
2022-02-21 10:41:28 dirmngr[23236] ntbtls: notAfter: 2022-03-25 03:20:35
2022-02-21 10:41:28 dirmngr[23236] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 10:41:28 dirmngr[23236]ntbtls: serial: 00912b084acf0c18a753f6d62e25a75f5a
2022-02-21 10:41:28 dirmngr[23236] ntbtls: issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
2022-02-21 10:41:28 dirmngr[23236] ntbtls: subject: CN=R3,O=Let's Encrypt,C=US
2022-02-21 10:41:28 dirmngr[23236] ntbtls: notBefore: 2020-09-04 00:00:00
2022-02-21 10:41:28 dirmngr[23236] ntbtls: notAfter: 2025-09-15 16:00:00
2022-02-21 10:41:28 dirmngr[23236] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 10:41:28 dirmngr[23236]ntbtls: serial: 4001772137d4e942b8ee76aa3c640ab7
2022-02-21 10:41:28 dirmngr[23236] ntbtls: issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2022-02-21 10:41:28 dirmngr[23236] ntbtls: subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
2022-02-21 10:41:28 dirmngr[23236] ntbtls: notBefore: 2021-01-20 19:14:03
2022-02-21 10:41:28 dirmngr[23236] ntbtls: notAfter: 2024-09-30 18:14:03
2022-02-21 10:41:28 dirmngr[23236] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(1): comparing hostname 'hockeypuck.ubuntu.com' to 'keyserver.ubuntu.com'
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(1): comparing hostname 'keyserver.ubuntu.com' to 'keyserver.ubuntu.com'
2022-02-21 10:41:28 dirmngr[23236] certificate already cached
2022-02-21 10:41:28 dirmngr[23236] certificate cached
2022-02-21 10:41:28 dirmngr[23236] Note: non-critical certificate policy not allowed
2022-02-21 10:41:28 dirmngr[23236] certificate is good
2022-02-21 10:41:28 dirmngr[23236] certificate has expired
2022-02-21 10:41:28 dirmngr[23236] (expired at 2021-09-29 19:21:40)
2022-02-21 10:41:28 dirmngr[23236] Note: non-critical certificate policy not allowed
2022-02-21 10:41:28 dirmngr[23236] certificate is good
2022-02-21 10:41:28 dirmngr[23236] certificate has expired
2022-02-21 10:41:28 dirmngr[23236] (expired at 2021-09-30 14:01:15)
2022-02-21 10:41:28 dirmngr[23236] root certificate is good and trusted
2022-02-21 10:41:28 dirmngr[23236] target certificate is NOT valid
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(1): error from the verify callback returned: Certificate expired <Dirmngr>
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): handshake ready
2022-02-21 10:41:28 dirmngr[23236] TLS handshake failed: Certificate expired <Dirmngr>
2022-02-21 10:41:28 dirmngr[23236] error connecting to 'https://162.213.33.9:443': Certificate expired
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): release
2022-02-21 10:41:28 dirmngr[23236] command 'KS_SEARCH' failed: Certificate expired
2022-02-21 10:41:28 dirmngr[23236] handler for fd 720 terminated

RE: Initial setup for lookup on server [ Reply ]
By: Kim Nilsson on 2022-02-21 09:42
[forum:8274]
Ok, here goes. :-)

tls-debug 1

2022-02-21 10:34:11 dirmngr[17092] listening on socket 'C:\\Users\\Kim\\AppData\\Local\\gnupg\\S.dirmngr'
2022-02-21 10:34:12 dirmngr[17092] permanently loaded certificates: 180
2022-02-21 10:34:12 dirmngr[17092] runtime cached certificates: 0
2022-02-21 10:34:12 dirmngr[17092] trusted certificates: 180 (180,0,0,0)
2022-02-21 10:34:12 dirmngr[17092] handler for fd 712 started
2022-02-21 10:34:12 dirmngr[17092] resolve_dns_addr for 'keyserver.ubuntu.com': '162.213.33.9'
2022-02-21 10:34:12 dirmngr[17092] resolve_dns_addr for 'keyserver.ubuntu.com': '162.213.33.8'
2022-02-21 10:34:12 dirmngr[17092] detected interfaces: IPv4
2022-02-21 10:34:12 dirmngr[17092] DBG: ntbtls(1): server_hello, chosen version: [3:3]
2022-02-21 10:34:12 dirmngr[17092] DBG: ntbtls(1): server_hello, chosen ciphersuite: 49199 (TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256)
2022-02-21 10:34:12 dirmngr[17092] ntbtls: peer certificate: chain length=3
2022-02-21 10:34:12 dirmngr[17092] DBG: ntbtls(1): comparing hostname 'hockeypuck.ubuntu.com' to 'keyserver.ubuntu.com'
2022-02-21 10:34:12 dirmngr[17092] DBG: ntbtls(1): comparing hostname 'keyserver.ubuntu.com' to 'keyserver.ubuntu.com'
2022-02-21 10:34:12 dirmngr[17092] certificate already cached
2022-02-21 10:34:12 dirmngr[17092] certificate cached
2022-02-21 10:34:12 dirmngr[17092] Note: non-critical certificate policy not allowed
2022-02-21 10:34:12 dirmngr[17092] certificate is good
2022-02-21 10:34:12 dirmngr[17092] certificate has expired
2022-02-21 10:34:12 dirmngr[17092] (expired at 2021-09-29 19:21:40)
2022-02-21 10:34:12 dirmngr[17092] Note: non-critical certificate policy not allowed
2022-02-21 10:34:12 dirmngr[17092] certificate is good
2022-02-21 10:34:12 dirmngr[17092] certificate has expired
2022-02-21 10:34:12 dirmngr[17092] (expired at 2021-09-30 14:01:15)
2022-02-21 10:34:12 dirmngr[17092] root certificate is good and trusted
2022-02-21 10:34:12 dirmngr[17092] target certificate is NOT valid
2022-02-21 10:34:12 dirmngr[17092] DBG: ntbtls(1): error from the verify callback returned: Certificate expired <Dirmngr>
2022-02-21 10:34:12 dirmngr[17092] TLS handshake failed: Certificate expired <Dirmngr>
2022-02-21 10:34:12 dirmngr[17092] error connecting to 'https://162.213.33.8:443': Certificate expired
2022-02-21 10:34:12 dirmngr[17092] command 'KS_SEARCH' failed: Certificate expired
2022-02-21 10:34:12 dirmngr[17092] handler for fd 712 terminated

tls-debug 2

2022-02-21 10:35:46 dirmngr[22880] listening on socket 'C:\\Users\\Kim\\AppData\\Local\\gnupg\\S.dirmngr'
2022-02-21 10:35:46 dirmngr[22880] permanently loaded certificates: 180
2022-02-21 10:35:46 dirmngr[22880] runtime cached certificates: 0
2022-02-21 10:35:46 dirmngr[22880] trusted certificates: 180 (180,0,0,0)
2022-02-21 10:35:46 dirmngr[22880] handler for fd 708 started
2022-02-21 10:35:46 dirmngr[22880] resolve_dns_addr for 'keyserver.ubuntu.com': '162.213.33.9'
2022-02-21 10:35:46 dirmngr[22880] resolve_dns_addr for 'keyserver.ubuntu.com': '162.213.33.8'
2022-02-21 10:35:46 dirmngr[22880] detected interfaces: IPv4
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): handshake
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): client state: 0 (hello_request)
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): client state: 1 (client_hello)
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): write client_hello
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): client state: 2 (server_hello)
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): read server_hello
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(1): server_hello, chosen version: [3:3]
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(1): server_hello, chosen ciphersuite: 49199 (TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256)
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): server_hello, total extension length: 21
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): found renegotiation extension
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): unknown extension found: 0 (ignoring)
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): found supported_point_formats extension
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): found session_ticket extension
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): client state: 3 (server_certificate)
2022-02-21 10:35:46 dirmngr[22880] ntbtls: peer certificate: chain length=3
2022-02-21 10:35:46 dirmngr[22880]ntbtls: serial: 04cc227c37c5112c6c1b538b751a18451bf6
2022-02-21 10:35:46 dirmngr[22880] ntbtls: issuer: CN=R3,O=Let's Encrypt,C=US
2022-02-21 10:35:46 dirmngr[22880] ntbtls: subject: CN=hockeypuck.ubuntu.com
2022-02-21 10:35:46 dirmngr[22880] ntbtls: aka: (8:dns-name21:hockeypuck.ubuntu.com)
2022-02-21 10:35:46 dirmngr[22880] ntbtls: aka: (8:dns-name20:keyserver.ubuntu.com)
2022-02-21 10:35:46 dirmngr[22880] ntbtls: notBefore: 2021-12-25 03:20:36
2022-02-21 10:35:46 dirmngr[22880] ntbtls: notAfter: 2022-03-25 03:20:35
2022-02-21 10:35:46 dirmngr[22880] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 10:35:46 dirmngr[22880]ntbtls: serial: 00912b084acf0c18a753f6d62e25a75f5a
2022-02-21 10:35:46 dirmngr[22880] ntbtls: issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
2022-02-21 10:35:46 dirmngr[22880] ntbtls: subject: CN=R3,O=Let's Encrypt,C=US
2022-02-21 10:35:46 dirmngr[22880] ntbtls: notBefore: 2020-09-04 00:00:00
2022-02-21 10:35:46 dirmngr[22880] ntbtls: notAfter: 2025-09-15 16:00:00
2022-02-21 10:35:46 dirmngr[22880] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 10:35:46 dirmngr[22880]ntbtls: serial: 4001772137d4e942b8ee76aa3c640ab7
2022-02-21 10:35:46 dirmngr[22880] ntbtls: issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2022-02-21 10:35:46 dirmngr[22880] ntbtls: subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
2022-02-21 10:35:46 dirmngr[22880] ntbtls: notBefore: 2021-01-20 19:14:03
2022-02-21 10:35:46 dirmngr[22880] ntbtls: notAfter: 2024-09-30 18:14:03
2022-02-21 10:35:46 dirmngr[22880] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(1): comparing hostname 'hockeypuck.ubuntu.com' to 'keyserver.ubuntu.com'
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(1): comparing hostname 'keyserver.ubuntu.com' to 'keyserver.ubuntu.com'
2022-02-21 10:35:46 dirmngr[22880] certificate already cached
2022-02-21 10:35:46 dirmngr[22880] certificate cached
2022-02-21 10:35:46 dirmngr[22880] Note: non-critical certificate policy not allowed
2022-02-21 10:35:46 dirmngr[22880] certificate is good
2022-02-21 10:35:46 dirmngr[22880] certificate has expired
2022-02-21 10:35:46 dirmngr[22880] (expired at 2021-09-29 19:21:40)
2022-02-21 10:35:46 dirmngr[22880] Note: non-critical certificate policy not allowed
2022-02-21 10:35:46 dirmngr[22880] certificate is good
2022-02-21 10:35:46 dirmngr[22880] certificate has expired
2022-02-21 10:35:46 dirmngr[22880] (expired at 2021-09-30 14:01:15)
2022-02-21 10:35:46 dirmngr[22880] root certificate is good and trusted
2022-02-21 10:35:46 dirmngr[22880] target certificate is NOT valid
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(1): error from the verify callback returned: Certificate expired <Dirmngr>
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): handshake ready
2022-02-21 10:35:46 dirmngr[22880] TLS handshake failed: Certificate expired <Dirmngr>
2022-02-21 10:35:46 dirmngr[22880] error connecting to 'https://162.213.33.8:443': Certificate expired
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): release
2022-02-21 10:35:46 dirmngr[22880] command 'KS_SEARCH' failed: Certificate expired
2022-02-21 10:35:46 dirmngr[22880] handler for fd 708 terminated

tls-debug 3

2022-02-21 10:40:31 dirmngr[2592] listening on socket 'C:\\Users\\Kim\\AppData\\Local\\gnupg\\S.dirmngr'
2022-02-21 10:40:31 dirmngr[2592] permanently loaded certificates: 180
2022-02-21 10:40:31 dirmngr[2592] runtime cached certificates: 0
2022-02-21 10:40:31 dirmngr[2592] trusted certificates: 180 (180,0,0,0)
2022-02-21 10:40:31 dirmngr[2592] handler for fd 720 started
2022-02-21 10:40:31 dirmngr[2592] resolve_dns_addr for 'keyserver.ubuntu.com': '162.213.33.9'
2022-02-21 10:40:31 dirmngr[2592] resolve_dns_addr for 'keyserver.ubuntu.com': '162.213.33.8'
2022-02-21 10:40:31 dirmngr[2592] detected interfaces: IPv4
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): handshake
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): client state: 0 (hello_request)
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): flush output
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): client state: 1 (client_hello)
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): flush output
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): write client_hello
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, max version: [3:3]
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, current time: 1645436431
2022-02-21 10:40:31 dirmngr[2592] DBG: client_hello, random bytes: 62135e0f392dc4c64d93cd9d246245268727da03abf349002ac3e54038f381a1
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, session id len.: 0
2022-02-21 10:40:31 dirmngr[2592] DBG: client_hello, session id:
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, got 78 ciphersuites
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, compress len.: 2
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, compress alg.: 1 0
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, adding server name extension: 'keyserver.ubuntu.com'
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, adding signature_algorithms extension
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client hello, adding supported_elliptic_curves extension
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client hello, adding supported_point_formats extension
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, adding session ticket extension
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, total extension length: 83
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): write record
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): output record: msgtype = 22, version = [3:3], msglen = 285
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): flush output
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): message length: 290, out_left: 290
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): es_write returned: success
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): client state: 2 (server_hello)
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): flush output
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): read server_hello
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): read record
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): fetch input
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): in_left: 0, nb_want: 5
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): es_read returned: success
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): input record: msgtype = 22, version = [3:3], msglen = 65
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): fetch input
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): in_left: 5, nb_want: 70
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): es_read returned: success
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): handshake message: msglen = 65, type = 2, hslen = 65
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(1): server_hello, chosen version: [3:3]
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): server_hello, current time: 2411400778
2022-02-21 10:40:31 dirmngr[2592] DBG: server_hello, random bytes: 8fbb0e4a0803168a8830148b455259b7d8239aa390d8cf50444f574e47524401
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): server_hello, session id len.: 0
2022-02-21 10:40:31 dirmngr[2592] DBG: server_hello, session id:
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): no session has been resumed
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(1): server_hello, chosen ciphersuite: 49199 (TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256)
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): server_hello, compress alg.: 0
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): server_hello, total extension length: 21
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): found renegotiation extension
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): unknown extension found: 0 (ignoring)
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): found supported_point_formats extension
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): found session_ticket extension
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): client state: 3 (server_certificate)
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): flush output
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): read certificate
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): read record
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): fetch input
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): in_left: 0, nb_want: 5
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): es_read returned: success
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): input record: msgtype = 22, version = [3:3], msglen = 4056
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): fetch input
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): in_left: 5, nb_want: 4061
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): es_read returned: success
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): handshake message: msglen = 4056, type = 11, hslen = 4056
2022-02-21 10:40:31 dirmngr[2592] ntbtls: peer certificate: chain length=3
2022-02-21 10:40:31 dirmngr[2592]ntbtls: serial: 04cc227c37c5112c6c1b538b751a18451bf6
2022-02-21 10:40:31 dirmngr[2592] ntbtls: issuer: CN=R3,O=Let's Encrypt,C=US
2022-02-21 10:40:31 dirmngr[2592] ntbtls: subject: CN=hockeypuck.ubuntu.com
2022-02-21 10:40:31 dirmngr[2592] ntbtls: aka: (8:dns-name21:hockeypuck.ubuntu.com)
2022-02-21 10:40:31 dirmngr[2592] ntbtls: aka: (8:dns-name20:keyserver.ubuntu.com)
2022-02-21 10:40:31 dirmngr[2592] ntbtls: notBefore: 2021-12-25 03:20:36
2022-02-21 10:40:31 dirmngr[2592] ntbtls: notAfter: 2022-03-25 03:20:35
2022-02-21 10:40:31 dirmngr[2592] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 10:40:31 dirmngr[2592]ntbtls: serial: 00912b084acf0c18a753f6d62e25a75f5a
2022-02-21 10:40:31 dirmngr[2592] ntbtls: issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
2022-02-21 10:40:31 dirmngr[2592] ntbtls: subject: CN=R3,O=Let's Encrypt,C=US
2022-02-21 10:40:31 dirmngr[2592] ntbtls: notBefore: 2020-09-04 00:00:00
2022-02-21 10:40:31 dirmngr[2592] ntbtls: notAfter: 2025-09-15 16:00:00
2022-02-21 10:40:31 dirmngr[2592] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 10:40:31 dirmngr[2592]ntbtls: serial: 4001772137d4e942b8ee76aa3c640ab7
2022-02-21 10:40:31 dirmngr[2592] ntbtls: issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2022-02-21 10:40:31 dirmngr[2592] ntbtls: subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
2022-02-21 10:40:31 dirmngr[2592] ntbtls: notBefore: 2021-01-20 19:14:03
2022-02-21 10:40:31 dirmngr[2592] ntbtls: notAfter: 2024-09-30 18:14:03
2022-02-21 10:40:31 dirmngr[2592] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(1): comparing hostname 'hockeypuck.ubuntu.com' to 'keyserver.ubuntu.com'
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(1): comparing hostname 'keyserver.ubuntu.com' to 'keyserver.ubuntu.com'
2022-02-21 10:40:31 dirmngr[2592] certificate already cached
2022-02-21 10:40:31 dirmngr[2592] certificate cached
2022-02-21 10:40:31 dirmngr[2592] Note: non-critical certificate policy not allowed
2022-02-21 10:40:31 dirmngr[2592] certificate is good
2022-02-21 10:40:31 dirmngr[2592] certificate has expired
2022-02-21 10:40:31 dirmngr[2592] (expired at 2021-09-29 19:21:40)
2022-02-21 10:40:31 dirmngr[2592] Note: non-critical certificate policy not allowed
2022-02-21 10:40:31 dirmngr[2592] certificate is good
2022-02-21 10:40:31 dirmngr[2592] certificate has expired
2022-02-21 10:40:31 dirmngr[2592] (expired at 2021-09-30 14:01:15)
2022-02-21 10:40:31 dirmngr[2592] root certificate is good and trusted
2022-02-21 10:40:31 dirmngr[2592] target certificate is NOT valid
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(1): error from the verify callback returned: Certificate expired <Dirmngr>
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): handshake ready
2022-02-21 10:40:31 dirmngr[2592] TLS handshake failed: Certificate expired <Dirmngr>
2022-02-21 10:40:31 dirmngr[2592] error connecting to 'https://162.213.33.8:443': Certificate expired
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): release
2022-02-21 10:40:31 dirmngr[2592] command 'KS_SEARCH' failed: Certificate expired
2022-02-21 10:40:31 dirmngr[2592] handler for fd 720 terminated

tls-debug 4 - eh, that's so long it deserves its own post.


RE: Initial setup for lookup on server [ Reply ]
By: Bernhard Reiter on 2022-02-21 09:07
[forum:8271]
Hi Kim,

thanks for the log and the config and the patience. :)

The log confirms, that it is a problem with the TLS certificate of
2022-02-21 09:29:40 dirmngr[25220] resolve_dns_addr for 'keyserver.ubuntu.com':
'162.213.33.8'
2022-02-21 09:29:41 dirmngr[25220] certificate has expired
2022-02-21 09:29:41 dirmngr[25220] (expired at 2021-09-30 14:01:15)
2022-02-21 09:29:41 dirmngr[25220] root certificate is good and trusted
2022-02-21 09:29:41 dirmngr[25220] target certificate is NOT valid
2022-02-21 09:29:41 dirmngr[25220] TLS handshake failed: Certificate expired
<Dirmngr>


So my suspicion is that the windows installation misses some of the new Let's encrypt certificates. (I think when restarting dirmngr, a debug option can list, which certificates it loads precisely.) If not, there is still a TLS certificate certification issue lurking somewhere.


Regards
Bernhard

RE: Initial setup for lookup on server [ Reply ]
By: Kim Nilsson on 2022-02-21 08:32
[forum:8270]
This is my gpg.conf by the way.

###+++--- GPGConf ---+++###
utf8-strings
default-key 84A94C18F68F97DC3709E5057B294EAD4F52CAAA
keyserver hkps://keyserver.ubuntu.com
###+++--- GPGConf ---+++### 2022-02-15 18:12:04 V�steuropa, normaltid
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
fixed-list-mode
no-comments
no-emit-version
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
require-cross-certification
no-symkey-cache
throw-keyids
use-agent

RE: Initial setup for lookup on server [ Reply ]
By: Kim Nilsson on 2022-02-21 08:31
[forum:8269]
This is what my log said when trying to lookup my own key with hkps.

2022-02-21 09:29:40 dirmngr[25220] listening on socket 'C:\\Users\\Kim\\AppData\\Local\\gnupg\\S.dirmngr'
2022-02-21 09:29:40 dirmngr[25220] permanently loaded certificates: 180
2022-02-21 09:29:40 dirmngr[25220] runtime cached certificates: 0
2022-02-21 09:29:40 dirmngr[25220] trusted certificates: 180 (180,0,0,0)
2022-02-21 09:29:40 dirmngr[25220] handler for fd 700 started
2022-02-21 09:29:40 dirmngr[25220] resolve_dns_addr for 'keyserver.ubuntu.com': '162.213.33.9'
2022-02-21 09:29:40 dirmngr[25220] resolve_dns_addr for 'keyserver.ubuntu.com': '162.213.33.8'
2022-02-21 09:29:41 dirmngr[25220] detected interfaces: IPv4
2022-02-21 09:29:41 dirmngr[25220] certificate already cached
2022-02-21 09:29:41 dirmngr[25220] certificate cached
2022-02-21 09:29:41 dirmngr[25220] Note: non-critical certificate policy not allowed
2022-02-21 09:29:41 dirmngr[25220] certificate is good
2022-02-21 09:29:41 dirmngr[25220] certificate has expired
2022-02-21 09:29:41 dirmngr[25220] (expired at 2021-09-29 19:21:40)
2022-02-21 09:29:41 dirmngr[25220] Note: non-critical certificate policy not allowed
2022-02-21 09:29:41 dirmngr[25220] certificate is good
2022-02-21 09:29:41 dirmngr[25220] certificate has expired
2022-02-21 09:29:41 dirmngr[25220] (expired at 2021-09-30 14:01:15)
2022-02-21 09:29:41 dirmngr[25220] root certificate is good and trusted
2022-02-21 09:29:41 dirmngr[25220] target certificate is NOT valid
2022-02-21 09:29:41 dirmngr[25220] TLS handshake failed: Certificate expired <Dirmngr>
2022-02-21 09:29:41 dirmngr[25220] error connecting to 'https://162.213.33.8:443': Certificate expired
2022-02-21 09:29:41 dirmngr[25220] command 'KS_SEARCH' failed: Certificate expired
2022-02-21 09:29:41 dirmngr[25220] handler for fd 700 terminated

RE: Initial setup for lookup on server [ Reply ]
By: Bernhard Reiter on 2022-02-16 08:04
[forum:8260]
Hi Kim,

one differente between GNU/Linux and Windows with GnuPG's dirmngr is where they take their trusted certificates (the root certificates) from.

On Windows the come from the Windows own store, which can have a different content then what is available on GNU/Linux.

To debug this, someone can add log-file and debug options to dirmngr.conf (and restart it).

In our tests keyserver.ubuntu.com works fine so far on Windows.

History:
Problems came up when Let's encrypt used (a legitimate) trick when they had to migrate from one root ca to the next. So the validation of the certificate chain in dirmngr was improved, but there still might be defects in it.

Regards,
Bernhard

RE: Initial setup for lookup on server [ Reply ]
By: Kim Nilsson on 2022-02-15 17:44
[forum:8259]
I don't know what is wrong or what happened, but I can't make gpg cli work with any encrypted server. Regardless of which version I install.

I tried all versions from 2.34 down to 2.3.34.
None work with an encrypted keyserver. They all work with non-encrypted keyservers.

2.3.4 work great with encrypted keyservers in Ubuntu.

All I know is that hkps://keyserver.ubuntu.com used to work great, before I installed 4.0.0.

RE: Initial setup for lookup on server [ Reply ]
By: Kim Nilsson on 2022-02-15 17:27
[forum:8258]
Aaaaand now I have to apologise.

gpg 2.3.4 in cmd on Windows 10 also fails all encrypted hosts, with invalid certificate.

gpg 2.3.4 in Linux (Ubuntu in WSL on the same Windows 10 system) works great with all hosts.

Sorry. I didn't realise that I was in the WSL terminal, and not cmd terminal when reporting earlies.

So this means that both Kleopatra 4.0.0 and gpg 2.3.4 fail with hkps and https on Windows.

gpg 2.3.4 in WSL Ubuntu works fine with all hosts.

RE: Initial setup for lookup on server [ Reply ]
By: Kim Nilsson on 2022-02-15 17:15
[forum:8257]
Just to verify, this is a change from gpg4win before version 4.

I've had hkps://keyserver.ubuntu.com for years without issue.

RE: Initial setup for lookup on server [ Reply ]
By: Kim Nilsson on 2022-02-15 17:12
[forum:8256]

gpg4win_400_refresh_pgp_keys-hkp.png (10) downloads
But with hkp it works.

Using hkps & https works great in cmd with gpg.
But Kleopatra doesn't like it.

gpg even accepts http, but not Kleopatra.
Kleopatra only accepts hkp.

RE: Initial setup for lookup on server [ Reply ]
By: Kim Nilsson on 2022-02-15 17:10
[forum:8255]

gpg4win_400_refresh_pgp_keys-hkps.png (16) downloads
Same invalid certificate with hkps.

RE: Initial setup for lookup on server [ Reply ]
By: Kim Nilsson on 2022-02-15 17:09
[forum:8254]

gpg4win_400_refresh_pgp_keys-https.png (10) downloads
If I use https://keyserver.ubuntu.com I get an error message saying certificate is invalid.

RE: Initial setup for lookup on server [ Reply ]
By: Kim Nilsson on 2022-02-15 17:09
[forum:8253]

gpg4win_400_refresh_pgp_keys.png (10) downloads
Having that setting empty fails completely for me.

RE: Initial setup for lookup on server [ Reply ]
By: Bernhard Reiter on 2022-01-18 14:26
[forum:8223]
Yes, this is the reason why searching for public keys does not work at all.

Remove the setting (make it empty) so that the default is used or use one of the keyservers in from the list I've posted.

Best,
Bernhard

RE: Initial setup for lookup on server [ Reply ]
By: Mark W on 2022-01-16 23:02
[forum:8221]
I just looked at my GPG4Win 4 install to see what it was set at, and it is "hkp://keys.gnupg.net";. I have been using GPG4Win since v3 so is that the reason?

Should it be changed to "https://keyserver.ubuntu.com";

RE: Initial setup for lookup on server [ Reply ]
By: Bernhard Reiter on 2022-01-06 09:33
[forum:8199]
Hi Matt,

the keyserver should be empty to use the default, which in current GnuPG is
'https://keyserver.ubuntu.com'

Did you have Gpg4win installed before? This could be the reason why there is the old keyserver.

To use an even more modern one, see https://social.tchncs.de/@ber/107008659842900171
for the emerging new network of pubkeyservers.

Regards
Bernhard

Initial setup for lookup on server [ Reply ]
By: Matt Postiff on 2022-01-02 00:55
[forum:8193]
Hi, I'm having trouble doing a lookup on server...I believe because I don't have Settings | Configure Kleopatra | Directory Services set up properly.

The OpenPGP keyserver box has kttp://keys.gnupg.net and the X.509 Directory Services box is empty. The Add button offers Active Directory or LDAP.

But the dialog box does not like what I see in online documentation with various columns and other settings. It is not obvious what I do at this point even after hunting around online. I would think the install defaults should work, even if not ideally, but it appears not. Can someone give me some guidance? I'm not experienced with this software.

I just downloaded 4.0.0, installed, and rebooted.