Some issues using Kleopatra with an SSL connection to the server

Good afternoon,

I’m using Kleopatra on my endpoint and I have an SKS keyserver where I keep my keys.
I have Kleopatra working with the SKS keyserver, connecting to port 11371 (HKP protocol). I can “Publish on server” and “Lookup on server” for users, and everything is fine.
But I would like to make the connection more secure and use SSL (port 443).
On my Ubuntu server I have an Apache that redirects traffic from port 80 to 443. I already have certificates, so through the browser everything is fine.
But unfortunately, in Kleopatra, I can’t “Publish on server” or “Lookup on server” for users with an SSL (port 443) connection. I try to publish and it gives me an error.

In “Kleopatra → Settings → Configure Kleopatra → Directory Services → OpenPGP Keyserver” I have already filled in “http://URL:443”, “http://URL”, “hkps://URL”, … but unfortunately until now nothing has solved it.

Can you help me configure Kleopatra to work with an encrypted connection?
Any suggestion?

Thank you.

Regards,

Fábio

Hi Fabio,

Turn up the diagnostic output for dirmngr, restart it and check the messages there,
which should give you more details about what is going wrong. Maybe the certificate is not fully trusted (I don’t remember, but I guess that dirmngr’s TLS library may use the GnuPG keystore, so that would be different from the one that the browser would use).

Best Regards,
Bernhard

Hi Bernhard,

Thank you for your help.
Through the diagnostics I noticed that there are some issues.
My certificate is self-signed and is not verified by a CA. Do you think that this is the problem? Is it possible to make a connection using SSL (443) with a self-signed certificate?

Thank you.

Best regards,
Fábio

Hi Fabio,

Note that it is good that dirmngr does not just accept the certificate without a trust path;
it protects you if somebody tries something. :slight_smile:

It is possible to give your own CAs to dirmngr (you’ll have to look it up in the documentation).
So if “self-signed” actually means signed by your own little CA certificate, you can make it work.

Otherwise, if you are retrieving public keys for OpenPGP or S/MIME and you can secure the transport layer otherwise (e.g. VPN or ssh tunnelling), the TLS layer of dirmngr itself is not necessary. (It protects against people observing what you are requesting, not the integrity.)

Does this help?

Regards,
Bernhard
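The two things Bernhard suggests, turning up dirmngr’s diagnostics (first reply) and handing dirmngr your own CA certificate so the hkps connection has a trust path (second reply), both live in dirmngr.conf. The script below is an added example, not code from this thread or from the GnuPG/Kleopatra projects; the hostname keys.example.org, the CA file path /etc/ssl/certs/keys-ca.pem, the search string and the GNUPGHOME location are assumptions for illustration. It writes the config, restarts dirmngr so it re-reads the file, shows the certificate chain the server really presents (so you can confirm your CA is the one that signed it), and then runs a keyserver search outside Kleopatra, where the log file tells you what went wrong.

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG/Kleopatra): configure dirmngr,
# the GnuPG component Kleopatra and gpg use for keyserver access, to trust a private
# CA for an hkps:// keyserver and to log diagnostics. Host, CA path and GNUPGHOME are
# assumptions; replace them with your own.

# write_dirmngr_conf GNUPGHOME KEYSERVER_URL CA_PEM
# Writes GNUPGHOME/dirmngr.conf with:
#   keyserver   - the hkps:// URL (hkps means TLS on 443, no need to spell out the port)
#   hkp-cacert  - PEM file holding the CA certificate(s) that signed the server
#                 certificate; this is the trust path dirmngr otherwise lacks
#   log-file / verbose / debug-level - the "turn up the diagnostics" part
write_dirmngr_conf() {
  gnupghome=$1
  url=$2
  ca=$3
  mkdir -p "$gnupghome" && chmod 700 "$gnupghome"
  cat > "$gnupghome/dirmngr.conf" <<EOF
# keyserver used by gpg --search-keys / --send-keys and by Kleopatra
keyserver $url
# trust anchor for the keyserver's TLS certificate (private CA, PEM format)
hkp-cacert $ca
# diagnostics: read this file when Kleopatra only reports an error
log-file $gnupghome/dirmngr.log
verbose
debug-level basic
EOF
  chmod 600 "$gnupghome/dirmngr.conf"
}

# conf_value GNUPGHOME OPTION: print OPTION's value from dirmngr.conf (used for checks)
conf_value() {
  sed -n "s/^$2 //p" "$1/dirmngr.conf"
}

# restart_dirmngr GNUPGHOME: dirmngr reads its config only at start, so stop the
# running instance; gpg spawns a fresh one on the next keyserver operation.
restart_dirmngr() {
  command -v gpgconf >/dev/null 2>&1 || { echo "gpgconf not installed" >&2; return 2; }
  GNUPGHOME=$1 gpgconf --kill dirmngr
}

# show_server_chain HOST: print subject and issuer of the certificate the server
# actually presents on 443, to compare against the CA given in hkp-cacert
# (needs openssl and network access).
show_server_chain() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer
}

# probe_keyserver GNUPGHOME SEARCH: run a search with gpg instead of Kleopatra; a TLS
# or trust problem fails here too, and the reason is in the dirmngr log file.
probe_keyserver() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
  GNUPGHOME=$1 gpg --batch --search-keys "$2" </dev/null
  echo "--- last dirmngr log lines ---"
  tail -n 20 "$1/dirmngr.log"
}

# The live steps run only when DIRMNGR_DEMO=1, so the file can be sourced for its
# functions without touching the network or a real GnuPG home.
if [ "${DIRMNGR_DEMO:-}" = "1" ]; then
  home=${GNUPGHOME_DEMO:-$HOME/.gnupg-demo}   # assumed location, not your real keyring
  write_dirmngr_conf "$home" hkps://keys.example.org /etc/ssl/certs/keys-ca.pem
  restart_dirmngr "$home"
  show_server_chain keys.example.org
  probe_keyserver "$home" fabio@example.org
fi
```

If the issuer printed by show_server_chain is not the certificate in hkp-cacert, dirmngr will keep rejecting the connection whatever Kleopatra is set to; if the server certificate is literally self-signed with no CA above it, Bernhard's advice still applies: issue it from a small private CA and give that CA to dirmngr. Kleopatra’s keyserver setting should then simply be the hkps://URL.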

Hi Bernhard,

Yes, it helps.
Thank you for your answer :slight_smile:

Best regards,

Fábio