Initial setup for lookup on server

Hi, I’m having trouble doing a lookup on server…I believe because I don’t have Settings | Configure Kleopatra | Directory Services set up properly.

The OpenPGP keyserver box has kttp://keys.gnupg.net and the X.509 Directory Services box is empty. The Add button offers Active Directory or LDAP.

But the dialog box does not look like what I see in online documentation with various columns and other settings. It is not obvious what I do at this point even after hunting around online. I would think the install defaults should work, even if not ideally, but it appears not. Can someone give me some guidance? I’m not experienced with this software.

I just downloaded 4.0.0, installed, and rebooted.

Hi Matt,

the keyserver should be empty to use the default, which in current GnuPG is
https://keyserver.ubuntu.com

Did you have Gpg4win installed before? This could be the reason why there is the old keyserver.

To use an even more modern one, see https://social.tchncs.de/@ber/107008659842900171
for the emerging new network of pubkeyservers.

Regards
Bernhard

I just looked at my GPG4Win 4 install to see what it was set at, and it is “hkp://keys.gnupg.net”. I have been using GPG4Win since v3 so is that the reason?

Should it be changed to “https://keyserver.ubuntu.com”?

Yes, this is the reason why searching for public keys does not work at all.

Remove the setting (make it empty) so that the default is used or use one of the keyservers from the list I’ve posted.

Best,
Bernhard

Having that setting empty fails completely for me.


If I use https://keyserver.ubuntu.com I get an error message saying certificate is invalid.


Same invalid certificate with hkps.


But with hkp it works.

Using hkps & https works great in cmd with gpg.
But Kleopatra doesn’t like it.

gpg even accepts http, but not Kleopatra.
Kleopatra only accepts hkp.


Just to verify, this is a change from gpg4win before version 4.

I’ve had hkps://keyserver.ubuntu.com for years without issue.

Aaaaand now I have to apologise.

gpg 2.3.4 in cmd on Windows 10 also fails all encrypted hosts, with invalid certificate.

gpg 2.3.4 in Linux (Ubuntu in WSL on the same Windows 10 system) works great with all hosts.

Sorry. I didn’t realise that I was in the WSL terminal, and not the cmd terminal, when reporting earlier.

So this means that both Kleopatra 4.0.0 and gpg 2.3.4 fail with hkps and https on Windows.

gpg 2.3.4 in WSL Ubuntu works fine with all hosts.

I don’t know what is wrong or what happened, but I can’t make gpg cli work with any encrypted server. Regardless of which version I install.

I tried all versions from 2.34 down to 2.3.34.
None work with an encrypted keyserver. They all work with non-encrypted keyservers.

2.3.4 works great with encrypted keyservers in Ubuntu.

All I know is that hkps://keyserver.ubuntu.com used to work great, before I installed 4.0.0.

Hi Kim,

one difference between GNU/Linux and Windows with GnuPG’s dirmngr is where they take their trusted certificates (the root certificates) from.

On Windows they come from Windows’ own store, which can have different content than what is available on GNU/Linux.

To debug this, someone can add log-file and debug options to dirmngr.conf (and restart it).

In our tests keyserver.ubuntu.com works fine so far on Windows.

History:
Problems came up when Let’s Encrypt used (a legitimate) trick when they had to migrate from one root CA to the next. So the validation of the certificate chain in dirmngr was improved, but there still might be defects in it.

Regards,
Bernhard

This is what my log said when trying to lookup my own key with hkps.

2022-02-21 09:29:40 dirmngr[25220] listening on socket ‘C:\Users\Kim\AppData\Local\gnupg\S.dirmngr’
2022-02-21 09:29:40 dirmngr[25220] permanently loaded certificates: 180
2022-02-21 09:29:40 dirmngr[25220] runtime cached certificates: 0
2022-02-21 09:29:40 dirmngr[25220] trusted certificates: 180 (180,0,0,0)
2022-02-21 09:29:40 dirmngr[25220] handler for fd 700 started
2022-02-21 09:29:40 dirmngr[25220] resolve_dns_addr for ‘keyserver.ubuntu.com’: ‘162.213.33.9’
2022-02-21 09:29:40 dirmngr[25220] resolve_dns_addr for ‘keyserver.ubuntu.com’: ‘162.213.33.8’
2022-02-21 09:29:41 dirmngr[25220] detected interfaces: IPv4
2022-02-21 09:29:41 dirmngr[25220] certificate already cached
2022-02-21 09:29:41 dirmngr[25220] certificate cached
2022-02-21 09:29:41 dirmngr[25220] Note: non-critical certificate policy not allowed
2022-02-21 09:29:41 dirmngr[25220] certificate is good
2022-02-21 09:29:41 dirmngr[25220] certificate has expired
2022-02-21 09:29:41 dirmngr[25220] (expired at 2021-09-29 19:21:40)
2022-02-21 09:29:41 dirmngr[25220] Note: non-critical certificate policy not allowed
2022-02-21 09:29:41 dirmngr[25220] certificate is good
2022-02-21 09:29:41 dirmngr[25220] certificate has expired
2022-02-21 09:29:41 dirmngr[25220] (expired at 2021-09-30 14:01:15)
2022-02-21 09:29:41 dirmngr[25220] root certificate is good and trusted
2022-02-21 09:29:41 dirmngr[25220] target certificate is NOT valid
2022-02-21 09:29:41 dirmngr[25220] TLS handshake failed: Certificate expired
2022-02-21 09:29:41 dirmngr[25220] error connecting to ‘https://162.213.33.8:443’: Certificate expired
2022-02-21 09:29:41 dirmngr[25220] command ‘KS_SEARCH’ failed: Certificate expired
2022-02-21 09:29:41 dirmngr[25220] handler for fd 700 terminated

This is my gpg.conf by the way.

###+++--- GPGConf ---+++###
utf8-strings
default-key 84A94C18F68F97DC3709E5057B294EAD4F52CAAA
keyserver hkps://keyserver.ubuntu.com
###+++--- GPGConf ---+++### 2022-02-15 18:12:04 Västeuropa, normaltid
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.

personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
fixed-list-mode
no-comments
no-emit-version
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
require-cross-certification
no-symkey-cache
throw-keyids
use-agent

Hi Kim,

thanks for the log and the config and the patience. :)

The log confirms that it is a problem with the TLS certificate of
2022-02-21 09:29:40 dirmngr[25220] resolve_dns_addr for ‘keyserver.ubuntu.com’: ‘162.213.33.8’
2022-02-21 09:29:41 dirmngr[25220] certificate has expired
2022-02-21 09:29:41 dirmngr[25220] (expired at 2021-09-30 14:01:15)
2022-02-21 09:29:41 dirmngr[25220] root certificate is good and trusted
2022-02-21 09:29:41 dirmngr[25220] target certificate is NOT valid
2022-02-21 09:29:41 dirmngr[25220] TLS handshake failed: Certificate expired

So my suspicion is that the Windows installation misses some of the new Let’s Encrypt certificates. (I think when restarting dirmngr, a debug option can list which certificates it loads precisely.) If not, there is still a TLS certificate certification issue lurking somewhere.

Regards
Bernhard

Ok, here goes. :)

tls-debug 1

2022-02-21 10:34:11 dirmngr[17092] listening on socket ‘C:\Users\Kim\AppData\Local\gnupg\S.dirmngr’
2022-02-21 10:34:12 dirmngr[17092] permanently loaded certificates: 180
2022-02-21 10:34:12 dirmngr[17092] runtime cached certificates: 0
2022-02-21 10:34:12 dirmngr[17092] trusted certificates: 180 (180,0,0,0)
2022-02-21 10:34:12 dirmngr[17092] handler for fd 712 started
2022-02-21 10:34:12 dirmngr[17092] resolve_dns_addr for ‘keyserver.ubuntu.com’: ‘162.213.33.9’
2022-02-21 10:34:12 dirmngr[17092] resolve_dns_addr for ‘keyserver.ubuntu.com’: ‘162.213.33.8’
2022-02-21 10:34:12 dirmngr[17092] detected interfaces: IPv4
2022-02-21 10:34:12 dirmngr[17092] DBG: ntbtls(1): server_hello, chosen version: [3:3]
2022-02-21 10:34:12 dirmngr[17092] DBG: ntbtls(1): server_hello, chosen ciphersuite: 49199 (TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256)
2022-02-21 10:34:12 dirmngr[17092] ntbtls: peer certificate: chain length=3
2022-02-21 10:34:12 dirmngr[17092] DBG: ntbtls(1): comparing hostname ‘hockeypuck.ubuntu.com’ to ‘keyserver.ubuntu.com
2022-02-21 10:34:12 dirmngr[17092] DBG: ntbtls(1): comparing hostname ‘keyserver.ubuntu.com’ to ‘keyserver.ubuntu.com
2022-02-21 10:34:12 dirmngr[17092] certificate already cached
2022-02-21 10:34:12 dirmngr[17092] certificate cached
2022-02-21 10:34:12 dirmngr[17092] Note: non-critical certificate policy not allowed
2022-02-21 10:34:12 dirmngr[17092] certificate is good
2022-02-21 10:34:12 dirmngr[17092] certificate has expired
2022-02-21 10:34:12 dirmngr[17092] (expired at 2021-09-29 19:21:40)
2022-02-21 10:34:12 dirmngr[17092] Note: non-critical certificate policy not allowed
2022-02-21 10:34:12 dirmngr[17092] certificate is good
2022-02-21 10:34:12 dirmngr[17092] certificate has expired
2022-02-21 10:34:12 dirmngr[17092] (expired at 2021-09-30 14:01:15)
2022-02-21 10:34:12 dirmngr[17092] root certificate is good and trusted
2022-02-21 10:34:12 dirmngr[17092] target certificate is NOT valid
2022-02-21 10:34:12 dirmngr[17092] DBG: ntbtls(1): error from the verify callback returned: Certificate expired
2022-02-21 10:34:12 dirmngr[17092] TLS handshake failed: Certificate expired
2022-02-21 10:34:12 dirmngr[17092] error connecting to ‘https://162.213.33.8:443’: Certificate expired
2022-02-21 10:34:12 dirmngr[17092] command ‘KS_SEARCH’ failed: Certificate expired
2022-02-21 10:34:12 dirmngr[17092] handler for fd 712 terminated

tls-debug 2

2022-02-21 10:35:46 dirmngr[22880] listening on socket ‘C:\Users\Kim\AppData\Local\gnupg\S.dirmngr’
2022-02-21 10:35:46 dirmngr[22880] permanently loaded certificates: 180
2022-02-21 10:35:46 dirmngr[22880] runtime cached certificates: 0
2022-02-21 10:35:46 dirmngr[22880] trusted certificates: 180 (180,0,0,0)
2022-02-21 10:35:46 dirmngr[22880] handler for fd 708 started
2022-02-21 10:35:46 dirmngr[22880] resolve_dns_addr for ‘keyserver.ubuntu.com’: ‘162.213.33.9’
2022-02-21 10:35:46 dirmngr[22880] resolve_dns_addr for ‘keyserver.ubuntu.com’: ‘162.213.33.8’
2022-02-21 10:35:46 dirmngr[22880] detected interfaces: IPv4
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): handshake
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): client state: 0 (hello_request)
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): client state: 1 (client_hello)
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): write client_hello
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): client state: 2 (server_hello)
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): read server_hello
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(1): server_hello, chosen version: [3:3]
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(1): server_hello, chosen ciphersuite: 49199 (TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256)
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): server_hello, total extension length: 21
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): found renegotiation extension
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): unknown extension found: 0 (ignoring)
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): found supported_point_formats extension
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): found session_ticket extension
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): client state: 3 (server_certificate)
2022-02-21 10:35:46 dirmngr[22880] ntbtls: peer certificate: chain length=3
2022-02-21 10:35:46 dirmngr[22880]ntbtls: serial: 04cc227c37c5112c6c1b538b751a18451bf6
2022-02-21 10:35:46 dirmngr[22880] ntbtls: issuer: CN=R3,O=Let’s Encrypt,C=US
2022-02-21 10:35:46 dirmngr[22880] ntbtls: subject: CN=hockeypuck.ubuntu.com
2022-02-21 10:35:46 dirmngr[22880] ntbtls: aka: (8:dns-name21:hockeypuck.ubuntu.com)
2022-02-21 10:35:46 dirmngr[22880] ntbtls: aka: (8:dns-name20:keyserver.ubuntu.com)
2022-02-21 10:35:46 dirmngr[22880] ntbtls: notBefore: 2021-12-25 03:20:36
2022-02-21 10:35:46 dirmngr[22880] ntbtls: notAfter: 2022-03-25 03:20:35
2022-02-21 10:35:46 dirmngr[22880] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 10:35:46 dirmngr[22880]ntbtls: serial: 00912b084acf0c18a753f6d62e25a75f5a
2022-02-21 10:35:46 dirmngr[22880] ntbtls: issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
2022-02-21 10:35:46 dirmngr[22880] ntbtls: subject: CN=R3,O=Let’s Encrypt,C=US
2022-02-21 10:35:46 dirmngr[22880] ntbtls: notBefore: 2020-09-04 00:00:00
2022-02-21 10:35:46 dirmngr[22880] ntbtls: notAfter: 2025-09-15 16:00:00
2022-02-21 10:35:46 dirmngr[22880] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 10:35:46 dirmngr[22880]ntbtls: serial: 4001772137d4e942b8ee76aa3c640ab7
2022-02-21 10:35:46 dirmngr[22880] ntbtls: issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2022-02-21 10:35:46 dirmngr[22880] ntbtls: subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
2022-02-21 10:35:46 dirmngr[22880] ntbtls: notBefore: 2021-01-20 19:14:03
2022-02-21 10:35:46 dirmngr[22880] ntbtls: notAfter: 2024-09-30 18:14:03
2022-02-21 10:35:46 dirmngr[22880] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(1): comparing hostname ‘hockeypuck.ubuntu.com’ to ‘keyserver.ubuntu.com
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(1): comparing hostname ‘keyserver.ubuntu.com’ to ‘keyserver.ubuntu.com
2022-02-21 10:35:46 dirmngr[22880] certificate already cached
2022-02-21 10:35:46 dirmngr[22880] certificate cached
2022-02-21 10:35:46 dirmngr[22880] Note: non-critical certificate policy not allowed
2022-02-21 10:35:46 dirmngr[22880] certificate is good
2022-02-21 10:35:46 dirmngr[22880] certificate has expired
2022-02-21 10:35:46 dirmngr[22880] (expired at 2021-09-29 19:21:40)
2022-02-21 10:35:46 dirmngr[22880] Note: non-critical certificate policy not allowed
2022-02-21 10:35:46 dirmngr[22880] certificate is good
2022-02-21 10:35:46 dirmngr[22880] certificate has expired
2022-02-21 10:35:46 dirmngr[22880] (expired at 2021-09-30 14:01:15)
2022-02-21 10:35:46 dirmngr[22880] root certificate is good and trusted
2022-02-21 10:35:46 dirmngr[22880] target certificate is NOT valid
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(1): error from the verify callback returned: Certificate expired
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): handshake ready
2022-02-21 10:35:46 dirmngr[22880] TLS handshake failed: Certificate expired
2022-02-21 10:35:46 dirmngr[22880] error connecting to ‘https://162.213.33.8:443’: Certificate expired
2022-02-21 10:35:46 dirmngr[22880] DBG: ntbtls(2): release
2022-02-21 10:35:46 dirmngr[22880] command ‘KS_SEARCH’ failed: Certificate expired
2022-02-21 10:35:46 dirmngr[22880] handler for fd 708 terminated

tls-debug 3

2022-02-21 10:40:31 dirmngr[2592] listening on socket ‘C:\Users\Kim\AppData\Local\gnupg\S.dirmngr’
2022-02-21 10:40:31 dirmngr[2592] permanently loaded certificates: 180
2022-02-21 10:40:31 dirmngr[2592] runtime cached certificates: 0
2022-02-21 10:40:31 dirmngr[2592] trusted certificates: 180 (180,0,0,0)
2022-02-21 10:40:31 dirmngr[2592] handler for fd 720 started
2022-02-21 10:40:31 dirmngr[2592] resolve_dns_addr for ‘keyserver.ubuntu.com’: ‘162.213.33.9’
2022-02-21 10:40:31 dirmngr[2592] resolve_dns_addr for ‘keyserver.ubuntu.com’: ‘162.213.33.8’
2022-02-21 10:40:31 dirmngr[2592] detected interfaces: IPv4
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): handshake
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): client state: 0 (hello_request)
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): flush output
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): client state: 1 (client_hello)
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): flush output
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): write client_hello
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, max version: [3:3]
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, current time: 1645436431
2022-02-21 10:40:31 dirmngr[2592] DBG: client_hello, random bytes: 62135e0f392dc4c64d93cd9d246245268727da03abf349002ac3e54038f381a1
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, session id len.: 0
2022-02-21 10:40:31 dirmngr[2592] DBG: client_hello, session id:
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, got 78 ciphersuites
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, compress len.: 2
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, compress alg.: 1 0
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, adding server name extension: ‘keyserver.ubuntu.com
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, adding signature_algorithms extension
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client hello, adding supported_elliptic_curves extension
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client hello, adding supported_point_formats extension
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, adding session ticket extension
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): client_hello, total extension length: 83
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): write record
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): output record: msgtype = 22, version = [3:3], msglen = 285
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): flush output
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): message length: 290, out_left: 290
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): es_write returned: success
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): client state: 2 (server_hello)
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): flush output
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): read server_hello
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): read record
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): fetch input
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): in_left: 0, nb_want: 5
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): es_read returned: success
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): input record: msgtype = 22, version = [3:3], msglen = 65
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): fetch input
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): in_left: 5, nb_want: 70
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): es_read returned: success
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): handshake message: msglen = 65, type = 2, hslen = 65
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(1): server_hello, chosen version: [3:3]
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): server_hello, current time: 2411400778
2022-02-21 10:40:31 dirmngr[2592] DBG: server_hello, random bytes: 8fbb0e4a0803168a8830148b455259b7d8239aa390d8cf50444f574e47524401
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): server_hello, session id len.: 0
2022-02-21 10:40:31 dirmngr[2592] DBG: server_hello, session id:
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): no session has been resumed
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(1): server_hello, chosen ciphersuite: 49199 (TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256)
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): server_hello, compress alg.: 0
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): server_hello, total extension length: 21
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): found renegotiation extension
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): unknown extension found: 0 (ignoring)
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): found supported_point_formats extension
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): found session_ticket extension
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): client state: 3 (server_certificate)
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): flush output
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): read certificate
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): read record
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): fetch input
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): in_left: 0, nb_want: 5
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): es_read returned: success
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): input record: msgtype = 22, version = [3:3], msglen = 4056
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): fetch input
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): in_left: 5, nb_want: 4061
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): es_read returned: success
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(3): handshake message: msglen = 4056, type = 11, hslen = 4056
2022-02-21 10:40:31 dirmngr[2592] ntbtls: peer certificate: chain length=3
2022-02-21 10:40:31 dirmngr[2592]ntbtls: serial: 04cc227c37c5112c6c1b538b751a18451bf6
2022-02-21 10:40:31 dirmngr[2592] ntbtls: issuer: CN=R3,O=Let’s Encrypt,C=US
2022-02-21 10:40:31 dirmngr[2592] ntbtls: subject: CN=hockeypuck.ubuntu.com
2022-02-21 10:40:31 dirmngr[2592] ntbtls: aka: (8:dns-name21:hockeypuck.ubuntu.com)
2022-02-21 10:40:31 dirmngr[2592] ntbtls: aka: (8:dns-name20:keyserver.ubuntu.com)
2022-02-21 10:40:31 dirmngr[2592] ntbtls: notBefore: 2021-12-25 03:20:36
2022-02-21 10:40:31 dirmngr[2592] ntbtls: notAfter: 2022-03-25 03:20:35
2022-02-21 10:40:31 dirmngr[2592] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 10:40:31 dirmngr[2592]ntbtls: serial: 00912b084acf0c18a753f6d62e25a75f5a
2022-02-21 10:40:31 dirmngr[2592] ntbtls: issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
2022-02-21 10:40:31 dirmngr[2592] ntbtls: subject: CN=R3,O=Let’s Encrypt,C=US
2022-02-21 10:40:31 dirmngr[2592] ntbtls: notBefore: 2020-09-04 00:00:00
2022-02-21 10:40:31 dirmngr[2592] ntbtls: notAfter: 2025-09-15 16:00:00
2022-02-21 10:40:31 dirmngr[2592] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 10:40:31 dirmngr[2592]ntbtls: serial: 4001772137d4e942b8ee76aa3c640ab7
2022-02-21 10:40:31 dirmngr[2592] ntbtls: issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2022-02-21 10:40:31 dirmngr[2592] ntbtls: subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
2022-02-21 10:40:31 dirmngr[2592] ntbtls: notBefore: 2021-01-20 19:14:03
2022-02-21 10:40:31 dirmngr[2592] ntbtls: notAfter: 2024-09-30 18:14:03
2022-02-21 10:40:31 dirmngr[2592] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(1): comparing hostname ‘hockeypuck.ubuntu.com’ to ‘keyserver.ubuntu.com
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(1): comparing hostname ‘keyserver.ubuntu.com’ to ‘keyserver.ubuntu.com
2022-02-21 10:40:31 dirmngr[2592] certificate already cached
2022-02-21 10:40:31 dirmngr[2592] certificate cached
2022-02-21 10:40:31 dirmngr[2592] Note: non-critical certificate policy not allowed
2022-02-21 10:40:31 dirmngr[2592] certificate is good
2022-02-21 10:40:31 dirmngr[2592] certificate has expired
2022-02-21 10:40:31 dirmngr[2592] (expired at 2021-09-29 19:21:40)
2022-02-21 10:40:31 dirmngr[2592] Note: non-critical certificate policy not allowed
2022-02-21 10:40:31 dirmngr[2592] certificate is good
2022-02-21 10:40:31 dirmngr[2592] certificate has expired
2022-02-21 10:40:31 dirmngr[2592] (expired at 2021-09-30 14:01:15)
2022-02-21 10:40:31 dirmngr[2592] root certificate is good and trusted
2022-02-21 10:40:31 dirmngr[2592] target certificate is NOT valid
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(1): error from the verify callback returned: Certificate expired
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): handshake ready
2022-02-21 10:40:31 dirmngr[2592] TLS handshake failed: Certificate expired
2022-02-21 10:40:31 dirmngr[2592] error connecting to ‘https://162.213.33.8:443’: Certificate expired
2022-02-21 10:40:31 dirmngr[2592] DBG: ntbtls(2): release
2022-02-21 10:40:31 dirmngr[2592] command ‘KS_SEARCH’ failed: Certificate expired
2022-02-21 10:40:31 dirmngr[2592] handler for fd 720 terminated

tls-debug 4 - eh, that’s so long it deserves its own post.

tls-debug 4

2022-02-21 10:41:28 dirmngr[23236] listening on socket ‘C:\Users\Kim\AppData\Local\gnupg\S.dirmngr’
2022-02-21 10:41:28 dirmngr[23236] permanently loaded certificates: 180
2022-02-21 10:41:28 dirmngr[23236] runtime cached certificates: 0
2022-02-21 10:41:28 dirmngr[23236] trusted certificates: 180 (180,0,0,0)
2022-02-21 10:41:28 dirmngr[23236] handler for fd 720 started
2022-02-21 10:41:28 dirmngr[23236] resolve_dns_addr for ‘keyserver.ubuntu.com’: ‘162.213.33.9’
2022-02-21 10:41:28 dirmngr[23236] resolve_dns_addr for ‘keyserver.ubuntu.com’: ‘162.213.33.8’
2022-02-21 10:41:28 dirmngr[23236] detected interfaces: IPv4
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): handshake
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): client state: 0 (hello_request)
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): flush output
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): client state: 1 (client_hello)
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): flush output
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): write client_hello
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, max version: [3:3]
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, current time: 1645436488
2022-02-21 10:41:28 dirmngr[23236] DBG: client_hello, random bytes: 62135e4810234c070d9e6be9d2bb4d0188dea1a0a066e7182b80b2508da2b891
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, session id len.: 0
2022-02-21 10:41:28 dirmngr[23236] DBG: client_hello, session id:
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, got 78 ciphersuites
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, compress len.: 2
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, compress alg.: 1 0
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, adding server name extension: ‘keyserver.ubuntu.com
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, adding signature_algorithms extension
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client hello, adding supported_elliptic_curves extension
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client hello, adding supported_point_formats extension
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, adding session ticket extension
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): client_hello, total extension length: 83
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): write record
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): output record: msgtype = 22, version = [3:3], msglen = 285
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): flush output
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): message length: 290, out_left: 290
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): es_write returned: success
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): client state: 2 (server_hello)
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): flush output
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): read server_hello
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): read record
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): fetch input
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): in_left: 0, nb_want: 5
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): es_read returned: success
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): input record: msgtype = 22, version = [3:3], msglen = 65
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): fetch input
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): in_left: 5, nb_want: 70
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): es_read returned: success
2022-02-21 10:41:28 dirmngr[23236] DBG: input record from network: 16030300410200003d0303d04f2c342d24a3f7cbaebf4c401f6d40d05454fb35
2022-02-21 10:41:28 dirmngr[23236] DBG: 2c939a444f574e4752440100c02f000015ff0100010000000000000b00040300
2022-02-21 10:41:28 dirmngr[23236] DBG: 010200230000
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): handshake message: msglen = 65, type = 2, hslen = 65
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(1): server_hello, chosen version: [3:3]
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): server_hello, current time: 3494849588
2022-02-21 10:41:28 dirmngr[23236] DBG: server_hello, random bytes: d04f2c342d24a3f7cbaebf4c401f6d40d05454fb352c939a444f574e47524401
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): server_hello, session id len.: 0
2022-02-21 10:41:28 dirmngr[23236] DBG: server_hello, session id:
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): no session has been resumed
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(1): server_hello, chosen ciphersuite: 49199 (TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256)
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): server_hello, compress alg.: 0
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): server_hello, total extension length: 21
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): found renegotiation extension
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): unknown extension found: 0 (ignoring)
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): found supported_point_formats extension
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(4): point format selected: 0
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): found session_ticket extension
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): client state: 3 (server_certificate)
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): flush output
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): read certificate
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): read record
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): fetch input
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): in_left: 0, nb_want: 5
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): es_read returned: success
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): input record: msgtype = 22, version = [3:3], msglen = 4056
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): fetch input
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): in_left: 5, nb_want: 4061
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): es_read returned: success
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(3): handshake message: msglen = 4056, type = 11, hslen = 4056
2022-02-21 10:41:28 dirmngr[23236] ntbtls: peer certificate: chain length=3
2022-02-21 10:41:28 dirmngr[23236]ntbtls: serial: 04cc227c37c5112c6c1b538b751a18451bf6
2022-02-21 10:41:28 dirmngr[23236] ntbtls: issuer: CN=R3,O=Let’s Encrypt,C=US
2022-02-21 10:41:28 dirmngr[23236] ntbtls: subject: CN=hockeypuck.ubuntu.com
2022-02-21 10:41:28 dirmngr[23236] ntbtls: aka: (8:dns-name21:hockeypuck.ubuntu.com)
2022-02-21 10:41:28 dirmngr[23236] ntbtls: aka: (8:dns-name20:keyserver.ubuntu.com)
2022-02-21 10:41:28 dirmngr[23236] ntbtls: notBefore: 2021-12-25 03:20:36
2022-02-21 10:41:28 dirmngr[23236] ntbtls: notAfter: 2022-03-25 03:20:35
2022-02-21 10:41:28 dirmngr[23236] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 10:41:28 dirmngr[23236]ntbtls: serial: 00912b084acf0c18a753f6d62e25a75f5a
2022-02-21 10:41:28 dirmngr[23236] ntbtls: issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
2022-02-21 10:41:28 dirmngr[23236] ntbtls: subject: CN=R3,O=Let’s Encrypt,C=US
2022-02-21 10:41:28 dirmngr[23236] ntbtls: notBefore: 2020-09-04 00:00:00
2022-02-21 10:41:28 dirmngr[23236] ntbtls: notAfter: 2025-09-15 16:00:00
2022-02-21 10:41:28 dirmngr[23236] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 10:41:28 dirmngr[23236]ntbtls: serial: 4001772137d4e942b8ee76aa3c640ab7
2022-02-21 10:41:28 dirmngr[23236] ntbtls: issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2022-02-21 10:41:28 dirmngr[23236] ntbtls: subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
2022-02-21 10:41:28 dirmngr[23236] ntbtls: notBefore: 2021-01-20 19:14:03
2022-02-21 10:41:28 dirmngr[23236] ntbtls: notAfter: 2024-09-30 18:14:03
2022-02-21 10:41:28 dirmngr[23236] ntbtls: hashAlgo: 1.2.840.113549.1.1.11
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(1): comparing hostname ‘hockeypuck.ubuntu.com’ to ‘keyserver.ubuntu.com
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(1): comparing hostname ‘keyserver.ubuntu.com’ to ‘keyserver.ubuntu.com
2022-02-21 10:41:28 dirmngr[23236] certificate already cached
2022-02-21 10:41:28 dirmngr[23236] certificate cached
2022-02-21 10:41:28 dirmngr[23236] Note: non-critical certificate policy not allowed
2022-02-21 10:41:28 dirmngr[23236] certificate is good
2022-02-21 10:41:28 dirmngr[23236] certificate has expired
2022-02-21 10:41:28 dirmngr[23236] (expired at 2021-09-29 19:21:40)
2022-02-21 10:41:28 dirmngr[23236] Note: non-critical certificate policy not allowed
2022-02-21 10:41:28 dirmngr[23236] certificate is good
2022-02-21 10:41:28 dirmngr[23236] certificate has expired
2022-02-21 10:41:28 dirmngr[23236] (expired at 2021-09-30 14:01:15)
2022-02-21 10:41:28 dirmngr[23236] root certificate is good and trusted
2022-02-21 10:41:28 dirmngr[23236] target certificate is NOT valid
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(1): error from the verify callback returned: Certificate expired
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): handshake ready
2022-02-21 10:41:28 dirmngr[23236] TLS handshake failed: Certificate expired
2022-02-21 10:41:28 dirmngr[23236] error connecting to ‘https://162.213.33.9:443’: Certificate expired
2022-02-21 10:41:28 dirmngr[23236] DBG: ntbtls(2): release
2022-02-21 10:41:28 dirmngr[23236] command ‘KS_SEARCH’ failed: Certificate expired
2022-02-21 10:41:28 dirmngr[23236] handler for fd 720 terminated

So, is there something I can do?
Import some extra LetsEncrypt certificate?

I’m fairly sure I did do something back when LE revoked their old certs. Not related to gpg, but to make websites work properly.

Oh, I tried removing the old DST Root CA X3 from trusted CAs, but something seems to pull it back in.

I thought I could remove it and reboot, and dirmngr would stop referring to it, but since something is pulling it back into the trusted CAs, that’s not going to work.

I instead ran an sslabs test on keyserver.ubuntu.com and it turns out they still have the old DST Root CA X3 certificate as part of the certificate chain.

Not all apps are able to overlook that one of the cert paths is invalid. Discussed here.
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

I tried #1, which it seems I’m not able to, as the certificate is automatically reinstated.
#2 & #3 I think are out of my hands.

Here it is said that recent gpg4win or gnupg shouldn’t have this problem.
https://dev.gnupg.org/T5639#153249

But the log is obviously showing that dirmngr is using the wrong certificate chain to base its validity decision on.

Earlier today I re-installed 2.3.4 after verifying that all gpg related processes were dead.
afaik there is no other dirmngr on my system.
It recognises changes in the conf.
When I check the path of dirmngr.exe in TaskMan it’s the correct one, from 2021-12-20.
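
One way to check the log above against the chain the server actually sent, as an added example (not part of the thread and not GnuPG code): it parses the certificates dirmngr printed and compares the two "expired at" times with their notAfter values. The log lines are excerpted from the post above; the function names `parse` and `diagnose` are hypothetical.

```python
import re
from datetime import datetime

# Excerpt of the dirmngr log posted above (aka, hashAlgo and DBG lines left out).
LOG = """\
2022-02-21 10:41:28 dirmngr[23236]ntbtls: serial: 04cc227c37c5112c6c1b538b751a18451bf6
2022-02-21 10:41:28 dirmngr[23236] ntbtls: issuer: CN=R3,O=Let’s Encrypt,C=US
2022-02-21 10:41:28 dirmngr[23236] ntbtls: subject: CN=hockeypuck.ubuntu.com
2022-02-21 10:41:28 dirmngr[23236] ntbtls: notBefore: 2021-12-25 03:20:36
2022-02-21 10:41:28 dirmngr[23236] ntbtls: notAfter: 2022-03-25 03:20:35
2022-02-21 10:41:28 dirmngr[23236]ntbtls: serial: 00912b084acf0c18a753f6d62e25a75f5a
2022-02-21 10:41:28 dirmngr[23236] ntbtls: issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
2022-02-21 10:41:28 dirmngr[23236] ntbtls: subject: CN=R3,O=Let’s Encrypt,C=US
2022-02-21 10:41:28 dirmngr[23236] ntbtls: notBefore: 2020-09-04 00:00:00
2022-02-21 10:41:28 dirmngr[23236] ntbtls: notAfter: 2025-09-15 16:00:00
2022-02-21 10:41:28 dirmngr[23236]ntbtls: serial: 4001772137d4e942b8ee76aa3c640ab7
2022-02-21 10:41:28 dirmngr[23236] ntbtls: issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2022-02-21 10:41:28 dirmngr[23236] ntbtls: subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
2022-02-21 10:41:28 dirmngr[23236] ntbtls: notBefore: 2021-01-20 19:14:03
2022-02-21 10:41:28 dirmngr[23236] ntbtls: notAfter: 2024-09-30 18:14:03
2022-02-21 10:41:28 dirmngr[23236] (expired at 2021-09-29 19:21:40)
2022-02-21 10:41:28 dirmngr[23236] (expired at 2021-09-30 14:01:15)
"""

FMT = "%Y-%m-%d %H:%M:%S"
FIELD = re.compile(r"\]\s*ntbtls: (serial|issuer|subject|notBefore|notAfter): (.+)$")
EXPIRED = re.compile(r"\(expired at (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\)")
STAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ")

def parse(log):
    """Return (served chain, reported 'expired at' times, time of the first log line)."""
    chain, expired, now = [], [], None
    for line in log.splitlines():
        if now is None and (m := STAMP.match(line)):
            now = datetime.strptime(m.group(1), FMT)
        if m := FIELD.search(line):
            key, val = m.groups()
            if key == "serial":              # a serial line opens each certificate
                chain.append({})
            if chain:
                chain[-1][key] = datetime.strptime(val, FMT) if key.startswith("not") else val
        elif m := EXPIRED.search(line):
            expired.append(datetime.strptime(m.group(1), FMT))
    return chain, expired, now

def diagnose(log):
    """Separate expiry inside the served chain from expiry reported for other certificates."""
    chain, expired, now = parse(log)
    served_not_after = {c["notAfter"] for c in chain}
    return {
        "links": [(c["subject"], c["issuer"]) for c in chain],
        # Log time is local and notAfter is UTC; the margins here are weeks, not hours.
        "served_expired": [c["subject"] for c in chain if c["notAfter"] < now],
        # Reported expiry times that match no certificate the server sent.
        "foreign_expiries": [e for e in expired if e not in served_not_after],
    }

if __name__ == "__main__":
    print(diagnose(LOG))
```

For this log, `served_expired` is empty and both reported expiry times land in `foreign_expiries`: none of the three certificates in the handshake had expired at the time of the request, so the two expired certificates were not among those the server sent.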