On Sat, 2021-07-31 at 19:56 +0200, Rainer Fiebig wrote:
> Am 31.07.21 um 17:40 schrieb Werner Koch:
> > On Thu, 29 Jul 2021 18:36, Andrew Gallagher said:
> >
> > > If you built gnupg from its default configuration, it does not
> > > automatically look in /etc/ssl/certs for CA certificates. You may want
> >
> > On Unix and unless gnupg was built with --with-default-trust-store-file
> > the following collections of certificates are used for TLS:
> >
> > { "/etc/ssl/ca-bundle.pem" },
> > { "/etc/ssl/certs/ca-certificates.crt" },
> > { "/etc/pki/tls/cert.pem" },
> > { "/usr/local/share/certs/ca-root-nss.crt" },
> > { "/etc/ssl/cert.pem" }
> >
Hi Werner,

Our "recommended" configuration in BLFS is: gnutls is built with p11-kit
and --with-default-trust-store-pkcs11="pkcs11:", and gnupg is built with
gnutls. So gnupg "should" use certificates from the p11-kit trust store, I
think? And it works for me.

I saw your discussion with "curl". In BLFS curl uses OpenSSL instead of
GnuTLS, so they actually have different trust stores. GnuTLS (using
p11-kit) uses /etc/pki/anchors, OpenSSL uses /etc/ssl/certs.

I remember once an unclean shutdown caused a similar issue on my system
(/etc/pki/anchors was disrupted, and every program using GnuTLS just
started to distrust every certificate).

Hi Rainer,

Try "gnutls-cli keys.openpgp.org". If it does not get into "Simple
Client Mode" as expected, it means the p11-kit trust store may be disrupted.
Try "make-ca -f -g" to rebuild it.

And check if your p11-kit was built with
-Dtrust_paths=/etc/pki/anchors as the BLFS book says. If not sure,
rebuild it. (I can also remember once I mistyped the path, and this also
caused every program using GnuTLS to start distrusting every
certificate.)

--
Xi Ruoyao <[email protected]>
School of Aerospace Science and Technology, Xidian University
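The following script is an added example for readers of this thread, not code from any of the posters or from the GnuPG, GnuTLS or BLFS projects. It turns the checks discussed above into one diagnostic: which of the fallback CA bundles Werner lists actually exists on the box, how many anchors the p11-kit trust directory from the BLFS book (/etc/pki/anchors) holds, whether p11-kit was configured with that path, and, only when a host name is passed, the gnutls-cli probe Xi suggests. Assumptions made here and not stated in the thread: that p11-kit-1.pc exports the configured path as the pkg-config variable p11_trust_paths, that the anchors directory holds PEM files, and that gnutls-cli exits non-zero when the server chain does not verify.

```shell
#!/bin/sh
# Added diagnostic for the trust-store mismatch discussed in the thread.
# Not part of GnuPG, GnuTLS, p11-kit or BLFS; see the assumptions below.

# Fallback bundle list quoted by Werner for a GnuPG built without
# --with-default-trust-store-file. Order matters: the first hit wins.
GNUPG_DEFAULT_BUNDLES="/etc/ssl/ca-bundle.pem
/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/cert.pem
/usr/local/share/certs/ca-root-nss.crt
/etc/ssl/cert.pem"

# Trust path the BLFS book says to pass to p11-kit as -Dtrust_paths=...
BLFS_TRUST_PATH=/etc/pki/anchors

# first_existing_bundle [FILE...]: print the first readable, non-empty file
# from the arguments (default: GNUPG_DEFAULT_BUNDLES); exit 1 if none exists.
first_existing_bundle() {
    [ $# -eq 0 ] && set -- $GNUPG_DEFAULT_BUNDLES
    for f in "$@"; do
        if [ -r "$f" ] && [ -s "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# count_anchors DIR: number of PEM certificates found under DIR.
# Assumption: anchors are stored as PEM. A missing or empty directory yields
# 0, which is the "every GnuTLS program distrusts everything" state from the
# thread.
count_anchors() {
    find "$1" -type f -exec cat {} + 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# configured_trust_path: ask pkg-config what p11-kit was built with.
# Assumption: p11-kit-1.pc exports the value as the variable p11_trust_paths.
configured_trust_path() {
    pkg-config --variable=p11_trust_paths p11-kit-1 2>/dev/null
}

# tls_probe HOST: the gnutls-cli check from the thread as a pass/fail.
# Assumption: gnutls-cli exits non-zero when the chain does not verify.
tls_probe() {
    gnutls-cli "$1" </dev/null >/dev/null 2>&1
}

# report [HOST]: print the findings; the network probe runs only with HOST.
report() {
    echo "CA bundle dirmngr would fall back to: $(first_existing_bundle || echo none)"
    echo "p11-kit anchors under $BLFS_TRUST_PATH: $(count_anchors "$BLFS_TRUST_PATH")"
    echo "p11-kit configured trust path: $(configured_trust_path || echo unknown)"
    if [ "$(configured_trust_path)" != "$BLFS_TRUST_PATH" ]; then
        echo "WARNING: p11-kit trust path is not $BLFS_TRUST_PATH;" \
             "rebuild p11-kit with -Dtrust_paths=$BLFS_TRUST_PATH or run make-ca -f -g"
    fi
    if [ $# -gt 0 ]; then
        if tls_probe "$1"; then
            echo "TLS to $1: chain verified"
        else
            echo "TLS to $1: FAILED (trust store is likely broken)"
        fi
    fi
}

report "$@"
```

Run it with no arguments for the offline checks, or as `sh trustcheck.sh keys.openpgp.org` to add the live handshake. A non-zero anchor count together with a failing probe points at a stale or mistyped trust path rather than at missing certificates, which is the distinction the thread is drawing between the GnuTLS and OpenSSL stores.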
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users