Re: Gpg4win LetsEncrypt issue

2022-02-14 Thread David Kačerek via Gnupg-users

-- Original Message --
From: "Werner Koch via Gnupg-users" 
To:
Sent: 11.01.2022 11:52:00
Subject: Gpg4win LetsEncrypt issue


For details please see https://dev.gnupg.org/T5639 which was fixed with
GnuPG 2.2.32 and 2.3.4.

Hello,
I'd say the problem is fixed in neither GnuPG 2.2.32 nor 2.3.4. At 
least not on Windows 10. Along with Alex Nadtoka & Anze Jensterle, I'm 
another person suffering from the same issue.
If I try to search for some keys on some keyserver not using the Let's 
Encrypt certificate, like hkp(s)://keyserver-01.2ndquadrant.com, there's 
no problem.


If I try to search on hkp://keyserver.ubuntu.com, there's no problem as 
well.


But if I try to search on hkps://keyserver.ubuntu.com or 
hkp(s)://keys.openpgp.org, I'm getting:

C:\Users\David>gpg --keyserver hkps://keyserver.ubuntu.com --search-keys opensuse

gpg: error searching keyserver: Certificate expired
gpg: keyserver search failed: Certificate expired

Both keyserver.ubuntu.com and keys.openpgp.org key servers use the LE 
certificate. On a side note, I wonder why hkp://keys.openpgp.org doesn't 
work either since the hkp:// protocol works on top of HTTP and not HTTPS, 
but that's another issue.


If I remove the invalid intermediate certificate R3, issued by DST Root 
CA X3, expired on 09/29/2021 from certmgr.msc and then reload dirmngr, 
"certificate expired" error no longer shows in any case.


I've checked I have the new valid intermediate certificate R3, issued by 
ISRG Root X1, expiring on 09/15/2025 present in certmgr.msc and yet in 
such a case dirmngr shows in its log that it still tries the old 
verification path when the invalid R3 cert is installed. I would attach 
the whole log but it's partly in Czech and I don't know how to switch 
the output fully to English since it doesn't work despite setting the 
LC_MESSAGES=C variable.


So to me, it seems that both GnuPG 2.2.32 and 2.3.4 (installed via 
GnuPG4Win 4.0) on Win10 still suffer from the issue. So can we re-open 
the bug report https://dev.gnupg.org/T5639 or 
https://dev.gnupg.org/T5744 or should I create another one?


Thanks,
David K.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
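
A simplified model of the behaviour described in this message, added here as an example (it is not code from GnuPG, dirmngr or anyone in the thread): a path builder that commits to the first matching issuer fails on the expired R3 even though the valid R3 is installed, while a builder that tries every candidate succeeds. The Cert class, the function names and the leaf and root dates are assumptions; only the two R3 expiry dates come from the message.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class PathError(Exception):
    """Raised when the builder ends up with an unacceptable path."""


# The two R3 expiry dates are the ones quoted in the message above.
R3_OLD = Cert("R3", "DST Root CA X3", date(2021, 9, 29))
R3_NEW = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
# Constructed sample values (assumptions for this model only).
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
ISRG_ROOT = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
LEAF = Cert("keyserver.example", "R3", date(2022, 4, 1))
TODAY = date(2022, 2, 14)
MAX_DEPTH = 8


def issuers_of(cert, intermediates, roots):
    """All stored certificates whose subject matches cert's issuer name."""
    return [c for c in list(intermediates) + list(roots) if c.subject == cert.issuer]


def validate(path, roots, today):
    """Reject a finished path if any member is expired or the root is untrusted."""
    for c in path:
        if c.not_after < today:
            raise PathError(f"expired: {c.subject} issued by {c.issuer}")
    if path[-1] not in roots:
        raise PathError(f"untrusted root: {path[-1].subject}")
    return path


def build_first_match(leaf, intermediates, roots, today=TODAY):
    """Naive builder: commit to the first issuer found, validate afterwards."""
    path = [leaf]
    while not path[-1].self_signed:
        candidates = issuers_of(path[-1], intermediates, roots)
        if not candidates or len(path) >= MAX_DEPTH:
            raise PathError(f"missing issuer for {path[-1].subject}")
        path.append(candidates[0])
    return validate(path, roots, today)


def build_any_valid(leaf, intermediates, roots, today=TODAY, prefix=()):
    """Backtracking builder: try every candidate issuer, skip expired ones."""
    path = list(prefix) + [leaf]
    if leaf.not_after < today or len(path) > MAX_DEPTH:
        return None
    if leaf.self_signed:
        return path if leaf in roots else None
    for candidate in issuers_of(leaf, intermediates, roots):
        found = build_any_valid(candidate, intermediates, roots, today, path)
        if found:
            return found
    return None


def outcome(builder, intermediates, roots):
    """Return the chain as 'subject<-issuer' strings, or the failure reason."""
    try:
        path = builder(LEAF, intermediates, roots)
    except PathError as exc:
        return str(exc)
    if path is None:
        return "no valid path"
    return [f"{c.subject}<-{c.issuer}" for c in path]


if __name__ == "__main__":
    roots = [DST_ROOT, ISRG_ROOT]
    both = [R3_OLD, R3_NEW]
    print("stale R3 cached, first match: ", outcome(build_first_match, both, roots))
    print("stale R3 removed, first match:", outcome(build_first_match, [R3_NEW], roots))
    print("stale R3 cached, backtracking:", outcome(build_any_valid, both, roots))
    print("DST root removed, first match:", outcome(build_first_match, both, [ISRG_ROOT]))
```
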


Re: Gpg4win LetsEncrypt issue

2022-01-11 Thread Werner Koch via Gnupg-users
On Thu,  6 Jan 2022 15:33, Anze Jensterle said:

> checked multiple times). Only deleting the old intermediates instead of the
> root helped. Do you also check all the intermediate paths?

Sure.  My former answer was simply wrong.

For details please see https://dev.gnupg.org/T5639 which was fixed with
GnuPG 2.2.32 and 2.3.4.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Gpg4win LetsEncrypt issue

2022-01-07 Thread Bernhard Reiter
On Wednesday, 05 January 2022 09:16:52, Alex Nadtoka via Gnupg-users wrote:
> Is there a way to enable more detailed debug mode so I can see the path for
> the certificate that dirmngr is using?

Use dirmngr.conf to add more diagnostic output, e.g.
  
log-file c:\XYZ
debug-level advanced

and restart dirmngr and do a request.
(reload could be done by 
 gpgconf --reload dirmngr
)

Regards
Bernhard

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner




Re: Gpg4win LetsEncrypt issue

2022-01-06 Thread Alex Nadtoka via Gnupg-users
Yes, as well as for me. I was using the latest gpg software


Thu, 6 Jan 2022 at 10:32, Werner Koch wrote:

> Hi!
>
> instead of working around the problem, I strongly suggest to update
> gpg4win to 4.0 or at least install gnupg 2.2.33 on top of an older
> gpg4win.  This fixes the problem without a need to tweak the root cert
> store.
>
>
> Salam-Shalom,
>
>Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>


Re: Gpg4win LetsEncrypt issue

2022-01-06 Thread Anze Jensterle
That's the weird thing: I had the new root installed all this time (I
checked multiple times). Only deleting the old intermediates instead of the
root helped. Do you also check all the intermediate paths?
So the path to verify was SERVER->INTERMEDIATE(R3 signed by DST Root)->DST
ROOT, both the SERVER->INTERMEDIATE (R3 signed by ISRG Root X1)->ISRG ROOT
(cross-signed by DST), or the  SERVER->INTERMEDIATE (R3 signed by ISRG Root
X1)->ISRG ROOT (self-signed) never happened.
Best,
Anze

On Thu, Jan 6, 2022 at 3:30 PM Werner Koch  wrote:

> On Thu,  6 Jan 2022 12:02, Anze Jensterle said:
>
> > Any idea why? I suspect it has to do with old intermediates being
> > cross-signed as well.
>
> If you don't have the current LE root certificate the old certification
> path is tried.
>
>
> Shalom-Salam,
>
>Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>


Re: Gpg4win LetsEncrypt issue

2022-01-06 Thread Werner Koch via Gnupg-users
On Thu,  6 Jan 2022 12:02, Anze Jensterle said:

> Any idea why? I suspect it has to do with old intermediates being
> cross-signed as well.

If you don't have the current LE root certificate the old certification
path is tried.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Gpg4win LetsEncrypt issue

2022-01-06 Thread Anze Jensterle
Hi Werner,
This was happening to me on the latest 2.3.4 with gpg4win 4.

Any idea why? I suspect it has to do with old intermediates being
cross-signed as well.

Best,
Anze

On Thu, 6 Jan 2022 at 09:41 Werner Koch via Gnupg-users <
gnupg-users@gnupg.org> wrote:

> Hi!
>
> instead of working around the problem, I strongly suggest to update
> gpg4win to 4.0 or at least install gnupg 2.2.33 on top of an older
> gpg4win.  This fixes the problem without a need to tweak the root cert
> store.
>
>
> Salam-Shalom,
>
>Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


Re: Gpg4win LetsEncrypt issue

2022-01-06 Thread Werner Koch via Gnupg-users
Hi!

instead of working around the problem, I strongly suggest to update
gpg4win to 4.0 or at least install gnupg 2.2.33 on top of an older
gpg4win.  This fixes the problem without a need to tweak the root cert
store.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Gpg4win LetsEncrypt issue

2022-01-05 Thread Alex Nadtoka via Gnupg-users
Ok for me the fix was by importing this intermediate certificate to
intermediates in user profile and local computer

https://letsencrypt.org/certs/lets-encrypt-r3.pem

I guess old r3 should be removed and new one added

Regards,
Oleksandr

Wed, 5 Jan 2022 at 10:16, Alex Nadtoka wrote:

> I found one such certificate and removed it but the issue is still there.
> Is there a way to enable more detailed debug mode so I can see the path for
> the certificate that dirmngr is using?
>
> Regards,
> Oleksandr
>
> Wed, 5 Jan 2022 at 02:44, Anze Jensterle wrote:
>
>> OK, I seem to have solved the issue.
>> @Alex Nadtoka  Deleting the DST Root is not
>> needed. Make sure to delete the certificate name "Let's Encrypt X1" or
>> similar and "R3" from the user and system store. They are not stored under
>> "Trusted Roots" but under "Intermediate CAs". After I deleted all the old
>> cached intermediates I am able to use a keyserver again.
>>
>> Best,
>> Anze
>>
>> On Wed, Jan 5, 2022 at 1:26 AM Anze Jensterle  wrote:
>>
>>> I am having the same issue on GnuPG version 2.3.4.
>>> If I have the DST root in my Trust Root Store I get Certificate expired,
>>> if I don't have it in there I get "No inquire callback in IPC" and Dirmngr
>>> logs "error connecting to 'https://keys.openpgp.org:443': Missing
>>> issuer certificate".
>>> Any idea why this would still happen?
>>>
>>> Best,
>>> Anze
>>>
>>> On Tue, Jan 4, 2022 at 3:46 PM Alex Nadtoka via Gnupg-users <
>>> gnupg-users@gnupg.org> wrote:
>>>
>>>> I do have installed ISRG Root X1 and  X2
>>>> But I noticed that DST Root CA X3 appeared again in the system...
>>>> weird. deleted it with admin privileges from entire PC
>>>>
>>>> Tue, 4 Jan 2022 at 15:14, Andrew Gallagher via Gnupg-users <
>>>> gnupg-users@gnupg.org> wrote:
>>>>
>>>>>
>>>>> On 4 Jan 2022, at 12:15, Alex Nadtoka  wrote:
>>>>>
>>>>> yes thanks, tried disabling it but error was still there. So I
>>>>> deleted  DST Root CA X3 . At the moment I see error from dirmngr
>>>>> 2.3.4: no CA certificate found
>>>>> And
>>>>> error searching keyserver: "No inquire callback in IPC"
>>>>> Not sure if it is still because of root certificate. Will try to
>>>>> google now
>>>>>
>>>>>
>>>>> You probably don’t have the new root certificate installed then. You
>>>>> should be able to download it from letsencrypt.org
>>>>>
>>>>> A


Re: Gpg4win LetsEncrypt issue

2022-01-05 Thread Alex Nadtoka via Gnupg-users
I found one such certificate and removed it but the issue is still there.
Is there a way to enable more detailed debug mode so I can see the path for
the certificate that dirmngr is using?

Regards,
Oleksandr

Wed, 5 Jan 2022 at 02:44, Anze Jensterle wrote:

> OK, I seem to have solved the issue.
> @Alex Nadtoka  Deleting the DST Root is not
> needed. Make sure to delete the certificate name "Let's Encrypt X1" or
> similar and "R3" from the user and system store. They are not stored under
> "Trusted Roots" but under "Intermediate CAs". After I deleted all the old
> cached intermediates I am able to use a keyserver again.
>
> Best,
> Anze
>
> On Wed, Jan 5, 2022 at 1:26 AM Anze Jensterle  wrote:
>
>> I am having the same issue on GnuPG version 2.3.4.
>> If I have the DST root in my Trust Root Store I get Certificate expired,
>> if I don't have it in there I get "No inquire callback in IPC" and Dirmngr
>> logs "error connecting to 'https://keys.openpgp.org:443': Missing issuer
>> certificate".
>> Any idea why this would still happen?
>>
>> Best,
>> Anze
>>
>> On Tue, Jan 4, 2022 at 3:46 PM Alex Nadtoka via Gnupg-users <
>> gnupg-users@gnupg.org> wrote:
>>
>>> I do have installed ISRG Root X1 and  X2
>>> But I noticed that DST Root CA X3 appeared again in the system...
>>> weird. deleted it with admin privileges from entire PC
>>>
>>> Tue, 4 Jan 2022 at 15:14, Andrew Gallagher via Gnupg-users <
>>> gnupg-users@gnupg.org> wrote:
>>>
>>>>
>>>> On 4 Jan 2022, at 12:15, Alex Nadtoka  wrote:
>>>>
>>>> yes thanks, tried disabling it but error was still there. So I deleted  DST
>>>> Root CA X3 . At the moment I see error from dirmngr 2.3.4: no CA
>>>> certificate found
>>>> And
>>>> error searching keyserver: "No inquire callback in IPC"
>>>> Not sure if it is still because of root certificate. Will try to google
>>>> now
>>>>
>>>>
>>>> You probably don’t have the new root certificate installed then. You
>>>> should be able to download it from letsencrypt.org
>>>>
>>>> A


Re: Gpg4win LetsEncrypt issue

2022-01-04 Thread Anze Jensterle
OK, I seem to have solved the issue.
@Alex Nadtoka  Deleting the DST Root is not needed.
Make sure to delete the certificate name "Let's Encrypt X1" or similar and
"R3" from the user and system store. They are not stored under "Trusted
Roots" but under "Intermediate CAs". After I deleted all the old cached
intermediates I am able to use a keyserver again.

Best,
Anze

On Wed, Jan 5, 2022 at 1:26 AM Anze Jensterle  wrote:

> I am having the same issue on GnuPG version 2.3.4.
> If I have the DST root in my Trust Root Store I get Certificate expired,
> if I don't have it in there I get "No inquire callback in IPC" and Dirmngr
> logs "error connecting to 'https://keys.openpgp.org:443': Missing issuer
> certificate".
> Any idea why this would still happen?
>
> Best,
> Anze
>
> On Tue, Jan 4, 2022 at 3:46 PM Alex Nadtoka via Gnupg-users <
> gnupg-users@gnupg.org> wrote:
>
>> I do have installed ISRG Root X1 and  X2
>> But I noticed that DST Root CA X3 appeared again in the system... weird.
>> deleted it with admin privileges from entire PC
>>
>> Tue, 4 Jan 2022 at 15:14, Andrew Gallagher via Gnupg-users <
>> gnupg-users@gnupg.org> wrote:
>>
>>>
>>> On 4 Jan 2022, at 12:15, Alex Nadtoka  wrote:
>>>
>>> yes thanks, tried disabling it but error was still there. So I deleted  DST
>>> Root CA X3 . At the moment I see error from dirmngr 2.3.4: no CA
>>> certificate found
>>> And
>>> error searching keyserver: "No inquire callback in IPC"
>>> Not sure if it is still because of root certificate. Will try to google
>>> now
>>>
>>>
>>> You probably don’t have the new root certificate installed then. You
>>> should be able to download it from letsencrypt.org
>>>
>>> A


Re: Gpg4win LetsEncrypt issue

2022-01-04 Thread Anze Jensterle
I am having the same issue on GnuPG version 2.3.4.
If I have the DST root in my Trust Root Store I get Certificate expired, if
I don't have it in there I get "No inquire callback in IPC" and Dirmngr
logs "error connecting to 'https://keys.openpgp.org:443': Missing issuer
certificate".
Any idea why this would still happen?

Best,
Anze

On Tue, Jan 4, 2022 at 3:46 PM Alex Nadtoka via Gnupg-users <
gnupg-users@gnupg.org> wrote:

> I do have installed ISRG Root X1 and  X2
> But I noticed that DST Root CA X3 appeared again in the system... weird.
> deleted it with admin privileges from entire PC
>
> Tue, 4 Jan 2022 at 15:14, Andrew Gallagher via Gnupg-users <
> gnupg-users@gnupg.org> wrote:
>
>>
>> On 4 Jan 2022, at 12:15, Alex Nadtoka  wrote:
>>
>> yes thanks, tried disabling it but error was still there. So I deleted  DST
>> Root CA X3 . At the moment I see error from dirmngr 2.3.4: no CA
>> certificate found
>> And
>> error searching keyserver: "No inquire callback in IPC"
>> Not sure if it is still because of root certificate. Will try to google
>> now
>>
>>
>> You probably don’t have the new root certificate installed then. You
>> should be able to download it from letsencrypt.org
>>
>> A


Re: Gpg4win LetsEncrypt issue

2022-01-04 Thread Alex Nadtoka via Gnupg-users
I do have installed ISRG Root X1 and  X2
But I noticed that DST Root CA X3 appeared again in the system... weird.
deleted it with admin privileges from entire PC

Tue, 4 Jan 2022 at 15:14, Andrew Gallagher via Gnupg-users <
gnupg-users@gnupg.org> wrote:

>
> On 4 Jan 2022, at 12:15, Alex Nadtoka  wrote:
>
> yes thanks, tried disabling it but error was still there. So I deleted  DST
> Root CA X3 . At the moment I see error from dirmngr 2.3.4: no CA
> certificate found
> And
> error searching keyserver: "No inquire callback in IPC"
> Not sure if it is still because of root certificate. Will try to google now
>
>
> You probably don’t have the new root certificate installed then. You
> should be able to download it from letsencrypt.org
>
> A


Re: Gpg4win LetsEncrypt issue

2022-01-04 Thread Andrew Gallagher via Gnupg-users

> On 4 Jan 2022, at 12:15, Alex Nadtoka  wrote:
> 
> yes thanks, tried disabling it but error was still there. So I deleted  DST 
> Root CA X3 . At the moment I see error from dirmngr 2.3.4: no CA certificate 
> found 
> And 
>  error searching keyserver: "No inquire callback in IPC"
> 
> Not sure if it is still because of root certificate. Will try to google now

You probably don’t have the new root certificate installed then. You should be 
able to download it from letsencrypt.org

A


Re: Gpg4win LetsEncrypt issue

2022-01-04 Thread Alex Nadtoka via Gnupg-users
yes thanks, tried disabling it but error was still there. So I deleted  DST
Root CA X3 . At the moment I see error from dirmngr 2.3.4: no CA
certificate found
And
error searching keyserver: "No inquire callback in IPC"
Not sure if it is still because of root certificate. Will try to google now

Mon, 3 Jan 2022 at 19:23, Andrew Gallagher via Gnupg-users <
gnupg-users@gnupg.org> wrote:

> On Fri, 2021-12-31 at 23:23 +0200, Alex Nadtoka wrote:
> > Ok, thanks. Where on the client end i can remove it?
>
> This blog appears to do it correctly (to the best of my knowledge) and
> as its worked example uses the very same CA certificate that we have
> just been discussing:
>
>
> https://www.thesslstore.com/blog/how-to-remove-certificates-from-windows-10/
>
> A


Re: Gpg4win LetsEncrypt issue

2022-01-03 Thread Andrew Gallagher via Gnupg-users
On Fri, 2021-12-31 at 23:23 +0200, Alex Nadtoka wrote:
> Ok, thanks. Where on the client end i can remove it?

This blog appears to do it correctly (to the best of my knowledge) and
as its worked example uses the very same CA certificate that we have
just been discussing:  

https://www.thesslstore.com/blog/how-to-remove-certificates-from-windows-10/

A




Re: Gpg4win LetsEncrypt issue

2021-12-31 Thread Alex Nadtoka via Gnupg-users
Ok, thanks. Where on the client end I can remove it?

Thu, 30 Dec 2021, 23:12 Andrew Gallagher via Gnupg-users <
gnupg-users@gnupg.org>:

>
> > On 30 Dec 2021, at 16:27, Alex Nadtoka  wrote:
> >
> > Even if I remove root certificate from the server it will be added again
> on renewal.
>
> It is the client that needs the ca certificate to be removed, not the
> server. The root cause is that there is more than one verification path
> possible and unpatched openssl versions pick the wrong (expired) option.
>
> A


Re: Gpg4win LetsEncrypt issue

2021-12-30 Thread Andrew Gallagher via Gnupg-users


> On 30 Dec 2021, at 16:27, Alex Nadtoka  wrote:
> 
> Even if I remove root certificate from the server it will be added again on 
> renewal.

It is the client that needs the ca certificate to be removed, not the server. 
The root cause is that there is more than one verification path possible and 
unpatched openssl versions pick the wrong (expired) option. 

A


Re: Gpg4win LetsEncrypt issue

2021-12-30 Thread Alex Nadtoka via Gnupg-users
Actually I just now realized that the things are automated on the server.
Certbot+nginx renews SSL certificates every 3 months. And currently
keyserver uses the latest SSL certificate with automatically set up CA Root
certificates. Even if I remove root certificate from the server it will be
added again on renewal. Well again, I have latest gpg4win with latest gnupg
and cannot connect to ANY keyserver that uses lets encrypt.  BUT I can
without any issues connect to my keyserver via GPG Suite for Mac OS, simple
command line gpg client on my Ubuntu and CentOS servers.
May be the issue is indeed bug in dirmngr ?  From command line on windows
cmd when I try to connect to keyserver the issue is the same.

Pretty weird that I can connect to one keyserver from everywhere except the
windows tool...
Sorry to bother you... It is just that I am trying to understand the way it
may work from the box OR by adding some parameter to GnuPG System menu in
Kleopatra configuration... I understand that previously there was some
issue with lets encrypt certificates and it was fixed in gnupg 2.2.32 but I
was using 2.3.4 version and now tried installing  2.2.32 instead and still
no luck. The error is the same

2021-12-30 18:13:16 gpg[17256] DBG: chan_0x0274 <- ERR 167772261 Certificate expired
2021-12-30 18:13:16 gpg[17256] error searching keyserver: Certificate expired
2021-12-30 18:13:16 gpg[17256] keyserver search failed: Certificate expired

Oleksandr

Thu, 30 Dec 2021 at 16:44, Alex Nadtoka wrote:

> Cool thanks. going to test it today
> Yesterday tested also with GPG Suite on MacOS - works fine, so only
> windows issue I think.
>
> Thu, 30 Dec 2021 at 16:31, Werner Koch via Gnupg-users <
> gnupg-users@gnupg.org> wrote:
>
>> On Wed, 29 Dec 2021 21:33, Andrew Gallagher said:
>>
>> > OK, so you definitely need to solve the root certificate issue.
>>
>> This has been fixed with gnupg 2.2.32 - please get an update.  The
>> workaround is to delete the old LE certificate from your Root CA store.
>>
>>
>> Salam-Shalom,
>>
>>Werner
>>
>> --
>> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


Re: Gpg4win LetsEncrypt issue

2021-12-30 Thread Alex Nadtoka via Gnupg-users
Cool thanks. going to test it today
Yesterday tested also with GPG Suite on MacOS - works fine, so only windows
issue I think.

Thu, 30 Dec 2021 at 16:31, Werner Koch via Gnupg-users <
gnupg-users@gnupg.org> wrote:

> On Wed, 29 Dec 2021 21:33, Andrew Gallagher said:
>
> > OK, so you definitely need to solve the root certificate issue.
>
> This has been fixed with gnupg 2.2.32 - please get an update.  The
> workaround is to delete the old LE certificate from your Root CA store.
>
>
> Salam-Shalom,
>
>Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


Re: Gpg4win LetsEncrypt issue

2021-12-30 Thread Werner Koch via Gnupg-users
On Wed, 29 Dec 2021 21:33, Andrew Gallagher said:

> OK, so you definitely need to solve the root certificate issue. 

This has been fixed with gnupg 2.2.32 - please get an update.  The
workaround is to delete the old LE certificate from your Root CA store.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Gpg4win LetsEncrypt issue

2021-12-29 Thread Alex Nadtoka via Gnupg-users
It is just dirmngr  Through browsers everything works fine as well as
from gpg command line client in Linux

Wed, 29 Dec 2021 at 23:34, Andrew Gallagher via Gnupg-users <
gnupg-users@gnupg.org> wrote:

>
> > On 29 Dec 2021, at 21:12, Alex Nadtoka  wrote:
> >
> > We have our internal GPG server( I want people in company to be able to
> connect to it from windows as well...
>
> OK, so you definitely need to solve the root certificate issue.
>
> Do sites using letsencrypt work from an Edge browser on that machine, or
> is it just dirmngr?
>
> A


Re: Gpg4win LetsEncrypt issue

2021-12-29 Thread Andrew Gallagher via Gnupg-users


> On 29 Dec 2021, at 21:12, Alex Nadtoka  wrote:
> 
> We have our internal GPG server( I want people in company to be able to 
> connect to it from windows as well... 

OK, so you definitely need to solve the root certificate issue. 

Do sites using letsencrypt work from an Edge browser on that machine, or is it 
just dirmngr?

A


Re: Gpg4win LetsEncrypt issue

2021-12-29 Thread Alex Nadtoka via Gnupg-users
We have our internal GPG server( I want people in company to be able to
connect to it from windows as well...

Wed, 29 Dec 2021 at 23:11, Andrew Gallagher via Gnupg-users <
gnupg-users@gnupg.org> wrote:

>
> On 29 Dec 2021, at 20:15, Alex Nadtoka  wrote:
>
> yes it works with  keyserver-01.2ndquadrant.com
>
>
> Is this server sufficient for your purposes or do you also need to support
> an internal keyserver?
>
> A
>
> Wed, 29 Dec 2021 at 17:06, Andrew Gallagher via Gnupg-users <
> gnupg-users@gnupg.org> wrote:
>
>> On Wed, 2021-12-29 at 14:33 +0200, Alex Nadtoka via Gnupg-users wrote:
>> > I cannot connect to any keyserver. The error is certificate expired.
>> > I am on latest (I think) Windows 10 . Tried reinstalling it or
>> > installing on new Windows machine but no luck . dirmngr keeps telling
>> > me that certificate is expired.
>>
>> Have you tried configuring an hkps keyserver that does not use
>> LetsEncrypt, e.g. keyserver-01.2ndquadrant.com ?
>>
>> A


Re: Gpg4win LetsEncrypt issue

2021-12-29 Thread Andrew Gallagher via Gnupg-users

> On 29 Dec 2021, at 20:15, Alex Nadtoka  wrote:
> 
> yes it works with  keyserver-01.2ndquadrant.com 

Is this server sufficient for your purposes or do you also need to support an 
internal keyserver?

A

> Wed, 29 Dec 2021 at 17:06, Andrew Gallagher via Gnupg-users
> wrote:
>> On Wed, 2021-12-29 at 14:33 +0200, Alex Nadtoka via Gnupg-users wrote:
>> > I cannot connect to any keyserver. The error is certificate expired.
>> > I am on latest (I think) Windows 10 . Tried reinstalling it or
>> > installing on new Windows machine but no luck . dirmngr keeps telling
>> > me that certificate is expired. 
>> 
>> Have you tried configuring an hkps keyserver that does not use
>> LetsEncrypt, e.g. keyserver-01.2ndquadrant.com ?
>> 
>> A


Re: Gpg4win LetsEncrypt issue

2021-12-29 Thread Alex Nadtoka via Gnupg-users
yes it works with  keyserver-01.2ndquadrant.com


Wed, 29 Dec 2021 at 17:06, Andrew Gallagher via Gnupg-users <
gnupg-users@gnupg.org> wrote:

> On Wed, 2021-12-29 at 14:33 +0200, Alex Nadtoka via Gnupg-users wrote:
> > I cannot connect to any keyserver. The error is certificate expired.
> > I am on latest (I think) Windows 10 . Tried reinstalling it or
> > installing on new Windows machine but no luck . dirmngr keeps telling
> > me that certificate is expired.
>
> Have you tried configuring an hkps keyserver that does not use
> LetsEncrypt, e.g. keyserver-01.2ndquadrant.com ?
>
> A


Re: Gpg4win LetsEncrypt issue

2021-12-29 Thread Andrew Gallagher via Gnupg-users
On Wed, 2021-12-29 at 14:33 +0200, Alex Nadtoka via Gnupg-users wrote:
> I cannot connect to any keyserver. The error is certificate expired.
> I am on latest (I think) Windows 10 . Tried reinstalling it or
> installing on new Windows machine but no luck . dirmngr keeps telling
> me that certificate is expired. 

Have you tried configuring an hkps keyserver that does not use
LetsEncrypt, e.g. keyserver-01.2ndquadrant.com ?

A




Gpg4win LetsEncrypt issue

2021-12-29 Thread Alex Nadtoka via Gnupg-users
I cannot connect to any keyserver. The error is certificate expired. I am
on latest (I think) Windows 10 . Tried reinstalling it or installing on new
Windows machine but no luck . dirmngr keeps telling me that certificate is
expired.

I know I can put  ignore-cert followed by the SHA-1 fingerprint of the
problematic certificate in my dirmngr.conf to ignore certificate errors.
But where I can get those fingerprints for lets encrypt certificates?

I feel like I can get it from here ... but not sure where exactly the
fingerprint is? (
https://letsencrypt.org/certificates/
Also it should be for root or intermediate CA  or both?

Also is there anybody who can successfully connect with Kleopatra to any
keyserver on Windows?

Oleksandr