Gpg4win LetsEncrypt issue
I cannot connect to any keyserver. The error is certificate expired. I am
on latest (I think) Windows 10. Tried reinstalling it or installing on new
Windows machine but no luck. dirmngr keeps telling me that certificate is
expired.

I know I can put ignore-cert followed by the SHA-1 fingerprint of the
problematic certificate in my dirmngr.conf to ignore certificate errors.
But where can I get those fingerprints for Let's Encrypt certificates?

I feel like I can get it from here ... but not sure where exactly the
fingerprint is? (https://letsencrypt.org/certificates/)
Also should it be for root or intermediate CA or both?

Also is there anybody who can successfully connect with Kleopatra to any
keyserver on Windows?

Oleksandr
Re: Gpg4win LetsEncrypt issue [ In reply to ]
On Wed, 2021-12-29 at 14:33 +0200, Alex Nadtoka via Gnupg-users wrote:
> I cannot connect to any keyserver. The error is certificate expired.
> I am on latest (I think) Windows 10 . Tried reinstalling it or
> installing on new Windows machine but no luck . dirmngr keeps telling
> me that certificate is expired. 

Have you tried configuring an hkps keyserver that does not use
LetsEncrypt, e.g. keyserver-01.2ndquadrant.com ?

A
Re: Gpg4win LetsEncrypt issue [ In reply to ]
yes it works with keyserver-01.2ndquadrant.com


Re: Gpg4win LetsEncrypt issue [ In reply to ]
> On 29 Dec 2021, at 20:15, Alex Nadtoka <alex.nadtoka@gmail.com> wrote:
>
> yes it works with keyserver-01.2ndquadrant.com

Is this server sufficient for your purposes or do you also need to support an internal keyserver?

A

Re: Gpg4win LetsEncrypt issue [ In reply to ]
We have our internal GPG server. I want people in the company to be able to
connect to it from Windows as well...

Re: Gpg4win LetsEncrypt issue [ In reply to ]
> On 29 Dec 2021, at 21:12, Alex Nadtoka <alex.nadtoka@gmail.com> wrote:
>
> We have our internal GPG server( I want people in company to be able to connect to it from windows as well...

OK, so you definitely need to solve the root certificate issue.

Do sites using letsencrypt work from an Edge browser on that machine, or is it just dirmngr?

A
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Gpg4win LetsEncrypt issue [ In reply to ]
It is just dirmngr .... Through browsers everything works fine as well as
from gpg command line client in Linux

Re: Gpg4win LetsEncrypt issue [ In reply to ]
On Wed, 29 Dec 2021 21:33, Andrew Gallagher said:

> OK, so you definitely need to solve the root certificate issue.

This has been fixed with gnupg 2.2.32 - please get an update. The
workaround is to delete the old LE certificate from your Root CA store.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Gpg4win LetsEncrypt issue [ In reply to ]
Cool thanks. going to test it today
Yesterday tested also with GPG Suite on MacOS - works fine, so only windows
issue I think.

Re: Gpg4win LetsEncrypt issue [ In reply to ]
Actually I just now realized that the things are automated on the server.
Certbot+nginx renews SSL certificates every 3 months. And currently
keyserver uses the latest SSL certificate with automatically set up CA Root
certificates. Even if I remove root certificate from the server it will be
added again on renewal. Well again, I have latest gpg4win with latest gnupg
and cannot connect to ANY keyserver that uses Let's Encrypt. BUT I can
without any issues connect to my keyserver via GPG Suite for Mac OS, simple
command line gpg client on my Ubuntu and CentOS servers.
Maybe the issue is indeed a bug in dirmngr? From command line on Windows
cmd when I try to connect to keyserver the issue is the same.

Pretty weird that I can connect to one keyserver from everywhere except the
Windows tool...
Sorry to bother you... It is just that I am trying to understand the way it
may work from the box OR by adding some parameter to GnuPG System menu in
Kleopatra configuration... I understand that previously there was some
issue with Let's Encrypt certificates and it was fixed in gnupg 2.2.32 but I
was using 2.3.4 version and now tried installing 2.2.32 instead and still
no luck. The error is the same

2021-12-30 18:13:16 gpg[17256] DBG: chan_0x00000274 <- ERR 167772261 Certificate expired <Dirmngr>
2021-12-30 18:13:16 gpg[17256] error searching keyserver: Certificate expired
2021-12-30 18:13:16 gpg[17256] keyserver search failed: Certificate expired

Oleksandr

Re: Gpg4win LetsEncrypt issue [ In reply to ]
> On 30 Dec 2021, at 16:27, Alex Nadtoka <alex.nadtoka@gmail.com> wrote:
>
> Even if I remove root certificate from the server it will be added again on renewal.

It is the client that needs the ca certificate to be removed, not the server. The root cause is that there is more than one verification path possible and unpatched openssl versions pick the wrong (expired) option.

A
Re: Gpg4win LetsEncrypt issue [ In reply to ]
Ok, thanks. Where on the client end can I remove it?

Re: Gpg4win LetsEncrypt issue [ In reply to ]
On Fri, 2021-12-31 at 23:23 +0200, Alex Nadtoka wrote:
> Ok, thanks. Where on the client end can I remove it?

This blog appears to do it correctly (to the best of my knowledge) and
as its worked example uses the very same CA certificate that we have
just been discussing:  

https://www.thesslstore.com/blog/how-to-remove-certificates-from-windows-10/

A
Re: Gpg4win LetsEncrypt issue [ In reply to ]
yes thanks, tried disabling it but error was still there. So I deleted DST
Root CA X3. At the moment I see error from dirmngr 2.3.4: no CA
certificate found
And
error searching keyserver: "No inquire callback in IPC"
Not sure if it is still because of root certificate. Will try to google now

Re: Gpg4win LetsEncrypt issue [ In reply to ]
> On 4 Jan 2022, at 12:15, Alex Nadtoka <alex.nadtoka@gmail.com> wrote:
>
> yes thanks, tried disabling it but error was still there. So I deleted DST Root CA X3. At the moment I see error from dirmngr 2.3.4: no CA certificate found
> And
> error searching keyserver: "No inquire callback in IPC"
>
> Not sure if it is still because of root certificate. Will try to google now

You probably don’t have the new root certificate installed then. You should be able to download it from letsencrypt.org

A
Re: Gpg4win LetsEncrypt issue [ In reply to ]
I do have installed ISRG Root X1 and X2
But I noticed that DST Root CA X3 appeared again in the system... weird.
Deleted it with admin privileges from entire PC

Re: Gpg4win LetsEncrypt issue [ In reply to ]
I am having the same issue on GnuPG version 2.3.4.
If I have the DST root in my Trust Root Store I get Certificate expired, if
I don't have it in there I get "No inquire callback in IPC" and Dirmngr
logs "error connecting to 'https://keys.openpgp.org:443': Missing issuer
certificate".
Any idea why this would still happen?

Best,
Anze

Re: Gpg4win LetsEncrypt issue [ In reply to ]
OK, I seem to have solved the issue.
@Alex Nadtoka <alex.nadtoka@gmail.com> Deleting the DST Root is not needed.
Make sure to delete the certificate named "Let's Encrypt X1" or similar and
"R3" from the user and system store. They are not stored under "Trusted
Roots" but under "Intermediate CAs". After I deleted all the old cached
intermediates I am able to use a keyserver again.

Best,
Anze

Re: Gpg4win LetsEncrypt issue [ In reply to ]
I found one such certificate and removed it but the issue is still there.
Is there a way to enable more detailed debug mode so I can see the path for
the certificate that dirmngr is using?

Regards,
Oleksandr

Re: Gpg4win LetsEncrypt issue [ In reply to ]
Ok for me the fix was by importing this intermediate certificate to
intermediates in user profile and local computer

https://letsencrypt.org/certs/lets-encrypt-r3.pem

I guess old r3 should be removed and new one added

Regards,
Oleksandr

Re: Gpg4win LetsEncrypt issue [ In reply to ]
Hi!

instead of working around the problem, I strongly suggest to update
gpg4win to 4.0 or at least install gnupg 2.2.33 on top of an older
gpg4win. This fixes the problem without a need to tweak the root cert
store.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Gpg4win LetsEncrypt issue [ In reply to ]
Hi Werner,
This was happening to me on the latest 2.3.4 with gpg4win 4.

Any idea why? I suspect it has to do with old intermediates being
cross-signed as well.

Best,
Anze

Re: Gpg4win LetsEncrypt issue [ In reply to ]
On Thu, 6 Jan 2022 12:02, Anze Jensterle said:

> Any idea why? I suspect it has to do with old intermediates being
> cross-signed as well.

If you don't have the current LE root certificate the old certification
path is tried.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Gpg4win LetsEncrypt issue [ In reply to ]
That's the weird thing: I had the new root installed all this time (I
checked multiple times). Only deleting the old intermediates instead of the
root helped. Do you also check all the intermediate paths?
So the path to verify was
SERVER->INTERMEDIATE (R3 signed by DST Root)->DST ROOT,
both the
SERVER->INTERMEDIATE (R3 signed by ISRG Root X1)->ISRG ROOT (cross-signed by DST),
or the
SERVER->INTERMEDIATE (R3 signed by ISRG Root X1)->ISRG ROOT (self-signed)
never happened.
Best,
Anze
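
Added example, not part of any post in this thread and not dirmngr's or any TLS library's code: a simplified Python model of the situation Andrew describes earlier in the thread (more than one verification path, with the expired one being picked) and of the three paths listed in the message above. Certificates are reduced to subject, issuer and expiry date; the host name `keyserver.example`, the store contents, the approximate dates and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date


# Constructed model: names follow the thread, expiry dates are approximate,
# and no signature is checked (issuer/subject name matching only).
LEAF = Cert("keyserver.example", "R3", date(2022, 3, 1))  # hypothetical server
R3_DST = Cert("R3", "DST Root CA X3", date(2021, 9, 29))  # old cached intermediate
R3_ISRG = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
TODAY = date(2022, 1, 5)


def all_paths(leaf, intermediates, roots):
    """Every chain from leaf to a trust anchor, expired or not."""
    found = []

    def walk(path):
        name = path[-1].issuer
        found.extend(path + [r] for r in roots if r.subject == name)
        for cand in intermediates:
            if cand.subject == name and cand not in path:
                walk(path + [cand])

    walk([leaf])
    return found


def first_match(leaf, intermediates, roots, today=TODAY):
    """Follow the first issuer found (cached intermediates first), no backtracking."""
    path = [leaf]
    while True:
        name = path[-1].issuer
        step = next((c for c in intermediates
                     if c.subject == name and c not in path), None)
        if step is None:
            anchor = next((r for r in roots if r.subject == name), None)
            if anchor is None:
                return "Missing issuer certificate"
            path.append(anchor)
            break
        path.append(step)
    expired = any(today > c.not_after for c in path)
    return "Certificate expired" if expired else "OK"


def backtracking(leaf, intermediates, roots, today=TODAY):
    """Accept if any complete path is fully within validity."""
    paths = all_paths(leaf, intermediates, roots)
    if not paths:
        return "Missing issuer certificate"
    good = any(all(today <= c.not_after for c in p) for p in paths)
    return "OK" if good else "Certificate expired"


# Store states reported in the thread: (intermediate store, root store).
SCENARIOS = {
    "as found": ([R3_DST, R3_ISRG, X1_CROSS], [DST_ROOT, X1_SELF]),
    "DST root deleted": ([R3_DST, R3_ISRG, X1_CROSS], [X1_SELF]),
    "old intermediates deleted": ([R3_ISRG], [DST_ROOT, X1_SELF]),
    "new root missing": ([R3_DST, R3_ISRG, X1_CROSS], [DST_ROOT]),
}


def run():
    return {name: (first_match(LEAF, inter, roots), backtracking(LEAF, inter, roots))
            for name, (inter, roots) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (naive, full) in run().items():
        print(f"{name:28} first-match: {naive:28} backtracking: {full}")
```

In this model the first-match column gives "Certificate expired", "Missing issuer certificate" and "OK" for the first three store states, the same sequence of results reported in the thread, while a validator that tries every path succeeds whenever the self-signed ISRG Root X1 is present.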

Re: Gpg4win LetsEncrypt issue [ In reply to ]
yes as well as for me. I was using latest gpg software
