Mailing List Archive

Re: Gpg4win LetsEncrypt issue
On Wednesday, 05 January 2022 09:16:52, Alex Nadtoka via Gnupg-users wrote:
> Is there a way to enable more detailed debug mode so I can see the path for
> the certificate that dirmngr is using?

Use dirmngr.conf to add more diagnostic output, e.g.

log-file c:\XYZ
debug-level advanced

and restart dirmngr and do a request.
(reload could be done by
gpgconf --reload dirmngr
)

Regards
Bernhard

--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: Gpg4win LetsEncrypt issue
On Thu, 6 Jan 2022 15:33, Anze Jensterle said:

> checked multiple times). Only deleting the old intermediates instead of the
> root helped. Do you also check all the intermediate paths?

Sure. My former answer was simply wrong.

For details please see https://dev.gnupg.org/T5639 which was fixed with
GnuPG 2.2.32 and 2.3.4.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Gpg4win LetsEncrypt issue
------ Original Message ------
From: "Werner Koch via Gnupg-users" <gnupg-users@gnupg.org>
To:
Sent: 11.01.2022 11:52:00
Subject: Gpg4win LetsEncrypt issue

>For details please see https://dev.gnupg.org/T5639 which was fixed with
>GnuPG 2.2.32 and 2.3.4.

Hello,
I'd say the problem is not fixed in either GnuPG 2.2.32 or 2.3.4. At
least not on Windows 10. Along with Alex Nadtoka & Anze Jensterle, I'm
another person suffering from the same issue.
If I try to search for some keys on some keyserver not using the Let's
Encrypt certificate, like hkp(s)://keyserver-01.2ndquadrant.com, there's
no problem.

If I try to search on hkp://keyserver.ubuntu.com, there's no problem as
well.

But if I try to search on hkps://keyserver.ubuntu.com or
hkp(s)://keys.openpgp.org, I'm getting:

C:\Users\David>gpg --keyserver hkps://keyserver.ubuntu.com --search-keys opensuse
gpg: error searching keyserver: Certificate expired
gpg: keyserver search failed: Certificate expired

Both keyserver.ubuntu.com and keys.openpgp.org key servers use the LE
certificate. On a side note, I wonder why hkp://keys.openpgp.org doesn't
work either since the hkp:// protocol works on top of HTTP and not HTTPS,
but that's another issue.

If I remove the invalid intermediate certificate R3, issued by DST Root
CA X3, expired on 09/29/2021 from certmgr.msc and then reload dirmngr,
"certificate expired" error no longer shows in any case.

I've checked I have the new valid intermediate certificate R3, issued by
ISRG Root X1, expiring on 09/15/2025 present in certmgr.msc and yet in
such a case dirmngr shows in its log that it still tries the old
verification path when the invalid R3 cert is installed. I would attach
the whole log but it's partly in Czech and I don't know how to switch
the output fully to English since it doesn't work despite setting the
LC_MESSAGES=C variable.

So to me, it seems that both GnuPG 2.2.32 and 2.3.4 (installed via
Gpg4win 4.0) on Win10 still suffer from the issue. So can we re-open
the bug report https://dev.gnupg.org/T5639 or
https://dev.gnupg.org/T5744 or should I create another one?

Thanks,
David K.


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
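
The store condition described in the last message (an expired intermediate installed next to a valid certificate with the same subject) can be checked from PowerShell instead of by eye in certmgr.msc. This is an added example, not part of the thread and not GnuPG project code; it assumes the certificates live in the "Intermediate Certification Authorities" (CA) stores and it only reads them.

```powershell
# Added example: report intermediate CA certificates for which the Windows
# store holds both an expired and a still-valid certificate with the same
# subject (e.g. the two "R3" certificates mentioned in the thread).
# Read-only: nothing is deleted or modified.

# Assumption: the intermediates are in the CA ("Intermediate Certification
# Authorities") stores. The same certificate can show up under both paths.
$stores = 'Cert:\CurrentUser\CA', 'Cert:\LocalMachine\CA'
$now    = Get-Date

$certs = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            Expired    = $_.NotAfter -lt $now
            Thumbprint = $_.Thumbprint
        }
    }
}

# Keep only subjects that have at least one expired AND one valid certificate.
$conflicts = $certs | Group-Object -Property Subject | Where-Object {
    ($_.Group.Expired -contains $true) -and ($_.Group.Expired -contains $false)
}

if (-not $conflicts) {
    Write-Output 'No subject has both an expired and a valid intermediate certificate.'
}

foreach ($group in $conflicts) {
    Write-Output ''
    Write-Output "Subject: $($group.Name)"
    $group.Group |
        Sort-Object -Property NotAfter |
        Format-Table -Property Expired, NotAfter, Issuer, Store, Thumbprint -AutoSize
}
```

Each reported subject lists its certificates oldest first, so the expired entry and its issuer appear next to the valid one that should be used for path building.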
