Package: dirmngr
Version: 2.1.18-8~deb9u4

When a client uses HKPS keyservers, dirmngr fails hard due to TLS certificate validation errors:

2019-02-28 14:35:17 dirmngr[2155] listening on socket '/run/user/1000/gnupg/S.dirmngr'
2019-02-28 14:35:17 dirmngr[2156.0] permanently loaded certificates: 0
2019-02-28 14:35:17 dirmngr[2156.0] runtime cached certificates: 0
2019-02-28 14:35:18 dirmngr[2156.6] handler for fd 6 started
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 -> # Home: /home/jimpop/.gnupg
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 -> # Config: /home/jimpop/.gnupg/dirmngr.conf
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 -> OK Dirmngr 2.1.18 at your service
2019-02-28 14:35:18 dirmngr[2156.6] connection from process 2153 (1000:1000)
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 <- GETINFO version
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 -> D 2.1.18
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 -> OK
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 <- KEYSERVER --clear hkps://ha.pool.sks-keyservers.net
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 -> OK
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 <- KEYSERVER
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 -> S KEYSERVER hkps://ha.pool.sks-keyservers.net
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 -> OK
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 <- KEYSERVER --clear hkps://ha.pool.sks-keyservers.net
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 -> OK
2019-02-28 14:35:18 dirmngr[2156.6] DBG: chan_6 <- KS_GET --quick -- 0xF4B8B79CC372FBE38580F4C241EED2521FD6B2CA
2019-02-28 14:35:19 dirmngr[2156.6] resolve_dns_addr for 'ha.pool.sks-keyservers.net': '192.146.137.99'
2019-02-28 14:35:19 dirmngr[2156.6] resolve_dns_addr for 'ha.pool.sks-keyservers.net': '192.146.137.98'
2019-02-28 14:35:19 dirmngr[2156.6] resolve_dns_addr for 'ha.pool.sks-keyservers.net': '178.32.66.144'
2019-02-28 14:35:19 dirmngr[2156.6] resolve_dns_addr for 'ha.pool.sks-keyservers.net': '46.4.246.179'
2019-02-28 14:35:19 dirmngr[2156.6] resolve_dns_addr for 'ha.pool.sks-keyservers.net': '37.191.231.105'
2019-02-28 14:35:19 dirmngr[2156.6] number of system provided CAs: 151
2019-02-28 14:35:20 dirmngr[2156.6] TLS verification of peer failed: hostname does not match
2019-02-28 14:35:20 dirmngr[2156.6] DBG: expected hostname: ha.pool.sks-keyservers.net
2019-02-28 14:35:20 dirmngr[2156.6] DBG: BEGIN Certificate 'server[0]':
2019-02-28 14:35:20 dirmngr[2156.6] DBG: serial: 031DA3EEAFB1931E9D70695C4F75EB13B412
2019-02-28 14:35:20 dirmngr[2156.6] DBG: notBefore: 2019-01-06 14:13:25
2019-02-28 14:35:20 dirmngr[2156.6] DBG: notAfter: 2019-04-06 14:13:25
2019-02-28 14:35:20 dirmngr[2156.6] DBG: issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
2019-02-28 14:35:20 dirmngr[2156.6] DBG: subject: CN=sks.mj2.uk
2019-02-28 14:35:20 dirmngr[2156.6] DBG: aka: (8:dns-name10:sks.mj2.uk)
2019-02-28 14:35:20 dirmngr[2156.6] DBG: hash algo: 1.2.840.113549.1.1.11
2019-02-28 14:35:20 dirmngr[2156.6] DBG: SHA1 fingerprint: E9AF92BDFE5ACBEC36630FA51ABCBF18B7E42E7A
2019-02-28 14:35:20 dirmngr[2156.6] DBG: END Certificate
2019-02-28 14:35:20 dirmngr[2156.6] DBG: BEGIN Certificate 'server[1]':
2019-02-28 14:35:20 dirmngr[2156.6] DBG: serial: 0A0141420000015385736A0B85ECA708
2019-02-28 14:35:20 dirmngr[2156.6] DBG: notBefore: 2016-03-17 16:40:46
2019-02-28 14:35:20 dirmngr[2156.6] DBG: notAfter: 2021-03-17 16:40:46
2019-02-28 14:35:20 dirmngr[2156.6] DBG: issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2019-02-28 14:35:20 dirmngr[2156.6] DBG: subject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
2019-02-28 14:35:20 dirmngr[2156.6] DBG: hash algo: 1.2.840.113549.1.1.11
2019-02-28 14:35:20 dirmngr[2156.6] DBG: SHA1 fingerprint: E6A3B45B062D509B3382282D196EFE97D5956CCB
2019-02-28 14:35:20 dirmngr[2156.6] DBG: END Certificate
2019-02-28 14:35:20 dirmngr[2156.6] TLS connection authentication failed: General error
2019-02-28 14:35:20 dirmngr[2156.6] error connecting to 'https://178.32.66.144:443': General error
2019-02-28 14:35:20 dirmngr[2156.6] command 'KS_GET' failed: General error <Unspecified source>

There are multiple ways to resolve this (use HKP instead of HKPS, etc.), but the best way is for *.pool.sks-keyservers.net to fix their TLS certificates.

Debian/Stretch
Linux host 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux
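
Added example, not part of the original report and not dirmngr's own code: a small triage script that reads dirmngr debug output of the shape quoted above, extracts the expected hostname and the DNS names in each presented certificate, and says whether the leaf certificate covers the name the client asked for. The function names are this example's own, the log format is assumed to be exactly what the report shows, and the wildcard rule in `name_matches` goes beyond the single case in the report.

```python
import re

# Excerpt of the dirmngr log quoted in the report above (timestamps trimmed).
SAMPLE_LOG = """\
dirmngr[2156.6] TLS verification of peer failed: hostname does not match
dirmngr[2156.6] DBG: expected hostname: ha.pool.sks-keyservers.net
dirmngr[2156.6] DBG: BEGIN Certificate 'server[0]':
dirmngr[2156.6] DBG: subject: CN=sks.mj2.uk
dirmngr[2156.6] DBG: aka: (8:dns-name10:sks.mj2.uk)
dirmngr[2156.6] DBG: END Certificate
dirmngr[2156.6] DBG: BEGIN Certificate 'server[1]':
dirmngr[2156.6] DBG: subject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
dirmngr[2156.6] DBG: END Certificate
"""

def parse_tls_failure(log):
    """Return (expected_hostname, {cert_label: [dns names]}) from dirmngr debug output."""
    expected, certs, current = None, {}, None
    for line in log.splitlines():
        if m := re.search(r"expected hostname:\s*(\S+)", line):
            expected = m.group(1).lower()
        elif m := re.search(r"BEGIN Certificate '([^']+)'", line):
            current = m.group(1)
            certs[current] = []
        elif "END Certificate" in line:
            current = None
        elif current and (m := re.search(r"aka:\s*\(8:dns-name(\d+):", line)):
            # Canonical S-expression: the number is the length of the name that follows.
            name = line[m.end():m.end() + int(m.group(1))]
            certs[current].append(name.lower())
    return expected, certs

def name_matches(hostname, pattern):
    """RFC 6125 style match: '*' is accepted only as the whole left-most label."""
    h, p = hostname.rstrip(".").split("."), pattern.rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*" and len(p) > 2:
        return h[1:] == p[1:]
    return h == p

def diagnose(log):
    """Compare the expected hostname with the names in the leaf certificate."""
    expected, certs = parse_tls_failure(log)
    leaf = certs.get("server[0]", [])
    matched = bool(expected) and any(name_matches(expected, n) for n in leaf)
    return {"expected": expected, "leaf_names": leaf, "match": matched}
```

Calling `diagnose(SAMPLE_LOG)` reports that the pool member presented a certificate valid only for its own hostname, which is why verification against the pool name fails.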