Package: dirmngr
Version: 2.2.12-1~bpo9+1
Severity: important

Dear Maintainer,

* What led up to the situation?

My company's intranet has a (currently) broken HKP keyserver which responds to all requests with an error 503. This server makes dirmngr go into an endless retry loop, eating 100% CPU and some network capacity.

* What exactly did you do (or not do) that was effective (or ineffective)?

I have two keyservers configured: hkp://keys.gnupg.net (first) and the internal one. Running dirmngr with diagnostics enabled shows the problem:

$ dirmngr -v -v -v --debug-all --debug-level guru --server
...
OK Dirmngr 2.2.12 at your service
KS_SEARCH inter...@email-address.com
dirmngr[28324.0]: DBG: chan_3 <- KS_SEARCH inter...@email-address.com
dirmngr[28324.0]: DBG: dns: libdns initialized
dirmngr[28324.0]: DBG: dns: getsrv(_pgpkey-http._tcp.hkps.pool.sks-keyservers.net) -> 0 records
dirmngr[28324.0]: DBG: dns: resolve_dns_name(hkps.pool.sks-keyservers.net): Success
dirmngr[28324.0]: DBG: dns: resolve_dns_addr(): Success
dirmngr[28324.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:41d0:800:d1e::82:0]'
dirmngr[28324.0]: DBG: dns: resolve_dns_addr(): Success
dirmngr[28324.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:67c:26b4::99:0]'
dirmngr[28324.0]: DBG: dns: resolve_dns_addr(): Success
dirmngr[28324.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:67c:26b4::98:0]'
dirmngr[28324.0]: DBG: dns: resolve_dns_addr(): Success
dirmngr[28324.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '209.244.105.201'
dirmngr[28324.0]: DBG: dns: resolve_dns_addr(): Success
dirmngr[28324.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '192.146.137.99'
dirmngr[28324.0]: DBG: dns: resolve_dns_addr(): Success
dirmngr[28324.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '192.146.137.98'
dirmngr[28324.0]: DBG: dns: resolve_dns_addr(): Success
dirmngr[28324.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '51.38.91.189'
dirmngr[28324.0]: DBG: dns: resolve_dns_addr(): Success
dirmngr[28324.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '37.191.231.105'
dirmngr[28324.0]: DBG: Using TLS library: GNUTLS 3.6.6
dirmngr[28324.0]: DBG: http.c:connect_server: trying name='2001:67c:26b4::99:0' port=11371
dirmngr[28324.0]: DBG: dns: resolve_dns_name(2001:67c:26b4::99:0): Success
dirmngr[28324.0]: can't connect to '2001:67c:26b4::99:0': Network is unreachable
dirmngr[28324.0]: error connecting to 'http://[2001:67c:26b4::99:0]:11371': Network is unreachable
dirmngr[28324.0]: marking host '[2001:67c:26b4::99:0]' as dead
dirmngr[28324.0]: DBG: Using TLS library: GNUTLS 3.6.6
dirmngr[28324.0]: DBG: http.c:connect_server: trying name='2001:41d0:800:d1e::82:0' port=11371
dirmngr[28324.0]: DBG: dns: resolve_dns_name(2001:41d0:800:d1e::82:0): Success
dirmngr[28324.0]: can't connect to '2001:41d0:800:d1e::82:0': Network is unreachable
dirmngr[28324.0]: error connecting to 'http://[2001:41d0:800:d1e::82:0]:11371': Network is unreachable
dirmngr[28324.0]: marking host '[2001:41d0:800:d1e::82:0]' as dead
dirmngr[28324.0]: DBG: Using TLS library: GNUTLS 3.6.6
dirmngr[28324.0]: DBG: http.c:connect_server: trying name='37.191.231.105' port=11371
dirmngr[28324.0]: DBG: dns: resolve_dns_name(37.191.231.105): Success
dirmngr[28324.0]: DBG: http.c:1899:socket_new: object 0x000055dc0bf1a3a0 for fd 6 created
dirmngr[28324.0]: DBG: http.c:request:
dirmngr[28324.0]: DBG: >> GET /pks/lookup?op=index&options=mr&search=inter...@email-address.com HTTP/1.0\r\n
dirmngr[28324.0]: DBG: >> Host: hkps.pool.sks-keyservers.net:11371\r\n
dirmngr[28324.0]: DBG: http.c:request-header:
dirmngr[28324.0]: DBG: >> \r\n
dirmngr[28324.0]: DBG: http.c:response:
dirmngr[28324.0]: DBG: >> HTTP/1.1 404 Not found\r\n
dirmngr[28324.0]: http.c:RESP: 'Date: Tue, 02 Jul 2019 13:15:31 GMT'
dirmngr[28324.0]: http.c:RESP: 'Content-Type: text/html; charset=UTF-8'
dirmngr[28324.0]: http.c:RESP: 'Content-Length: 546'
dirmngr[28324.0]: http.c:RESP: 'Connection: close'
dirmngr[28324.0]: http.c:RESP: 'Server: sks_www/1.1.6'
dirmngr[28324.0]: http.c:RESP: 'Cache-Control: no-cache'
dirmngr[28324.0]: http.c:RESP: 'Pragma: no-cache'
dirmngr[28324.0]: http.c:RESP: 'Expires: 0'
dirmngr[28324.0]: http.c:RESP: 'Access-Control-Allow-Origin: *'
dirmngr[28324.0]: http.c:RESP: ''
dirmngr[28324.0]: error accessing 'http://37.191.231.105:11371/pks/lookup?op=index&options=mr&search=internal%40email-address%2Ecom': http status 404
dirmngr[28324.0]: DBG: chan_3 -> S SOURCE http://37.191.231.105:11371
S SOURCE http://37.191.231.105:11371
dirmngr[28324.0]: DBG: dns: getsrv(_pgpkey-http._tcp.internal.corp.company.com) -> 0 records
dirmngr[28324.0]: DBG: dns: resolve_dns_name(internal.corp.company.com): Success
dirmngr[28324.0]: resolve_dns_addr for 'internal.corp.company.com': 'internal.corp.company.com' [already known]
dirmngr[28324.0]: number of system provided CAs: 152
dirmngr[28324.0]: DBG: Using TLS library: GNUTLS 3.6.6
dirmngr[28324.0]: DBG: http.c:connect_server: trying name='internal.corp.company.com' port=11371
dirmngr[28324.0]: DBG: dns: resolve_dns_name(internal.corp.company.com): Success
dirmngr[28324.0]: DBG: http.c:1899:socket_new: object 0x000055dc0c265d00 for fd 6 created
dirmngr[28324.0]: DBG: http.c:request:
dirmngr[28324.0]: DBG: >> GET /pks/lookup?op=index&options=mr&search=inter...@email-address.com HTTP/1.0\r\n
dirmngr[28324.0]: DBG: >> Host: internal.corp.company.com:11371\r\n
dirmngr[28324.0]: DBG: http.c:request-header:
dirmngr[28324.0]: DBG: >> \r\n
dirmngr[28324.0]: DBG: http.c:response:
dirmngr[28324.0]: DBG: >> HTTP/1.0 503 Service Not Available\r\n
dirmngr[28324.0]: http.c:RESP: 'Content-Type: text/html'
dirmngr[28324.0]: http.c:RESP: 'Content-Length: 369'
dirmngr[28324.0]: http.c:RESP: 'Connection: close'
dirmngr[28324.0]: http.c:RESP: 'Date: Tue, 02 Jul 2019 13:15:31 GMT'
dirmngr[28324.0]: http.c:RESP: 'Server: lighttpd/1.4.43'
dirmngr[28324.0]: http.c:RESP: ''
dirmngr[28324.0]: error accessing 'http://internal.corp.company.com:11371/pks/lookup?op=index&options=mr&search=internal%40email-address%2Ecom': http status 503
dirmngr[28324.0]: selecting a different host due to a 503 (Service Unavailable)
dirmngr[28324.0]: DBG: Using TLS library: GNUTLS 3.6.6
dirmngr[28324.0]: DBG: http.c:connect_server: trying name='internal.corp.company.com' port=11371
dirmngr[28324.0]: DBG: dns: resolve_dns_name(internal.corp.company.com): Success
dirmngr[28324.0]: DBG: http.c:1899:socket_new: object 0x000055dc0c16b560 for fd 6 created
dirmngr[28324.0]: DBG: http.c:request:
dirmngr[28324.0]: DBG: >> GET /pks/lookup?op=index&options=mr&search=inter...@email-address.com HTTP/1.0\r\n
dirmngr[28324.0]: DBG: >> Host: internal.corp.company.com:11371\r\n
dirmngr[28324.0]: DBG: http.c:request-header:
dirmngr[28324.0]: DBG: >> \r\n
dirmngr[28324.0]: DBG: http.c:response:
dirmngr[28324.0]: DBG: >> HTTP/1.0 503 Service Not Available\r\n
dirmngr[28324.0]: http.c:RESP: 'Content-Type: text/html'
dirmngr[28324.0]: http.c:RESP: 'Content-Length: 369'
dirmngr[28324.0]: http.c:RESP: 'Connection: close'
dirmngr[28324.0]: http.c:RESP: 'Date: Tue, 02 Jul 2019 13:15:31 GMT'
dirmngr[28324.0]: http.c:RESP: 'Server: lighttpd/1.4.43'
dirmngr[28324.0]: http.c:RESP: ''
dirmngr[28324.0]: error accessing 'http://internal.corp.company.com:11371/pks/lookup?op=index&options=mr&search=internal%40email-address%2Ecom': http status 503

* What was the outcome of this action?

The last request/response repeats endlessly.

* What outcome did you expect instead?

To abort the request. While the 503 error is often assumed to be temporary, more often than not it takes some time to resolve itself. Just blindly retrying on the keyserver may cause dirmngr to hang up. On my system I plugged this problem with the patch below. I don't think this is acceptable for everyone. Maybe a configuration option per keyserver would be better?
Regards,
Alex

commit c64f17c751d30df9be0943ad185075313954fdaf
Author: Alex Riesen <alexander.rie...@cetitec.com>
Date:   Tue Jul 2 15:29:12 2019 +0200

    Make http error 503 (Service unavailable) fatal for a keyserver

    While the error is considered temporary, it is unlikely to resolve
    itself soon and marking the host dead is a better solution than to
    retry quickly.

diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 68d2064..c22ee0a 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -1353,13 +1353,13 @@ handle_send_request_error (ctrl_t ctrl, gpg_error_t err, const char *request, switch (http_status) { case 502: /* Bad Gateway */ + case 503: /* Service Unavailable */ log_info ("marking host dead due to a %u (%s)\n", http_status, http_status2string (http_status)); if (mark_host_dead (request) && *tries_left) retry = 1; break; - case 503: /* Service Unavailable */ case 504: /* Gateway Timeout */ log_info ("selecting a different host due to a %u (%s)", http_status, http_status2string (http_status));

-- System Information:
Debian Release: 9.9
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.1.15 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages dirmngr depends on:
ii  adduser        3.115
ii  gpgconf        2.2.12-1~bpo9+1
ii  libassuan0     2.5.2-1
ii  libc6          2.28-2
ii  libgcrypt20    1.8.4-5
ii  libgnutls30    3.6.6-2
ii  libgpg-error0  1.26-2
ii  libksba8       1.3.5-2
ii  libldap-2.4-2  2.4.44+dfsg-5+deb9u2
ii  libnpth0       1.3-1
ii  lsb-base       9.20161125

Versions of packages dirmngr recommends:
ii  gnupg  2.2.12-1~bpo9+1

Versions of packages dirmngr suggests:
pn  dbus-user-session  <none>
pn  libpam-systemd     <none>
ii  pinentry-gnome3    1.0.0-2
pn  tor                <none>

-- no debconf information
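Review bot: Moving 503 into the mark-host-dead case stops the loop for a single-host keyserver, but it also blacklists, for the rest of the dirmngr session, any keyserver that answers 503 while briefly overloaded or restarting; 503 is the status reserved for exactly that temporary condition and may carry a Retry-After header, which this hunk ignores. The 502 branch bounds its retry with `if (mark_host_dead (request) && *tries_left)`, whereas the log above shows the 503 path re-requesting the very same host with no such bound, so the narrower fix is to keep 503 under "selecting a different host" and have that branch fall back to mark-dead (or give up) when the pool has no other host to select, rather than treating every 503 like a 502. Minor: the `log_info ("selecting a different host due to a %u (%s)",` format lacks the trailing "\n" that the 502 branch's message has; worth making the two consistent while touching this switch.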
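To make the trade-off in the patch concrete, here is an added model of the two status-handling policies; it is an illustration written for this page, not code from the report or from dirmngr. A constructed host pool maps each host to the HTTP status it always returns, the two status sets are my reading of the hunk (dirmngr's real switch has more cases), and `max_tries` is an assumed bound the model adds so that the pre-patch behaviour, which the log shows repeating without end, terminates here.

```python
"""Model of dirmngr's keyserver retry policy before and after the 503 patch.

Added illustration, not dirmngr's code.  A HostPool stands in for the
addresses behind one keyserver name; the status each host returns is
constructed for the demonstration.
"""
from dataclasses import dataclass, field

# Status sets as read from the hunk in the report (an approximation of
# handle_send_request_error; the real function handles more codes).
POLICY_BEFORE = {"mark_dead": {502}, "select_other": {503, 504}}
POLICY_AFTER = {"mark_dead": {502, 503}, "select_other": {504}}


@dataclass
class HostPool:
    """Hosts behind one keyserver name and the status each always returns."""
    responses: dict                      # host -> HTTP status (constructed)
    dead: set = field(default_factory=set)
    cursor: int = 0

    def alive(self):
        return [h for h in self.responses if h not in self.dead]

    def pick(self):
        alive = self.alive()
        return alive[self.cursor % len(alive)] if alive else None

    def select_other(self):
        # "selecting a different host": with one live host this is the same host again.
        self.cursor += 1

    def mark_dead(self, host):
        self.dead.add(host)
        return bool(self.alive())        # like mark_host_dead(): anything left to try?


def lookup(pool, policy, max_tries=10):
    """Run one KS_SEARCH against the pool.

    Returns (outcome, attempts) where attempts is the list of (host, status)
    pairs actually requested.  max_tries is the assumed bound that keeps the
    pre-patch policy from looping forever in this model.
    """
    attempts = []
    tries_left = max_tries
    while tries_left:
        host = pool.pick()
        if host is None:
            return "all hosts dead", attempts
        status = pool.responses[host]
        attempts.append((host, status))
        if status == 200:
            return "ok", attempts
        tries_left -= 1
        if status in policy["mark_dead"]:
            if not pool.mark_dead(host):
                return "all hosts dead", attempts
        elif status in policy["select_other"]:
            pool.select_other()
        else:
            # e.g. the 404 from the public pool in the log: give up on this keyserver
            return f"http status {status}", attempts
    return "retries exhausted", attempts


if __name__ == "__main__":
    # The reporter's situation: one internal host that always answers 503.
    for name, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        pool = HostPool({"internal.corp.company.com": 503})
        outcome, attempts = lookup(pool, policy, max_tries=5)
        print(f"{name}: {outcome} after {len(attempts)} request(s)")
```

With the pre-patch sets the single-host pool is asked again and again until the model's bound runs out; with the patched sets the host is marked dead after one request and the lookup aborts. The cost of the patch is visible in a two-host pool: a host that answers 503 once is retired for the whole pool object, where the old policy would simply have moved to the next host and come back later.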