
#1 2020-11-02 11:46:55

bartus
Member
Registered: 2013-05-13
Posts: 50

PGP certificates missing for sks-keyserver.net in archstrap container.

When building a package inside an `arch-nspawn` container there's a problem with missing certificates for `sks-keyservers.net`.
`dirmngr` complains: TLS verification of peer failed: The certificate is NOT trusted. The certificate issuer is unknown.
Why are those certificates missing in the container created with `archstrap`?

dirmngr log:

[user@root phonon-qt4]$ dirmngr --daemon --verbose; gpg --recv-key B92A5F04EC949121
dirmngr[3119]: listening on socket '/home/user/.gnupg/S.dirmngr'
DIRMNGR_INFO=/home/user/.gnupg/S.dirmngr:3120:1; export DIRMNGR_INFO;
[user@root phonon-qt4]$ dirmngr[3120.0]: permanently loaded certificates: 139
dirmngr[3120.0]:     runtime cached certificates: 0
dirmngr[3120.0]:            trusted certificates: 139 (138,0,0,1)
dirmngr[3120.5]: handler for fd 5 started
dirmngr[3120.5]: connection from process 3121 (1000:1000)
dirmngr[3120.5]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'hkps.pool.sks-keyservers.net' [already known]
dirmngr[3120.5]: number of system provided CAs: 148
dirmngr[3120.5]: detected interfaces: IPv4 IPv6
dirmngr[3120.5]: TLS verification of peer failed: status=0x0042
dirmngr[3120.5]: TLS verification of peer failed: The certificate is NOT trusted. The certificate issuer is unknown.
dirmngr[3120.5]: DBG: expected hostname: hkps.pool.sks-keyservers.net
dirmngr[3120.5]: DBG: BEGIN Certificate 'server[0]':
dirmngr[3120.5]: DBG:      serial: 00A3
dirmngr[3120.5]: DBG:   notBefore: 2020-06-25 18:29:41
dirmngr[3120.5]: DBG:    notAfter: 2021-06-25 18:29:41
dirmngr[3120.5]: DBG:      issuer: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
dirmngr[3120.5]: DBG:     subject: 1.2.840.113549.1.9.1=#746F646440666C6565747374726565746F70732E636F6D,CN=sks.pod02.fleetstreetops.com,OU=Ops,O=Fleet Street Operations\, LLC,ST=Virginia,C=US
dirmngr[3120.5]: DBG:         aka: (8:dns-name28:hkps.pool.sks-keyservers.net)
dirmngr[3120.5]: DBG:         aka: (8:dns-name25:*.pool.sks-keyservers.net)
dirmngr[3120.5]: DBG:         aka: (8:dns-name23:pool.sks-keyservers.net)
dirmngr[3120.5]: DBG:         aka: (8:dns-name28:sks.pod02.fleetstreetops.com)
dirmngr[3120.5]: DBG:   hash algo: 1.2.840.113549.1.1.11
dirmngr[3120.5]: DBG:   SHA1 fingerprint: EA8EC89054D02547862D3F497DFC865F5E1EA80A
dirmngr[3120.5]: DBG: END Certificate
dirmngr[3120.5]: DBG: BEGIN Certificate 'server[1]':
dirmngr[3120.5]: DBG:      serial: 00AF73C8B4CF9F808F
dirmngr[3120.5]: DBG:   notBefore: 2012-10-09 00:33:37
dirmngr[3120.5]: DBG:    notAfter: 2022-10-07 00:33:37
dirmngr[3120.5]: DBG:      issuer: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
dirmngr[3120.5]: DBG:     subject: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
dirmngr[3120.5]: DBG:   hash algo: 1.2.840.113549.1.1.5
dirmngr[3120.5]: DBG:   SHA1 fingerprint: 791B27A38E667F8027814D4E68E7C478A45D5A17
dirmngr[3120.5]: DBG: END Certificate
dirmngr[3120.5]: TLS connection authentication failed: General error
dirmngr[3120.5]: error connecting to 'https://hkps.pool.sks-keyservers.net:443': General error
dirmngr[3120.5]: command 'KS_GET' failed: General error <Unspecified source>
dirmngr[3120.5]: handler for fd 5 terminated
dirmngr[3120.0]: running scheduled tasks (with network)

It can be overridden by specifying the `hkp://` protocol in the server URL, as described in the `gnupg` docs, but that's a hacky solution.


#2 2020-11-02 12:10:01

progandy
Member
Registered: 2012-05-17
Posts: 5,279

Re: PGP certificates missing for sks-keyserver.net in archstrap container.

They are missing everywhere. As of now, the only way to get them is a download from https://sks-keyservers.net/verify_tls.php and setting that in dirmngr.conf.

Sorry, wrong. They are included in the gnupg package, but you'll have to manually set them in dirmngr.conf or on the commandline. No idea what would have to be changed for that to be the default.

--hkp-cacert=/usr/share/gnupg/sks-keyservers.netCA.pem


Edit: The error message is also a very helpful "General error" instead of "Untrusted TLS certificate" ...

Last edited by progandy (2020-11-02 12:14:58)



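The fix above amounts to pinning a private CA for the hkps pool, so before pointing `hkp-cacert` at a file it is worth confirming that the file really is the CA the pool's certificate chains to. The following Python script is an added example, not code from either poster or from the gnupg project. It parses the dirmngr output from the first post to pull out the real cause hidden behind "General error" and the self-signed root the server sent (with its SHA1 fingerprint), and it computes the SHA1 fingerprint of every certificate in a PEM bundle the same way dirmngr prints it (SHA1 over the DER encoding) so that `/usr/share/gnupg/sks-keyservers.netCA.pem` can be compared against that root. The PEM embedded in the block is a constructed placeholder (a minimal DER SEQUENCE, not a certificate) so the script runs offline; the `dirmngr_conf_with_cacert` helper and the sample `dirmngr.conf` contents are illustrative.

```python
import base64
import hashlib
import re

# Excerpt of the dirmngr verbose log from the first post above, trimmed to the
# lines this example reads (the subject line that wrapped in the post is rejoined).
DIRMNGR_LOG = r"""
dirmngr[3120.5]: TLS verification of peer failed: status=0x0042
dirmngr[3120.5]: TLS verification of peer failed: The certificate is NOT trusted. The certificate issuer is unknown.
dirmngr[3120.5]: DBG: expected hostname: hkps.pool.sks-keyservers.net
dirmngr[3120.5]: DBG: BEGIN Certificate 'server[0]':
dirmngr[3120.5]: DBG:      serial: 00A3
dirmngr[3120.5]: DBG:      issuer: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
dirmngr[3120.5]: DBG:     subject: 1.2.840.113549.1.9.1=#746F646440666C6565747374726565746F70732E636F6D,CN=sks.pod02.fleetstreetops.com,OU=Ops,O=Fleet Street Operations\, LLC,ST=Virginia,C=US
dirmngr[3120.5]: DBG:   SHA1 fingerprint: EA8EC89054D02547862D3F497DFC865F5E1EA80A
dirmngr[3120.5]: DBG: END Certificate
dirmngr[3120.5]: DBG: BEGIN Certificate 'server[1]':
dirmngr[3120.5]: DBG:      serial: 00AF73C8B4CF9F808F
dirmngr[3120.5]: DBG:      issuer: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
dirmngr[3120.5]: DBG:     subject: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
dirmngr[3120.5]: DBG:   SHA1 fingerprint: 791B27A38E667F8027814D4E68E7C478A45D5A17
dirmngr[3120.5]: DBG: END Certificate
dirmngr[3120.5]: error connecting to 'https://hkps.pool.sks-keyservers.net:443': General error
"""

_BEGIN = re.compile(r"DBG: BEGIN Certificate '([^']+)'")
_FIELD = re.compile(r"DBG:\s+(serial|issuer|subject|SHA1 fingerprint):\s*(.*)$")
_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def tls_failure_reason(log):
    """The final 'General error' hides the cause; return dirmngr's first
    human-readable 'TLS verification of peer failed: ...' message."""
    for line in log.splitlines():
        m = re.search(r"TLS verification of peer failed: (?!status=)(.*)", line)
        if m:
            return m.group(1).strip()
    return None


def parse_chain(log):
    """Return the certificates dirmngr dumped, in the order the server sent them,
    as dicts with label, serial, issuer, subject and SHA1 fingerprint."""
    chain, cur = [], None
    for line in log.splitlines():
        m = _BEGIN.search(line)
        if m:
            cur = {"label": m.group(1)}
            continue
        if "DBG: END Certificate" in line and cur is not None:
            chain.append(cur)
            cur = None
            continue
        m = _FIELD.search(line) if cur is not None else None
        if m:
            cur[m.group(1)] = m.group(2).strip()
    return chain


def untrusted_root(chain):
    """The self-signed certificate (issuer == subject) in the chain: this is the
    CA whose fingerprint the hkp-cacert file must match."""
    for cert in chain:
        if cert.get("issuer") and cert.get("issuer") == cert.get("subject"):
            return cert
    return None


def pem_fingerprints(pem_text):
    """SHA1 fingerprint (uppercase hex, as dirmngr prints it) of each certificate
    in a PEM bundle. The fingerprint is SHA1 over the DER bytes, i.e. the
    base64-decoded body of each PEM block."""
    out = []
    for body in _PEM.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        if not der or der[0] != 0x30:  # an X.509 certificate is always a DER SEQUENCE
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        out.append(hashlib.sha1(der).hexdigest().upper())
    return out


def cacert_matches(pem_text, expected_sha1):
    """True if one of the certificates in the bundle has the expected fingerprint."""
    return expected_sha1.upper() in pem_fingerprints(pem_text)


def dirmngr_conf_with_cacert(conf_text, pem_path):
    """Return dirmngr.conf contents with 'hkp-cacert <pem_path>' present once.
    hkp-cacert may appear several times (one per CA), so other hkp-cacert lines
    are kept; only an exact duplicate of this one is avoided."""
    wanted = f"hkp-cacert {pem_path}"
    lines = conf_text.splitlines()
    if wanted not in (l.strip() for l in lines):
        lines.append(wanted)
    return "\n".join(lines) + "\n"


# Constructed placeholder standing in for a CA bundle: a minimal DER SEQUENCE
# (INTEGER 5), not a real certificate, so the example runs without the file.
CONSTRUCTED_DER = bytes.fromhex("3003020105")
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(CONSTRUCTED_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("cause:", tls_failure_reason(DIRMNGR_LOG))
    root = untrusted_root(parse_chain(DIRMNGR_LOG))
    print("root to compare against the hkp-cacert file:", root["subject"], root["SHA1 fingerprint"])
    print("placeholder bundle fingerprints:", pem_fingerprints(CONSTRUCTED_PEM))
    print(dirmngr_conf_with_cacert("keyserver hkps://hkps.pool.sks-keyservers.net\n",
                                   "/usr/share/gnupg/sks-keyservers.netCA.pem"), end="")
```

On a real system, feed the contents of `/usr/share/gnupg/sks-keyservers.netCA.pem` to `pem_fingerprints` and compare with the root fingerprint taken from the log (791B27A38E667F8027814D4E68E7C478A45D5A17 in the post); a mismatch means the shipped file is not the CA that signed the pool's certificate and should not be pinned. dirmngr reads the option file only at start, so after editing `~/.gnupg/dirmngr.conf` run `gpgconf --kill dirmngr` before retrying the `--recv-key`.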
