
Keys cannot be refreshed via "gpg2 --refresh-keys"
Closed, Resolved (Public)

Description

gpg2 --refresh-keys yields the following:

gpg: keyserver refresh failed: No keyserver available

However, I have everything set up in dirmngr.conf:

keyserver hkp://jirk5u4osbsr34t5.onion
keyserver hkps://hkps.pool.sks-keyservers.net
hkp-cacert /home/colan/.gnupg/sks-keyservers.netCA.pem

...and dirmngr can find it:

colan@snake[Tue 13 14:30]% dirmngr
dirmngr[26401.0]: permanently loaded certificates: 0
dirmngr[26401.0]: runtime cached certificates: 0

# Home: ~/.gnupg
# Config: /home/colan/.gnupg/dirmngr.conf

OK Dirmngr 2.1.11 at your service
keyserver
S KEYSERVER hkps://hkps.pool.sks-keyservers.net
OK

Looks like gpg2 isn't grabbing the correct information from the response, as here's what's happening with debugging turned on:

colan@snake[Tue 13 14:30]% gpg2 --refresh-keys --debug-all
[...]
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_6 -> GETINFO version
gpg: DBG: chan_6 <- D 2.1.11
gpg: DBG: chan_6 <- OK
gpg: DBG: chan_6 -> KEYSERVER
gpg: DBG: chan_6 <- OK
gpg: keyserver refresh failed: No keyserver available
gpg: DBG: chan_6 -> BYE

The downstream Ubuntu bug for this is
https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/1623159.
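The two debug traces above differ in one line: the interactive dirmngr session answers KEYSERVER with an `S KEYSERVER <url>` status line before `OK`, while the reply gpg2 received on chan_6 is a bare `OK`. The following is an added example (not GnuPG code and not part of this report) that parses Assuan replies of the shape shown here (`#` comment lines, `S` status lines, `D` data lines, a terminating `OK` or `ERR`) and models the decision gpg makes from them. The reply transcripts are constructed from the excerpts in this thread; the exact logic gpg uses internally is a simplified assumption.

```python
"""Added example: parse the Assuan reply to dirmngr's KEYSERVER command and
derive the outcome gpg reports.  Not GnuPG code; the reply transcripts below
are constructed from the debug excerpts in this report."""

# Reply seen in the interactive dirmngr session: one status line, then OK.
HEALTHY_REPLY = [
    "S KEYSERVER hkps://hkps.pool.sks-keyservers.net",
    "OK",
]
# Reply gpg2 saw on chan_6: a bare OK with no status line at all.
BROKEN_REPLY = ["OK"]
# Reply seen for KS_SEARCH on 2.1.17 later in this thread.
ERR_REPLY = ["ERR 1 General error <Unspecified source>"]
# Greeting dirmngr emits before the first command: comment lines, then OK.
GREETING = [
    "# Home: /tmp/tmp.XX38OOQCvR",
    "# Config: /tmp/tmp.XX38OOQCvR/dirmngr.conf",
    "OK Dirmngr 2.1.17 at your service",
]


class AssuanResponse:
    def __init__(self):
        self.status = {}     # keyword -> list of argument strings ("S KEYWORD args")
        self.data = []       # payloads of "D ..." lines
        self.ok_text = None  # text following OK, if any
        self.error = None    # (code, text) taken from an ERR line


def parse_response(lines):
    """Consume server->client lines up to the OK/ERR that terminates one command."""
    resp = AssuanResponse()
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#"):
            continue                        # comment line, ignored by clients
        if line == "OK" or line.startswith("OK "):
            resp.ok_text = line[3:]
            return resp
        if line.startswith("ERR "):
            parts = line.split(" ", 2)
            resp.error = (int(parts[1]), parts[2] if len(parts) > 2 else "")
            return resp
        if line.startswith("S "):
            parts = line.split(" ", 2)      # "S", keyword, optional argument text
            resp.status.setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
        elif line.startswith("D "):
            resp.data.append(line[2:])
        else:
            raise ValueError("unexpected Assuan line: %r" % line)
    raise ValueError("reply ended without OK or ERR")


def refresh_outcome(reply_lines):
    """Simplified model of gpg's decision after sending KEYSERVER: (servers, error_text)."""
    resp = parse_response(reply_lines)
    if resp.error is not None:
        return [], "keyserver refresh failed: %s" % resp.error[1]
    servers = [s for s in resp.status.get("KEYSERVER", []) if s]
    if not servers:
        # No "S KEYSERVER <url>" line reached the client: the situation in this report.
        return [], "keyserver refresh failed: No keyserver available"
    return servers, None


if __name__ == "__main__":
    for name, reply in (("healthy", HEALTHY_REPLY), ("broken", BROKEN_REPLY), ("err", ERR_REPLY)):
        print(name, refresh_outcome(reply))
    print("greeting:", parse_response(GREETING).ok_text)
```

The useful check when debugging a report like this one is therefore not whether dirmngr answers `OK` but whether an `S KEYSERVER` line precedes it; a client that only looks for `OK` would treat the broken reply as success.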

Details

Version
2.1.11

Event Timeline

colan added projects: gnupg, Bug Report.
colan added a subscriber: colan.

Sorry, I cannot reproduce this problem using 2.1.11:

% export GNUPGHOME=$(mktemp -d)
% echo "keyserver hkps://hkps.pool.sks-keyservers.net
hkp-cacert /home/teythoon/repos/g10/gnupg-2.1.11/dirmng/sks-keyservers.netCA.pem" > $GNUPGHOME/dirmngr.conf
% g10/gpg2 --recv-keys 99B03CE455DB476E737057B44FD0FA5528DB9E3F
gpg: /tmp/tmp.QINMXRcRqH/trustdb.gpg: trustdb created
gpg: key 28DB9E3F: public key "Justus Winter <justus@gnupg.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
% g10/gpg2 --refresh-keys
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: key 28DB9E3F: "Justus Winter <justus@gnupg.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

(Adding the .onion service makes no difference for me either.)

I can reproduce this with gpg (GnuPG) 2.1.17 on Chakra Linux.

% export GNUPGHOME=$(mktemp -d)
% echo "keyserver  hkps://hkps.pool.sks-keyservers.net
hkp-cacert /home/ramsi/.config/gnupg/sks-keyservers.netCA.pem" > $GNUPGHOME/dirmngr.conf
% gpg --debug-all --search-keys 82600055EBC85A93
gpg: Note: no default option file '/tmp/tmp.XX38OOQCvR/gpg.conf'
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_3 <- # Home: /tmp/tmp.XX38OOQCvR
gpg: DBG: chan_3 <- # Config: /tmp/tmp.XX38OOQCvR/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.1.17 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.1.17
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KS_SEARCH -- 82600055EBC85A93
gpg: DBG: chan_3 <- ERR 1 General error <Unspecified source>
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error
gpg: DBG: chan_3 -> BYE
gpg: DBG: [not enabled in the source] stop
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: secmem usage: 0/32768 bytes in 0 blocks

There seems to be some kind of TLS issue. @colan, can you reproduce this output?

% echo -e "KS_SEARCH 82600055EBC85A93" | dirmngr
dirmngr[8567]: error opening '/tmp/tmp.XX38OOQCvR/dirmngr_ldapservers.conf': No such file or directory
dirmngr[8567.0]: permanently loaded certificates: 0
dirmngr[8567.0]:     runtime cached certificates: 0
# Home: /tmp/tmp.XX38OOQCvR
# Config: /tmp/tmp.XX38OOQCvR/dirmngr.conf
OK Dirmngr 2.1.17 at your service
OK
dirmngr[8567.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'b4ckbone.de'
dirmngr[8567.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'sks.spodhuis.org'
dirmngr[8567.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'bone.digitalis.org'
dirmngr[8567.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'gpg.NebrWesleyan.edu'
dirmngr[8567.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:bc8:4700:2300::10:f15]'
dirmngr[8567.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'hufu.ki.iif.hu'
dirmngr[8567.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'gozer.rediris.es'
dirmngr[8567.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'mud.stack.nl'
dirmngr[8567.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'bone.digitalis.org' [already known]
dirmngr[8567.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'hufu.ki.iif.hu' [already known]
dirmngr[8567.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'b4ckbone.de' [already known]
dirmngr[8567.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'gpg.NebrWesleyan.edu' [already known]
dirmngr[8567.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'mud.stack.nl' [already known]
dirmngr[8567.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'gozer.rediris.es' [already known]
dirmngr[8567.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'sks.spodhuis.org' [already known]
dirmngr[8567.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'ams.sks.heypete.com'
dirmngr[8567.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'host-37-191-236-118.lynet.no'
dirmngr[8567.0]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': 'cryptonomicon.mit.edu'
dirmngr[8567.0]: TLS handshake failed: The server name sent was not recognized (alert 112)
dirmngr[8567.0]:   (sent server name 'cryptonomicon.mit.edu')
dirmngr[8567.0]: error connecting to 'https://cryptonomicon.mit.edu:443': Network error
dirmngr[8567.0]: marking host 'cryptonomicon.mit.edu' as dead
dirmngr[8567.0]: TLS handshake failed: The server name sent was not recognized (alert 112)
dirmngr[8567.0]:   (sent server name 'hufu.ki.iif.hu')
dirmngr[8567.0]: error connecting to 'https://hufu.ki.iif.hu:443': Network error
dirmngr[8567.0]: marking host 'hufu.ki.iif.hu' as dead
dirmngr[8567.0]: TLS verification of peer failed: hostname does not match
dirmngr[8567.0]: DBG: expected hostname: hkps.pool.sks-keyservers.net.
dirmngr[8567.0]: DBG: BEGIN Certificate 'server[0]':
dirmngr[8567.0]: DBG:      serial: 75
dirmngr[8567.0]: DBG:   notBefore: 2016-04-24 18:44:05
dirmngr[8567.0]: DBG:    notAfter: 2017-04-24 18:44:05
dirmngr[8567.0]: DBG:      issuer: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
dirmngr[8567.0]: DBG:     subject: CN=sks.spodhuis.org,OU=PGP Keyserver,O=GlobNIX Systems,C=NL
dirmngr[8567.0]: DBG:   hash algo: 1.2.840.113549.1.1.11
dirmngr[8567.0]: DBG:   SHA1 fingerprint: 3B7F90096DBE8BCEC510652FB0485841A4F4062D
dirmngr[8567.0]: DBG: END Certificate
dirmngr[8567.0]: DBG: BEGIN Certificate 'server[1]':
dirmngr[8567.0]: DBG:      serial: 00AF73C8B4CF9F808F
dirmngr[8567.0]: DBG:   notBefore: 2012-10-09 00:33:37
dirmngr[8567.0]: DBG:    notAfter: 2022-10-07 00:33:37
dirmngr[8567.0]: DBG:      issuer: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
dirmngr[8567.0]: DBG:     subject: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
dirmngr[8567.0]: DBG:   hash algo: 1.2.840.113549.1.1.5
dirmngr[8567.0]: DBG:   SHA1 fingerprint: 791B27A38E667F8027814D4E68E7C478A45D5A17
dirmngr[8567.0]: DBG: END Certificate
dirmngr[8567.0]: TLS connection authentication failed: General error
dirmngr[8567.0]: error connecting to 'https://sks.spodhuis.org:443': General error
dirmngr[8567.0]: command 'KS_SEARCH' failed: General error <Unspecified source>
ERR 1 General error <Unspecified source>
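The log above shows two distinct TLS failure modes on the pool: two members reject the server name dirmngr sent (GnuTLS alert 112, `unrecognized_name`), and a third member presents a leaf certificate whose subject CN is its own hostname while dirmngr expects the pool name `hkps.pool.sks-keyservers.net.` (note the trailing dot in the debug line). The following is an added example, not GnuPG code and not from any participant in this thread, that triages such a log per host and re-runs the reference-identity check that failed. SAMPLE_LOG is cut down from the excerpt above; the certificate name lists passed to `hostname_matches()` are assumptions, because the debug dump prints only the subject CN and does not show whether the certificate carried the pool name as a subject alternative name.

```python
"""Added example: triage the dirmngr TLS log above and re-run the hostname
check it failed.  Not GnuPG code.  SAMPLE_LOG is cut down from the excerpt in
this thread; the certificate name lists passed to hostname_matches() are
assumptions, since the debug dump prints only the subject CN."""
import re

SAMPLE_LOG = """\
dirmngr[8567.0]: TLS handshake failed: The server name sent was not recognized (alert 112)
dirmngr[8567.0]:   (sent server name 'cryptonomicon.mit.edu')
dirmngr[8567.0]: error connecting to 'https://cryptonomicon.mit.edu:443': Network error
dirmngr[8567.0]: marking host 'cryptonomicon.mit.edu' as dead
dirmngr[8567.0]: TLS verification of peer failed: hostname does not match
dirmngr[8567.0]: DBG: expected hostname: hkps.pool.sks-keyservers.net.
dirmngr[8567.0]: DBG: BEGIN Certificate 'server[0]':
dirmngr[8567.0]: DBG:     subject: CN=sks.spodhuis.org,OU=PGP Keyserver,O=GlobNIX Systems,C=NL
dirmngr[8567.0]: DBG: END Certificate
dirmngr[8567.0]: DBG: BEGIN Certificate 'server[1]':
dirmngr[8567.0]: DBG:     subject: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
dirmngr[8567.0]: DBG: END Certificate
dirmngr[8567.0]: TLS connection authentication failed: General error
dirmngr[8567.0]: error connecting to 'https://sks.spodhuis.org:443': General error
"""

PREFIX = re.compile(r"^dirmngr\[[\d.]+\]:\s*")
SENT_NAME = re.compile(r"\(sent server name '([^']+)'\)")
EXPECTED = re.compile(r"DBG: expected hostname: (\S+)")
SUBJECT_CN = re.compile(r"DBG:\s+subject: CN=([^,]+)")
CONNECT_ERR = re.compile(r"error connecting to 'https?://([^:/']+)(?::\d+)?': (.+)$")
DEAD = re.compile(r"marking host '([^']+)' as dead")


def triage(log_text):
    """Group dirmngr's messages by host: {host: {"reasons": [(kind, detail)], "dead": bool}}."""
    hosts = {}
    pending = None            # (kind, detail) of a TLS failure not yet tied to a host
    expected = leaf_cn = None

    def entry(host):
        return hosts.setdefault(host, {"reasons": [], "dead": False})

    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line.startswith("TLS handshake failed:"):
            pending = ("handshake_failed", line.split(": ", 1)[1])
        elif line.startswith("TLS verification of peer failed:"):
            pending = ("verify_failed", line.split(": ", 1)[1])
        elif SENT_NAME.search(line) and pending:
            # Alert 112 (unrecognized_name): the server rejected the SNI dirmngr sent.
            entry(SENT_NAME.search(line).group(1))["reasons"].append(pending)
            pending = None
        elif EXPECTED.search(line):
            expected = EXPECTED.search(line).group(1)
        elif SUBJECT_CN.search(line) and leaf_cn is None:
            leaf_cn = SUBJECT_CN.search(line).group(1)   # server[0] is the leaf
        elif CONNECT_ERR.search(line):
            host, err = CONNECT_ERR.search(line).groups()
            if pending:
                kind, detail = pending
                if kind == "verify_failed" and expected and leaf_cn:
                    detail += " (expected %s, leaf CN %s)" % (expected, leaf_cn)
                entry(host)["reasons"].append((kind, detail))
                pending, expected, leaf_cn = None, None, None
            entry(host)["reasons"].append(("connect_error", err))
        elif DEAD.search(line):
            entry(DEAD.search(line).group(1))["dead"] = True
    return hosts


def hostname_matches(expected, presented_names):
    """Reference-identity check in the RFC 6125 style: case and a trailing dot
    are normalised; '*' is honoured only as the entire leftmost label and
    matches exactly one label."""
    host = expected.lower().rstrip(".")
    for name in presented_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]                        # ".pool.example"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


if __name__ == "__main__":
    for host, info in triage(SAMPLE_LOG).items():
        print(host, "dead" if info["dead"] else "alive", info["reasons"])
    # What dirmngr compared: the pool name (trailing dot included) against the leaf CN.
    print(hostname_matches("hkps.pool.sks-keyservers.net.", ["sks.spodhuis.org"]))
    # Assumed SAN list under which a pool member would pass the same check.
    print(hostname_matches("hkps.pool.sks-keyservers.net.",
                           ["sks.spodhuis.org", "hkps.pool.sks-keyservers.net"]))
```

Two caveats when reading the output. A host marked dead for an SNI rejection is a server-side configuration problem that no client CA bundle fixes. For the hostname mismatch, the matcher strips the trailing dot before comparing, so the FQDN form in the debug line is not by itself a reason for failure in this model; the thread does not establish whether it was one in dirmngr, and the only fact the log supports is that the leaf subject CN was the member's own name rather than the pool name.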

I can't seem to reproduce the above or my original issue. I just upgraded to a newer Ubuntu release where gpg2 is now the default instead of gpg. Maybe that's what fixed it.

We have fixed a couple of bugs related to keyservers between 2.1.17 and the current .21.

May we close this bug?

Fine by me, unless someone else is still running into this.

marcus claimed this task.