gpg cannot retrieve key via wkd from http2 server
Open, Normal, Public

Description

If "http2" is set in nginx's config file for the server running the WKD, gpg is unable to retrieve the key: "gpg: error retrieving 'buildmaster@archlinux32.org' via WKD: General error"
No (failed or successful) accesses are logged on the server during a gpg --locate-key ....
Removing the "http2" from nginx's listen directive ("listen 443 ssl http2 default_server;" -> "listen 443 ssl default_server;") and restarting nginx fixes this issue.

This happened on arch linux with versions:
gpg (GnuPG) 2.2.17
libgcrypt 1.8.5

Details

Version
2.2.17

Does your nginx configuration mean that there is no fallback to standard HTTP?

I believe it means that it may fall back to HTTP/1.1 - the documentation is not clear to me on this.
A simple test, however, shows that at least curl has no problems using HTTP/1.1 or HTTP/1.0 with the http2-enabled nginx.

I set archlinux32.org back to http2 - so you can see for yourself how gpg fails to retrieve the key for buildmaster@archlinux32.org

Thanks. Here is a dirmngr log:

4 - 09:10:32 dirmngr[1055.129]: ntbtls:      serial: 03025598274c01e6b4add7ab04e2a45bb06b
4 - 09:10:32 dirmngr[1055.129]: ntbtls:      issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
4 - 09:10:32 dirmngr[1055.129]: ntbtls:     subject: CN=archlinux32.org
4 - 09:10:32 dirmngr[1055.129]: ntbtls:         aka: (8:dns-name15:archlinux32.org)
4 - 09:10:32 dirmngr[1055.129]: ntbtls:         aka: (8:dns-name24:packages.archlinux32.org)
4 - 09:10:32 dirmngr[1055.129]: ntbtls:         aka: (8:dns-name27:pool.mirror.archlinux32.org)
4 - 09:10:32 dirmngr[1055.129]: ntbtls:         aka: (8:dns-name19:www.archlinux32.org)
4 - 09:10:32 dirmngr[1055.129]: ntbtls:   notBefore: 2019-08-05 23:42:36
4 - 09:10:32 dirmngr[1055.129]: ntbtls:    notAfter: 2019-11-03 23:42:36
4 - 09:10:32 dirmngr[1055.129]: ntbtls:   hashAlgo: 1.2.840.113549.1.1.11
[...]
4 - 09:10:32 dirmngr[1055.129]: DBG: ntbtls(1): comparing hostname 'archlinux32.org' to 'openpgpkey.archlinux32.org'
4 - 09:10:32 dirmngr[1055.129]: DBG: ntbtls(1): comparing hostname 'packages.archlinux32.org' to 'openpgpkey.archlinux32.org'
4 - 09:10:32 dirmngr[1055.129]: DBG: ntbtls(1): comparing hostname 'pool.mirror.archlinux32.org' to 'openpgpkey.archlinux32.org'
4 - 09:10:32 dirmngr[1055.129]: DBG: ntbtls(1): comparing hostname 'www.archlinux32.org' to 'openpgpkey.archlinux32.org'
4 - 09:10:32 dirmngr[1055.129]: DBG: ntbtls(1): comparing hostname 'archlinux32.org' to 'openpgpkey.archlinux32.org'
4 - 09:10:32 dirmngr[1055.129]: DBG: ntbtls(1): x509_check_hostname returned: Wrong name <TLS>
4 - 09:10:32 dirmngr[1055.129]: DBG: ntbtls(2): handshake ready
4 - 09:10:32 dirmngr[1055.129]: TLS handshake failed: Wrong name <TLS>

So to me this looks like you forgot to add openpgpkey.archlinux32.org to the cert. I did this test with an NTBTLS build but it should be the same for GNUTLS. What I do not understand is that it worked for you when disabling HTTP/2. If you disable it again, I can check the difference .-)

werner triaged this task as Normal priority. Sep 20 2019, 9:16 AM

OK, I disabled it again. BTW: why do we need openpgpkey.archlinux32.org in the cert? Is this standard or did I misconfigure something?

The test above was with gpg master but I got the same result with current 2.2:

$ ~/b/gnupg-2.2/g10/gpg --locate-external-key --no-verbose buildmaster@archlinux32.org
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: WARNING: using experimental features from RFC4880bis!
gpg: error retrieving 'buildmaster@archlinux32.org' via WKD: Wrong name
gpg: error reading key: Wrong name
wk@wheatstone:~$ gpg-connect-agent --dirmngr
> getinfo version
D 2.2.18-beta15
OK

I also wonder why you get General Error and not Wrong name. I can see no code changes related to this in the 2.2 branch since 2.2.17.

It does not work either. Your problem is the use of a wildcard DNS for archlinux32.org:

$ host foosomething.archlinux32.org
foosomething.archlinux32.org is an alias for archlinux32.org.

Now dirmngr does an initial DNS lookup for openpgpkey.archlinux32.org and the wildcard DNS entry hits. dirmngr knows that the modern subdomain lookup is possible and uses this. Because you don't have that domain in your cert it fails. The solution to this is given in the latest WKD draft:

Sites which do not use the advanced method but employ wildcard DNS for
their sub-domains MUST make sure that the ~openpgpkey~ sub-domain is
not subject to the wildcarding. This can be done by inserting an
empty TXT RR for this sub-domain.

Now, why we have different results with HTTP/2 and without is not clear to me. It could be a DNS caching issue, but it might also be that you are not running 2.2.17 but an older version of dirmngr. We changed the way of looking up the openpgpkey sub-domain only in 2.2.17 to get better error messages.
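The following Python is an added example, not code from this thread or from GnuPG. It models the two mechanisms in the explanation above: which WKD method a client picks depending on whether openpgpkey.<domain> resolves (including RFC 4592 wildcard semantics, so an empty TXT RR on the sub-domain yields NODATA instead of the wildcard answer), and whether the TLS certificate then covers the host the client actually connects to. The SAN list is taken from the dirmngr log above; the zone data, the IP address and the function names are constructed for the example. It also computes the WKD URLs, since the hashed user-id is what both methods serve.

```python
"""WKD method selection, wildcard DNS and certificate hostname check.

Added example (not GnuPG/dirmngr code). All DNS data is an in-memory
zone and nothing is fetched over the network.
"""
import base64
import hashlib
from urllib.parse import quote

# RFC 4648 base32 alphabet -> z-base-32 alphabet (RFC 6189 section 5.1.6).
# WKD encodes the SHA-1 of the ASCII-lowercased local part this way; for a
# 160-bit digest the result is exactly 32 characters and needs no padding.
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_ZB32_MAP = str.maketrans(_B32, _ZB32)


def zbase32(data: bytes) -> str:
    """z-base-32 encode raw bytes (same bit grouping as RFC 4648 base32)."""
    return base64.b32encode(data).decode("ascii").rstrip("=").translate(_ZB32_MAP)


def wkd_hash(local_part: str) -> str:
    """Hashed user-id: only ASCII upper-case letters are mapped to lower case."""
    mapped = "".join(c.lower() if "A" <= c <= "Z" else c for c in local_part)
    return zbase32(hashlib.sha1(mapped.encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Both WKD URLs (advanced and direct method) for one mail address."""
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    h = wkd_hash(local)
    q = "?l=" + quote(local)
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{q}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{q}",
    }


def resolve_address(zone: dict, name: str):
    """Address (A or CNAME target) for name under RFC 4592 wildcard rules.

    zone maps owner name -> {rrtype: value}. A wildcard "*.<parent>" only
    covers names that do not exist in the zone at all. A name that owns any
    RR, even an empty TXT, exists, so an address query for it is NODATA
    (None) rather than the wildcard answer. Missing name and no wildcard
    is NXDOMAIN (also None).
    """
    rrs = zone.get(name)
    if rrs is not None:
        return rrs.get("A") or rrs.get("CNAME")
    parent = name.split(".", 1)[1]
    wild = zone.get("*." + parent)
    if wild is not None:
        return wild.get("A") or wild.get("CNAME")
    return None


def cert_matches(san_dns_names, hostname: str) -> bool:
    """Hostname check like the 'comparing hostname' lines in the log:
    exact dNSName match, or a leading '*' label matching exactly one label
    (RFC 6125 section 6.4.3)."""
    hostname = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == hostname:
            return True
        if name.startswith("*.") and "." in hostname:
            if hostname.split(".", 1)[1] == name[2:]:
                return True
    return False


def lookup_outcome(zone: dict, san_dns_names, address: str) -> dict:
    """What a client modelled on dirmngr would do for this address."""
    domain = address.rpartition("@")[2].lower()
    sub = "openpgpkey." + domain
    method = "advanced" if resolve_address(zone, sub) is not None else "direct"
    host = sub if method == "advanced" else domain
    return {"method": method, "url": wkd_urls(address)[method],
            "tls_host_ok": cert_matches(san_dns_names, host)}


# dNSName SANs as shown in the dirmngr log above.
ARCH_SAN = ["archlinux32.org", "packages.archlinux32.org",
            "pool.mirror.archlinux32.org", "www.archlinux32.org"]

# Constructed zone (documentation-range IP) mirroring `host foosomething...`:
# every sub-domain is a wildcard alias for the apex.
ZONE_WILDCARD = {"archlinux32.org": {"A": "203.0.113.10"},
                 "*.archlinux32.org": {"CNAME": "archlinux32.org"}}

# The fix from the WKD draft: an empty TXT RR makes the sub-domain exist,
# so the wildcard no longer applies and the direct method is used.
ZONE_FIXED = dict(ZONE_WILDCARD, **{"openpgpkey.archlinux32.org": {"TXT": ""}})

if __name__ == "__main__":
    for label, zone in (("wildcard", ZONE_WILDCARD), ("empty TXT", ZONE_FIXED)):
        print(label, lookup_outcome(zone, ARCH_SAN, "buildmaster@archlinux32.org"))
```

With the wildcard zone the client chooses the advanced method and the certificate check fails on openpgpkey.archlinux32.org, which is the "Wrong name" in the log; with the empty TXT record it falls back to the direct method and the apex certificate is sufficient. The other valid fix is adding openpgpkey.archlinux32.org (or a *.archlinux32.org wildcard) to the certificate and serving the advanced path.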

Thanks for the DNS explanation - IMHO, something about that should be added to the wiki.
If it does not work for you on HTTP/1 either, then I guess it's really just my gpg/dirmngr being outdated and this ticket can be closed.

Can you check which dirmngr version you are running:

gpg-connect-agent --dirmngr 'getinfo version' /bye

The wiki is a bit outdated anyway, we better write a standard FAQ for the web key directory.

$ gpg-connect-agent --dirmngr 'getinfo version' /bye
D 2.2.17
OK

werner edited projects, added Documentation, FAQ; removed Bug Report. Sep 30 2019, 9:39 AM