
On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired
Closed, Resolved, Public

Description

I have experienced the same problem on two Windows 11 PCs, each with a fresh install of gpg 2.3.7 (via https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.3.7_20220711.exe). The problem seems to be similar in nature to what was reported about earlier versions of gpg on Windows (see https://lists.wald.intevation.org/pipermail/gpg4win-announce/2021-October/000093.html).

Command gpg --version yields (extract):

gpg (GnuPG) 2.3.7
libgcrypt 1.10.1
Copyright (C) 2021 g10 Code GmbH
Home: C:\Users\mike\AppData\Roaming\gnupg

Command gpg --search-keys 575159689BEFB442 yields (in error, this is the bug):

gpg: error searching keyserver: Certificate expired
gpg: keyserver search failed: Certificate expired

I have gpg.conf (type C:\Users\mike\AppData\Roaming\gnupg\gpg.conf):

keyserver hkps://keys.openpgp.org

The same happens with other major keyservers (e.g. Ubuntu's).

I have tried this dirmngr.conf (type C:\Users\mike\AppData\Roaming\gnupg\gpg.conf):

log-file C:\Users\mike\AppData\Roaming\gnupg\dirmngr.log
debug-all

The log's contents are below (after first running the command gpgconf --kill dirmngr):

2022-08-18 12:17:29 dirmngr[28612] listening on socket 'C:\\Users\\mike\\AppData\\Local\\gnupg\\S.dirmngr'
2022-08-18 12:17:29 dirmngr[28612] DBG: number of certs loaded from store 'ROOT': 69
2022-08-18 12:17:29 dirmngr[28612] DBG: certificate 'CA' already cached
2022-08-18 12:17:29 dirmngr[28612] DBG: number of certs loaded from store 'CA': 151
2022-08-18 12:17:29 dirmngr[28612] permanently loaded certificates: 220
2022-08-18 12:17:29 dirmngr[28612]     runtime cached certificates: 0
2022-08-18 12:17:29 dirmngr[28612]            trusted certificates: 220 (220,0,0,0)
2022-08-18 12:17:29 dirmngr[28612] handler for fd 700 started
2022-08-18 12:17:29 dirmngr[28612] DBG: chan_0x000002bc -> # Home: C:\Users\mike\AppData\Roaming\gnupg
2022-08-18 12:17:29 dirmngr[28612] DBG: chan_0x000002bc -> # Config: C:/Users/mike/AppData/Roaming/gnupg/dirmngr.conf
2022-08-18 12:17:29 dirmngr[28612] DBG: chan_0x000002bc -> OK Dirmngr 2.3.7 at your service
2022-08-18 12:17:29 dirmngr[28612] DBG: chan_0x000002bc <- GETINFO version
2022-08-18 12:17:29 dirmngr[28612] DBG: chan_0x000002bc -> D 2.3.7
2022-08-18 12:17:29 dirmngr[28612] DBG: chan_0x000002bc -> OK
2022-08-18 12:17:29 dirmngr[28612] DBG: chan_0x000002bc <- KEYSERVER --clear hkps://keys.openpgp.org
2022-08-18 12:17:29 dirmngr[28612] DBG: chan_0x000002bc -> OK
2022-08-18 12:17:29 dirmngr[28612] DBG: chan_0x000002bc <- KS_SEARCH -- 575159689BEFB442
2022-08-18 12:17:29 dirmngr[28612] DBG: dns: dnsserver[0] '192.168.1.254'
2022-08-18 12:17:29 dirmngr[28612] DBG: dns: libdns initialized
2022-08-18 12:17:29 dirmngr[28612] DBG: dns: getsrv(_pgpkey-https._tcp.keys.openpgp.org) -> 0 records
2022-08-18 12:17:31 dirmngr[28612] DBG: dns: resolve_dns_name(keys.openpgp.org): Success
2022-08-18 12:17:31 dirmngr[28612] resolve_dns_addr for 'keys.openpgp.org': 'keys.openpgp.org' [already known]
2022-08-18 12:17:31 dirmngr[28612] resolve_dns_addr for 'keys.openpgp.org': 'keys.openpgp.org' [already known]
2022-08-18 12:17:31 dirmngr[28612] DBG: Using TLS library: NTBTLS 0.3.1
2022-08-18 12:17:31 dirmngr[28612] DBG: check_inet_support:  family: 23
2022-08-18 12:17:31 dirmngr[28612] DBG: check_inet_support:     addr: fe80::dc27:6f:dcb5:531e%4
2022-08-18 12:17:31 dirmngr[28612] DBG: check_inet_support:  family: 23
2022-08-18 12:17:31 dirmngr[28612] DBG: check_inet_support:     addr: 2a00:23c7:c181:f01:394b:d408:2ba:b7f2
2022-08-18 12:17:31 dirmngr[28612] DBG: check_inet_support:  family: 23
2022-08-18 12:17:31 dirmngr[28612] DBG: check_inet_support:     addr: 2a00:23c7:c181:f01:dc27:6f:dcb5:531e
2022-08-18 12:17:31 dirmngr[28612] DBG: check_inet_support:  family: 2
2022-08-18 12:17:31 dirmngr[28612] DBG: check_inet_support:     addr: 192.168.1.101
2022-08-18 12:17:31 dirmngr[28612] DBG: http.c:connect_server: trying name='keys.openpgp.org' port=443
2022-08-18 12:17:31 dirmngr[28612] DBG: dns: resolve_dns_name(keys.openpgp.org): Success
2022-08-18 12:17:31 dirmngr[28612] DBG: http.c:1951:socket_new: object 0x036d4320 for fd 1016 created
2022-08-18 12:17:31 dirmngr[28612] certificate already cached
2022-08-18 12:17:31 dirmngr[28612] certificate cached
2022-08-18 12:17:31 dirmngr[28612] DBG: BEGIN Certificate 'subject':
2022-08-18 12:17:31 dirmngr[28612] DBG:      serial: 0428BE7103124DD61DC852650A73175EA0E9
2022-08-18 12:17:31 dirmngr[28612] DBG:   notBefore: 2022-07-21 04:32:08
2022-08-18 12:17:31 dirmngr[28612] DBG:    notAfter: 2022-10-19 04:32:07
2022-08-18 12:17:31 dirmngr[28612] DBG:      issuer: CN=R3,O=Let's Encrypt,C=US
2022-08-18 12:17:31 dirmngr[28612] DBG:     subject: CN=keys.openpgp.org
2022-08-18 12:17:31 dirmngr[28612] DBG:         aka: (8:dns-name16:keys.openpgp.org)
2022-08-18 12:17:31 dirmngr[28612] DBG:   hash algo: 1.2.840.113549.1.1.11
2022-08-18 12:17:31 dirmngr[28612] DBG:   SHA1 fingerprint: 0C0E25AFBA7B0B27334A17DBC3743415D5FBE0F6
2022-08-18 12:17:31 dirmngr[28612] DBG: END Certificate
2022-08-18 12:17:31 dirmngr[28612] Note: non-critical certificate policy not allowed
2022-08-18 12:17:31 dirmngr[28612] DBG: find_cert_bysubject: certificate found in the cache by subject DN
2022-08-18 12:17:31 dirmngr[28612] DBG: got issuer's certificate:
2022-08-18 12:17:31 dirmngr[28612] DBG: BEGIN Certificate 'issuer':
2022-08-18 12:17:31 dirmngr[28612] DBG:      serial: 400175048314A4C8218C84A90C16CDDF
2022-08-18 12:17:31 dirmngr[28612] DBG:   notBefore: 2020-10-07 19:21:40
2022-08-18 12:17:31 dirmngr[28612] DBG:    notAfter: 2021-09-29 19:21:40
2022-08-18 12:17:31 dirmngr[28612] DBG:      issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2022-08-18 12:17:31 dirmngr[28612] DBG:     subject: CN=R3,O=Let's Encrypt,C=US
2022-08-18 12:17:31 dirmngr[28612] DBG:   hash algo: 1.2.840.113549.1.1.11
2022-08-18 12:17:31 dirmngr[28612] DBG:   SHA1 fingerprint: 48504E974C0DAC5B5CD476C8202274B24C8C7172
2022-08-18 12:17:31 dirmngr[28612] DBG: END Certificate
2022-08-18 12:17:31 dirmngr[28612] DBG: rsa_verify    => Good
2022-08-18 12:17:31 dirmngr[28612] DBG: gcry_pk_verify: Success
2022-08-18 12:17:31 dirmngr[28612] certificate is good
2022-08-18 12:17:31 dirmngr[28612] certificate has expired
2022-08-18 12:17:31 dirmngr[28612] (expired at 2021-09-29 19:21:40)
2022-08-18 12:17:31 dirmngr[28612] Note: non-critical certificate policy not allowed
2022-08-18 12:17:31 dirmngr[28612] DBG: find_cert_bysubject: certificate found in the cache by subject DN
2022-08-18 12:17:31 dirmngr[28612] DBG: got issuer's certificate:
2022-08-18 12:17:31 dirmngr[28612] DBG: BEGIN Certificate 'issuer':
2022-08-18 12:17:31 dirmngr[28612] DBG:      serial: 44AFB080D6A327BA893039862EF8406B
2022-08-18 12:17:31 dirmngr[28612] DBG:   notBefore: 2000-09-30 21:12:19
2022-08-18 12:17:31 dirmngr[28612] DBG:    notAfter: 2021-09-30 14:01:15
2022-08-18 12:17:31 dirmngr[28612] DBG:      issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2022-08-18 12:17:31 dirmngr[28612] DBG:     subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
2022-08-18 12:17:31 dirmngr[28612] DBG:   hash algo: 1.2.840.113549.1.1.5
2022-08-18 12:17:31 dirmngr[28612] DBG:   SHA1 fingerprint: DAC9024F54D8F6DF94935FB1732638CA6AD77C13
2022-08-18 12:17:31 dirmngr[28612] DBG: END Certificate
2022-08-18 12:17:31 dirmngr[28612] DBG: rsa_verify    => Good
2022-08-18 12:17:31 dirmngr[28612] DBG: gcry_pk_verify: Success
2022-08-18 12:17:31 dirmngr[28612] certificate is good
2022-08-18 12:17:31 dirmngr[28612] certificate has expired
2022-08-18 12:17:31 dirmngr[28612] (expired at 2021-09-30 14:01:15)
2022-08-18 12:17:31 dirmngr[28612] root certificate is good and trusted
2022-08-18 12:17:31 dirmngr[28612] target certificate is NOT valid
2022-08-18 12:17:31 dirmngr[28612] TLS handshake failed: Certificate expired <Dirmngr>
2022-08-18 12:17:31 dirmngr[28612] error connecting to 'https://keys.openpgp.org:443': Certificate expired
2022-08-18 12:17:31 dirmngr[28612] command 'KS_SEARCH' failed: Certificate expired
2022-08-18 12:17:31 dirmngr[28612] DBG: chan_0x000002bc -> ERR 167772261 Certificate expired <Dirmngr>
2022-08-18 12:17:31 dirmngr[28612] DBG: chan_0x000002bc <- BYE
2022-08-18 12:17:31 dirmngr[28612] DBG: chan_0x000002bc -> OK closing connection
2022-08-18 12:17:31 dirmngr[28612] handler for fd 700 terminated

As an aside, I also have an MSYS2-supplied version of gpg (2.2.35) on my system (not on the PATH). That version works as expected, with gpg --version yielding (extract):

gpg (GnuPG) 2.2.35
libgcrypt 1.10.1-unknown
Copyright (C) 2022 g10 Code GmbH
Home: /home/mike/.gnupg

and gpg --search-keys 575159689BEFB442 yielding (as expected):

gpg: data source: https://162.213.33.9:443
(1)     FPComplete <dev@fpcomplete.com>
          2048 bit RSA key 575159689BEFB442, created: 2015-06-02
Keys 1-1 of 1 for "575159689BEFB442".  Enter number(s), N)ext, or Q)uit > n

Details

Version
2.3.7

Event Timeline

It seems we were still providing the expired DST certificate, which led to an additional yet invalid trust path, which gnupg didn't consider "valid" overall. Mainstream TLS implementations are more lenient here which masked the issue for a bit.

I changed this on our end (keys.openpgp.org), hopefully that fixes it at least in our case. There are probably a whole bunch of broken WKD servers out there still.
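The chain problem described above can be read straight out of a dirmngr `debug-all` log. The following script is an added example for this thread, not GnuPG's or keys.openpgp.org's code: it parses the `BEGIN Certificate` / `END Certificate` blocks dirmngr writes, checks each link's validity window against the handshake timestamp, and reports a leaf that is fine while its served issuers are expired. The sample log is a constructed excerpt of the 2022-08-18 log from this thread with the RSA dumps left out.

```python
# Added example (not GnuPG's own code): flag expired links in the certificate
# path that dirmngr logged for a TLS handshake. Standard library only.
import re
from datetime import datetime
from typing import Dict, List, Optional

TIME_FMT = "%Y-%m-%d %H:%M:%S"
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) dirmngr\[\d+\] (.*)$")
BEGIN = re.compile(r"DBG: BEGIN Certificate '(\w+)':")
FIELD = re.compile(r"DBG:\s+(notBefore|notAfter|issuer|subject|SHA1 fingerprint):\s*(.*)$")

# Constructed sample: certificate blocks from the 2022-08-18 log in this thread,
# signature/hex dumps removed. Leaf first, then the issuers dirmngr found.
SAMPLE_LOG = """\
2022-08-18 12:17:31 dirmngr[28612] DBG: BEGIN Certificate 'subject':
2022-08-18 12:17:31 dirmngr[28612] DBG:   notBefore: 2022-07-21 04:32:08
2022-08-18 12:17:31 dirmngr[28612] DBG:    notAfter: 2022-10-19 04:32:07
2022-08-18 12:17:31 dirmngr[28612] DBG:      issuer: CN=R3,O=Let's Encrypt,C=US
2022-08-18 12:17:31 dirmngr[28612] DBG:     subject: CN=keys.openpgp.org
2022-08-18 12:17:31 dirmngr[28612] DBG: END Certificate
2022-08-18 12:17:31 dirmngr[28612] DBG: BEGIN Certificate 'issuer':
2022-08-18 12:17:31 dirmngr[28612] DBG:   notBefore: 2020-10-07 19:21:40
2022-08-18 12:17:31 dirmngr[28612] DBG:    notAfter: 2021-09-29 19:21:40
2022-08-18 12:17:31 dirmngr[28612] DBG:      issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2022-08-18 12:17:31 dirmngr[28612] DBG:     subject: CN=R3,O=Let's Encrypt,C=US
2022-08-18 12:17:31 dirmngr[28612] DBG: END Certificate
2022-08-18 12:17:31 dirmngr[28612] certificate has expired
2022-08-18 12:17:31 dirmngr[28612] DBG: BEGIN Certificate 'issuer':
2022-08-18 12:17:31 dirmngr[28612] DBG:   notBefore: 2000-09-30 21:12:19
2022-08-18 12:17:31 dirmngr[28612] DBG:    notAfter: 2021-09-30 14:01:15
2022-08-18 12:17:31 dirmngr[28612] DBG:      issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2022-08-18 12:17:31 dirmngr[28612] DBG:     subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
2022-08-18 12:17:31 dirmngr[28612] DBG: END Certificate
2022-08-18 12:17:31 dirmngr[28612] target certificate is NOT valid
"""


def parse_chain(log_text: str) -> List[Dict[str, str]]:
    """Collect the BEGIN/END Certificate blocks in the order dirmngr logged them."""
    certs: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        stamp, msg = m.groups()
        b = BEGIN.match(msg)
        if b:
            current = {"role": b.group(1), "logged_at": stamp}
            continue
        if current is None:
            continue
        if msg.startswith("DBG: END Certificate"):
            certs.append(current)
            current = None
            continue
        f = FIELD.match(msg)
        if f:
            current[f.group(1)] = f.group(2).strip()
    return certs


def check_chain(certs: List[Dict[str, str]], now: Optional[datetime] = None) -> List[Dict[str, object]]:
    """Validity of every link at `now` (default: the handshake time from the log line).
    A signature can verify ('certificate is good') while the certificate is outside
    its validity window, which is what dirmngr reports for R3 and DST Root CA X3."""
    findings: List[Dict[str, object]] = []
    for i, c in enumerate(certs):
        at = now or datetime.strptime(c["logged_at"], TIME_FMT)
        not_before = datetime.strptime(c["notBefore"], TIME_FMT)
        not_after = datetime.strptime(c["notAfter"], TIME_FMT)
        if at > not_after:
            status = "expired"
        elif at < not_before:
            status = "not yet valid"
        else:
            status = "valid"
        # Each link's issuer must be the next certificate's subject; the last is self-signed.
        nxt = certs[i + 1]["subject"] if i + 1 < len(certs) else c["subject"]
        findings.append({"subject": c["subject"], "status": status,
                         "notAfter": c["notAfter"], "linked": c["issuer"] == nxt})
    return findings


def diagnose(log_text: str) -> Dict[str, object]:
    """Summarise the served path: leaf status, expired issuers, overall verdict."""
    findings = check_chain(parse_chain(log_text))
    leaf_status = findings[0]["status"] if findings else "missing"
    expired_issuers = [f["subject"] for f in findings[1:] if f["status"] == "expired"]
    path_ok = bool(findings) and all(f["status"] == "valid" and f["linked"] for f in findings)
    return {"leaf_status": leaf_status, "expired_issuers": expired_issuers, "path_ok": path_ok}


if __name__ == "__main__":
    for f in check_chain(parse_chain(SAMPLE_LOG)):
        print(f"{f['status']:>13}  (notAfter {f['notAfter']})  {f['subject']}")
    print(diagnose(SAMPLE_LOG))
```

Run against a live dirmngr.log the same way; a leaf reported `valid` alongside expired issuers means the server is still sending the old cross-signed path and the fix belongs on the server side, as in this thread.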

Thank you, Valodim. I am new to GnuPG etc., so I am not sure if I should be doing something at my end. At the moment, whatever you have changed does not seem to have affected my experience. This is my current log for the same failed commands as above:

2022-08-22 21:31:19 dirmngr[1152] listening on socket 'C:\\Users\\mike\\AppData\\Local\\gnupg\\S.dirmngr'
2022-08-22 21:31:19 dirmngr[1152] DBG: number of certs loaded from store 'ROOT': 70
2022-08-22 21:31:19 dirmngr[1152] DBG: certificate 'CA' already cached
2022-08-22 21:31:19 dirmngr[1152] DBG: number of certs loaded from store 'CA': 151
2022-08-22 21:31:19 dirmngr[1152] permanently loaded certificates: 221
2022-08-22 21:31:19 dirmngr[1152]     runtime cached certificates: 0
2022-08-22 21:31:19 dirmngr[1152]            trusted certificates: 221 (221,0,0,0)
2022-08-22 21:31:19 dirmngr[1152] handler for fd 704 started
2022-08-22 21:31:19 dirmngr[1152] DBG: chan_0x000002c0 -> # Home: C:\Users\mike\AppData\Roaming\gnupg
2022-08-22 21:31:19 dirmngr[1152] DBG: chan_0x000002c0 -> # Config: C:/Users/mike/AppData/Roaming/gnupg/dirmngr.conf
2022-08-22 21:31:19 dirmngr[1152] DBG: chan_0x000002c0 -> OK Dirmngr 2.3.7 at your service
2022-08-22 21:31:19 dirmngr[1152] DBG: chan_0x000002c0 <- GETINFO version
2022-08-22 21:31:19 dirmngr[1152] DBG: chan_0x000002c0 -> D 2.3.7
2022-08-22 21:31:19 dirmngr[1152] DBG: chan_0x000002c0 -> OK
2022-08-22 21:31:19 dirmngr[1152] DBG: chan_0x000002c0 <- KEYSERVER --clear hkps://keys.openpgp.org
2022-08-22 21:31:19 dirmngr[1152] DBG: chan_0x000002c0 -> OK
2022-08-22 21:31:19 dirmngr[1152] DBG: chan_0x000002c0 <- KS_SEARCH -- 575159689BEFB442
2022-08-22 21:31:19 dirmngr[1152] DBG: dns: dnsserver[0] '192.168.1.254'
2022-08-22 21:31:19 dirmngr[1152] DBG: dns: libdns initialized
2022-08-22 21:31:20 dirmngr[1152] DBG: dns: getsrv(_pgpkey-https._tcp.keys.openpgp.org) -> 0 records
2022-08-22 21:31:20 dirmngr[1152] DBG: dns: resolve_dns_name(keys.openpgp.org): Success
2022-08-22 21:31:20 dirmngr[1152] resolve_dns_addr for 'keys.openpgp.org': 'keys.openpgp.org' [already known]
2022-08-22 21:31:20 dirmngr[1152] resolve_dns_addr for 'keys.openpgp.org': 'keys.openpgp.org' [already known]
2022-08-22 21:31:20 dirmngr[1152] DBG: Using TLS library: NTBTLS 0.3.1
2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support:  family: 23
2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support:     addr: fe80::dc27:6f:dcb5:531e%4
2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support:  family: 23
2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support:     addr: 2a00:23c7:c181:f01:246b:c705:4a54:3265
2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support:  family: 23
2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support:     addr: 2a00:23c7:c181:f01:dc27:6f:dcb5:531e
2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support:  family: 23
2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support:     addr: fe80::9055:5c7f:95b9:e13d%47
2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support:  family: 2
2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support:     addr: 192.168.1.101
2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support:  family: 2
2022-08-22 21:31:20 dirmngr[1152] DBG: check_inet_support:     addr: 172.22.176.1
2022-08-22 21:31:20 dirmngr[1152] DBG: http.c:connect_server: trying name='keys.openpgp.org' port=443
2022-08-22 21:31:20 dirmngr[1152] DBG: dns: resolve_dns_name(keys.openpgp.org): Success
2022-08-22 21:31:21 dirmngr[1152] DBG: http.c:1951:socket_new: object 0x036a2810 for fd 1020 created
2022-08-22 21:31:21 dirmngr[1152] certificate already cached
2022-08-22 21:31:21 dirmngr[1152] DBG: BEGIN Certificate 'subject':
2022-08-22 21:31:21 dirmngr[1152] DBG:      serial: 0431B075AFEFF12EBDD26C62BECFF6F47A91
2022-08-22 21:31:21 dirmngr[1152] DBG:   notBefore: 2022-08-22 14:26:24
2022-08-22 21:31:21 dirmngr[1152] DBG:    notAfter: 2022-11-20 14:26:23
2022-08-22 21:31:21 dirmngr[1152] DBG:      issuer: CN=R3,O=Let's Encrypt,C=US
2022-08-22 21:31:21 dirmngr[1152] DBG:     subject: CN=keys.openpgp.org
2022-08-22 21:31:21 dirmngr[1152] DBG:         aka: (8:dns-name16:keys.openpgp.org)
2022-08-22 21:31:21 dirmngr[1152] DBG:   hash algo: 1.2.840.113549.1.1.11
2022-08-22 21:31:21 dirmngr[1152] DBG:   SHA1 fingerprint: 8647D98EE3F7ADF2BB151AEAAF462BA2BDAFCDA4
2022-08-22 21:31:21 dirmngr[1152] DBG: END Certificate
2022-08-22 21:31:21 dirmngr[1152] Note: non-critical certificate policy not allowed
2022-08-22 21:31:21 dirmngr[1152] DBG: find_cert_bysubject: certificate found in the cache by subject DN
2022-08-22 21:31:21 dirmngr[1152] DBG: got issuer's certificate:
2022-08-22 21:31:21 dirmngr[1152] DBG: BEGIN Certificate 'issuer':
2022-08-22 21:31:21 dirmngr[1152] DBG:      serial: 400175048314A4C8218C84A90C16CDDF
2022-08-22 21:31:21 dirmngr[1152] DBG:   notBefore: 2020-10-07 19:21:40
2022-08-22 21:31:21 dirmngr[1152] DBG:    notAfter: 2021-09-29 19:21:40
2022-08-22 21:31:21 dirmngr[1152] DBG:      issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2022-08-22 21:31:21 dirmngr[1152] DBG:     subject: CN=R3,O=Let's Encrypt,C=US
2022-08-22 21:31:21 dirmngr[1152] DBG:   hash algo: 1.2.840.113549.1.1.11
2022-08-22 21:31:21 dirmngr[1152] DBG:   SHA1 fingerprint: 48504E974C0DAC5B5CD476C8202274B24C8C7172
2022-08-22 21:31:21 dirmngr[1152] DBG: END Certificate
2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify    => Good
2022-08-22 21:31:21 dirmngr[1152] DBG: gcry_pk_verify: Success
2022-08-22 21:31:21 dirmngr[1152] certificate is good
2022-08-22 21:31:21 dirmngr[1152] certificate has expired
2022-08-22 21:31:21 dirmngr[1152] (expired at 2021-09-29 19:21:40)
2022-08-22 21:31:21 dirmngr[1152] Note: non-critical certificate policy not allowed
2022-08-22 21:31:21 dirmngr[1152] DBG: find_cert_bysubject: certificate found in the cache by subject DN
2022-08-22 21:31:21 dirmngr[1152] DBG: got issuer's certificate:
2022-08-22 21:31:21 dirmngr[1152] DBG: BEGIN Certificate 'issuer':
2022-08-22 21:31:21 dirmngr[1152] DBG:      serial: 44AFB080D6A327BA893039862EF8406B
2022-08-22 21:31:21 dirmngr[1152] DBG:   notBefore: 2000-09-30 21:12:19
2022-08-22 21:31:21 dirmngr[1152] DBG:    notAfter: 2021-09-30 14:01:15
2022-08-22 21:31:21 dirmngr[1152] DBG:      issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2022-08-22 21:31:21 dirmngr[1152] DBG:     subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
2022-08-22 21:31:21 dirmngr[1152] DBG:   hash algo: 1.2.840.113549.1.1.5
2022-08-22 21:31:21 dirmngr[1152] DBG:   SHA1 fingerprint: DAC9024F54D8F6DF94935FB1732638CA6AD77C13
2022-08-22 21:31:21 dirmngr[1152] DBG: END Certificate
2022-08-22 21:31:21 dirmngr[1152] DBG: sigval: (sig-val 
2022-08-22 21:31:21 dirmngr[1152] DBG:          (rsa 
2022-08-22 21:31:21 dirmngr[1152] DBG:           (s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
2022-08-22 21:31:21 dirmngr[1152] DBG:           )
2022-08-22 21:31:21 dirmngr[1152] DBG:          (hash sha256))
2022-08-22 21:31:21 dirmngr[1152] DBG: PKCS#1 block type 1 encoded data:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2022-08-22 21:31:21 dirmngr[1152] DBG:                                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2022-08-22 21:31:21 dirmngr[1152] DBG:                                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2022-08-22 21:31:21 dirmngr[1152] DBG:                                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2022-08-22 21:31:21 dirmngr[1152] DBG:                                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2022-08-22 21:31:21 dirmngr[1152] DBG:                                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2022-08-22 21:31:21 dirmngr[1152] DBG:                                   ffffffffffffffffffffff003031300d06096086480165030402010500042032 \
2022-08-22 21:31:21 dirmngr[1152] DBG:                                   86ff65a65faf32085eea1388c3738ba7e37873c906cce3c4a28b4cc2a58988
2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify data:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  ffffffffffffffffffffff003031300d06096086480165030402010500042032 \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  86ff65a65faf32085eea1388c3738ba7e37873c906cce3c4a28b4cc2a58988
2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify  sig:+d94ce0c9f584883731dbbb13e2b3fc8b6b62126c58b7497e3c02b7a81f2861eb \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  cee02e73ef49077a35841f1dad68f0d8fe56812f6d7f58a66e3536101c73c3e5 \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  bd6d5e01d76e72fb2aa0b8d35764e55bc269d4d0b2f77c4bc3178e887273dcfd \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  fc6dbde3c90b8e613a16587d74362b55803dc763be8443c639a10e6b579e3f29 \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  c180f6b2bd47cbaa306cb732e159540b1809175e636cfb96673c1c730c938bc6 \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  11762486de400707e47d2d66b525a39658c8ea80eecf693b96fce68dc033f389 \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  f8292d14142d7ef06170955df70be5c0fb24faec8ecb61c8ee637128a82c053b \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  77ef9b5e0364f051d1e485535cb00297d47ec634d2ce1000e4b1df3ac2ea17be
2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify    n:+dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c11814 \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  8be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8c \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  e5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38 \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115 \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d
2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify    e:+010001
2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify  cmp:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  ffffffffffffffffffffff003031300d06096086480165030402010500042032 \
2022-08-22 21:31:21 dirmngr[1152] DBG:                  86ff65a65faf32085eea1388c3738ba7e37873c906cce3c4a28b4cc2a58988
2022-08-22 21:31:21 dirmngr[1152] DBG: rsa_verify    => Good
2022-08-22 21:31:21 dirmngr[1152] DBG: gcry_pk_verify: Success
2022-08-22 21:31:21 dirmngr[1152] certificate is good
2022-08-22 21:31:21 dirmngr[1152] certificate has expired
2022-08-22 21:31:21 dirmngr[1152] (expired at 2021-09-30 14:01:15)
2022-08-22 21:31:21 dirmngr[1152] root certificate is good and trusted
2022-08-22 21:31:21 dirmngr[1152] target certificate is NOT valid
2022-08-22 21:31:21 dirmngr[1152] TLS handshake failed: Certificate expired <Dirmngr>
2022-08-22 21:31:21 dirmngr[1152] error connecting to 'https://keys.openpgp.org:443': Certificate expired
2022-08-22 21:31:21 dirmngr[1152] command 'KS_SEARCH' failed: Certificate expired
2022-08-22 21:31:21 dirmngr[1152] DBG: chan_0x000002c0 -> ERR 167772261 Certificate expired <Dirmngr>
2022-08-22 21:31:21 dirmngr[1152] DBG: chan_0x000002c0 <- BYE
2022-08-22 21:31:21 dirmngr[1152] DBG: chan_0x000002c0 -> OK closing connection
2022-08-22 21:31:21 dirmngr[1152] handler for fd 704 terminated

In that case, it's a bug in gnupg and there's nothing I can further do from my side 🤷

Basically, the website in question (e.g. https://openpgpkey.gnupg.org/, which exhibits this problem) serves up three certificates:

  • its own end-entity certificate
  • the let's encrypt CA's certificate, which is signed by ISRG Root X1, and
  • a cross-signed version of ISRG Root X1's certificate, which was issued by DST Root CA X3

But although the DST Root CA X3 cert was widely accepted in root stores, it expired on 2021-09-30 (nearly a year ago!)

However, at the time of expiration, most root stores already contained a legitimate and trusted copy of the ISRG Root X1 cert. So a TLS implementation can simply ignore the third certificate shipped by the server, and find a valid chain from the end-entity cert to a cert in its trusted root store.

It sounds like ntbtls either (a) does not know about ISRG Root X1, or (b) isn't checking for the ability to form a valid chain while ignoring one of the certificates provided by the remote server.

Other TLS implementations have made the (b) mistake as well: for example, this looks very much like https://gitlab.com/gnutls/gnutls/-/issues/1008. I think ntbtls needs to be a bit more clever about finding a certificate path, and not relying exclusively on the full chain from the website it reaches.

The other way that this could be fixed in the meantime is for websites like openpgpkey.gnupg.org that currently serve three certs to drop the final cert (there's no point in shipping it today, since its issuer is indeed expired). But that would be a temporary fix -- the next time there's a reshuffling of the widely-accepted certificate authorities, ntbtls would find itself in the same situation.

@mpilgrem: in the meantime, for connecting to keys.openpgp.org, which *has* cleaned up its certificate chain, you might also want to try killing your dirmngr process, and/or cleaning up the data in .gnupg/dirmngr-cache.d/.

I mention this because your log contains the line certificate already cached. Perhaps clearing up the cache and restarting the dirmngr process will let you connect again to keys.openpgp.org (though it will probably run into the same problem if you try to do some sort of WKD fetch of anything from the gnupg.org domain, for example:

gpg --locate-external-keys wk@gnupg.org

If it has the same failure there, that's because openpgpkey.gnupg.org is serving up the three-part chain, as documented above.

Thank you dkg. I am new to 'certificates' generally - and a little knowledge is a dangerous thing - but this is what I did:

I did not have a directory C:\Users\mikep\AppData\Roaming\gnupg\dirmngr-cache.d.

However, searching in Windows 11 'Start' for certificates, I found Manage user certificates (the certmgr snap-in for Control Panel). In some of the listed 'Logical Store Names', under 'Certificates' folders, by sorting by 'Expiration Date', I found items with references to 'DST Root CA X3' expiring at the end of September 2021. I deleted those items and ... gpg then worked!

❯ gpg --search-keys 575159689BEFB442
gpg: data source: https://keys.openpgp.org:443
(1)       2048 bit RSA key 575159689BEFB442, created: 2015-06-02
Keys 1-1 of 1 for "575159689BEFB442".  Enter number(s), N)ext, or Q)uit > n

It also now worked with keyserver keyserver.ubuntu.com:

❯ gpg --search-keys 575159689BEFB442
gpg: data source: http://162.213.33.8:11371
(1)     FPComplete <dev@fpcomplete.com>
          2048 bit RSA key 575159689BEFB442, created: 2015-06-02
Keys 1-1 of 1 for "575159689BEFB442".  Enter number(s), N)ext, or Q)uit > n

Hopefully, by deleting things that have expired, I have not broken something else somewhere.

mpilgrem claimed this task.

I'll reopen this ticket here, since the underlying issue is not quite resolved yet as @dkg helpfully outlined above.

Doing the same thing on my second PC, I can be more precise:

I had a certificate issued to R3 and issued by 'DST Root CA X3' that expired on 29/09/2021 and was listed under 'Logical Store Name' 'Intermediate Certification Authorities'. Deleting just that certificate solved the problem on my second PC.

werner claimed this task.

@mpilgrem, i'm glad that removing the DST Root CA X3 from your windows control panel worked for you, but it still doesn't seem to be a reasonable fix from a GnuPG user perspective

Removing a trusted root CA should never make a given invalid certificate become valid.

It sounds to me like the problem is in dirmngr's (ntbtls's?) certificate validation code. By removing DST Root CA X3's cert from your trusted root store, you've managed to hide the problem for yourself, but the next time a root certificate expires, you'll have the same problem all over again.

I don't have a windows installation or an ntbtls build of GnuPG to test against, but a bit of tracing of the source code suggests that certificate validation is happening in validate_cert_chain in dirmngr/validate.c in the GnuPG sources. Background: ntbtls appears to rely on a certificate validation callback, and some wrapper around this function is what gets passed in.

Maybe this is the place to look for the problem?

dkg reopened this task as Open. Edited Aug 25 2022, 12:46 AM

Thanks for the followup about R3, @mpilgrem! Looking at your logs in more detail, and the source code for find_cert_bysubject in dirmngr/certcache.c, i think i see what the issue is. It's slightly more subtle than not terminating early if a known trusted root can validate a truncated chain.

Here's the situation:

  • dirmngr had cached a certificate for Let's Encrypt's R3 intermediate that itself was issued by DST Root CA X3. (that's this cert, )
  • dirmngr also presumably had cached a certificate for Let's Encrypt's R3 intermediate that was issued by the ISRG Root X1, since that intermediate cert is what is being offered by the website operators.(that's this cert, )

Note that both of these R3 certificates have the same SubjectKeyIdentifier extension as each other, and also have the same Subject field as each other (their issuer differs, of course).

But neither of the two certificates for this intermediate CA are explicitly in the trust list. OTOH, both ISRG Root X1 and DST Root CA X3 are trusted root authorities.

The end-entity cert for the services @mpilgrem was issued by R3, with its appropriate AuthorityKeyIdentifier.

In find_cert_bysubject, certificates are pulled from dirmngr's cache based on the dependent cert's authorityKeyIdentifier (which is intended to match the subjectKeyIdentifier) and the dependent cert's Issuer field (which is intended to match the Subject field). This walks through the certificate cache and tries to find the right choice.

Indeed, if it finds a matching certificate that happens to already be a trusted root, it will happily handle such a truncated chain:

/* We stop at the first trusted certificate and ignore
 * any yet found non-trusted certificates.   */

So far, so good.

The problem is that the logic for selecting intermediate (not trusted) certificates is brittle, and subject to the order in which dirmngr encounters the intermediate certs. When it encounters a cached, non-trusted cert, the comment reads:

/* Not trusted.  Save only the first one but continue
 * the loop in case there is also a trusted one.  */

So, if it encountered the DST-issued cert for the intermediate R3 CA first, it would chain back to the expired DST trust root.

But if it encountered the ISRG-issued cert for the intermediate R3 CA first, it would chain back to the non-expired ISRG root.

This seems like a fundamental problem with this approach to iterative path-walking in a potentially fully-connected tree. A proper depth-first-search algorithm ought to be able to do this right, but it would require rearchitecting the code in dirmngr/certcache.c.

As a workaround, dirmngr could try to prune or reorder its certificate cache more aggressively, to minimize the number of chances for this to happen. For example, during some sort of scheduled housekeeping, it could make a list of all the non-expired trusted root certs, find every cached intermediate certificate issued by any of them, and move those certificates to the "front" of the certificate cache, so that they're found "first". To handle something like that happening another layer deeper, it seems like you'd need to then find all certs issued by those intermediate CAs and move them to the "front", and so on. (How to schedule such housekeeping and perform it efficiently is left as an exercise to the reader.)

This is not something i have the capacity to do, but i don't think this issue is currently resolved, so i'm reopening it.

I believe you ought to be able to replicate this problem from a fresh dirmngr that uses ntbtls by exposing it to

and then trying to connect to any server (like openpgpkey.gnupg.org) whose end-entity certificate is directly certified by R3.
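As an added illustration of the cache-order dependence described in this comment, and of the cross-signed chain described earlier in the thread, here is a toy C model. It is example code written for this page, not GnuPG's certcache.c: the CA names and the two DST-related expiry dates come from the thread, while the key-identifier tags, the leaf certificate, the other dates and the function names (`first_match`, `validate_first_match`, `validate_dfs`) are constructed for the example, and no signatures are actually verified. It contrasts a first-match issuer lookup, which fails or succeeds depending on which R3 certificate the cache holds first, with a depth-first search over all candidate issuers, which finds the ISRG path in either order.

```c
/* Added example, not GnuPG code: a toy certificate cache that reproduces the
 * path-building problem discussed in this thread.  Dates are YYYYMMDD
 * integers; only the two DST-related expiry dates are taken from the log,
 * everything else is constructed.  No signatures are checked. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct cert {
    const char *subject;
    const char *ski;        /* SubjectKeyIdentifier (constructed tag) */
    const char *issuer;
    const char *aki;        /* AuthorityKeyIdentifier (constructed tag) */
    long not_after;         /* expiry as YYYYMMDD */
    int trusted_root;       /* 1 if the cert is in the trust list */
} cert_t;

static const long NOW = 20220822;   /* date of the dirmngr log in the report */

/* Trust anchors: both trusted, but DST Root CA X3 expired on 2021-09-30. */
static const cert_t dst_root    = {"DST Root CA X3", "dst",  "DST Root CA X3", "dst",  20210930, 1};
static const cert_t isrg_root   = {"ISRG Root X1",   "isrg", "ISRG Root X1",   "isrg", 20350604, 1};
/* Two certificates for the same R3 intermediate (same subject, same SKI):
 * the DST-issued one expired 2021-09-29, the ISRG-issued one is still valid. */
static const cert_t r3_by_dst   = {"R3", "r3", "DST Root CA X3", "dst",  20210929, 0};
static const cert_t r3_by_isrg  = {"R3", "r3", "ISRG Root X1",   "isrg", 20250915, 0};
/* Cross-signed ISRG Root X1 issued by DST, the "third cert" some servers ship. */
static const cert_t isrg_by_dst = {"ISRG Root X1", "isrg", "DST Root CA X3", "dst", 20240930, 0};
/* Constructed end-entity certificate issued by R3. */
static const cert_t leaf        = {"keys.openpgp.org", "leaf", "R3", "r3", 20221101, 0};

/* Issuer match on AKI == SKI and Issuer == Subject, as the thread describes. */
static int issued_by(const cert_t *child, const cert_t *cand)
{
    return strcmp(child->aki, cand->ski) == 0
        && strcmp(child->issuer, cand->subject) == 0;
}

/* Mimics the selection rule quoted from find_cert_bysubject: stop at the
 * first trusted match, otherwise keep only the first non-trusted match. */
static const cert_t *first_match(const cert_t *cache[], int n, const cert_t *child)
{
    const cert_t *untrusted = NULL;
    for (int i = 0; i < n; i++) {
        if (!issued_by(child, cache[i])) continue;
        if (cache[i]->trusted_root) return cache[i];
        if (!untrusted) untrusted = cache[i];
    }
    return untrusted;
}

/* Iterative walk that asks first_match for the issuer at every step.
 * Returns 1 for a valid chain, 0 otherwise. */
int validate_first_match(const cert_t *cache[], int n, const cert_t *target)
{
    const cert_t *cur = target;
    for (int depth = 0; depth < 8; depth++) {
        if (cur->not_after < NOW) return 0;   /* "certificate has expired" */
        if (cur->trusted_root) return 1;      /* "root certificate is good and trusted" */
        cur = first_match(cache, n, cur);
        if (!cur) return 0;                   /* no issuer in the cache */
    }
    return 0;
}

/* Depth-first search over every matching issuer: 1 if some path reaches an
 * unexpired trusted root through unexpired certificates only. */
int validate_dfs(const cert_t *cache[], int n, const cert_t *cur, int depth)
{
    if (cur->not_after < NOW || depth > 8) return 0;
    if (cur->trusted_root) return 1;
    for (int i = 0; i < n; i++)
        if (cache[i] != cur && issued_by(cur, cache[i])
            && validate_dfs(cache, n, cache[i], depth + 1))
            return 1;
    return 0;
}

/* The same five cached certs in two orders: DST-issued R3 first, or ISRG-issued R3 first. */
static const cert_t *cache_dst_first[]  = {&dst_root, &isrg_root, &isrg_by_dst, &r3_by_dst, &r3_by_isrg};
static const cert_t *cache_isrg_first[] = {&isrg_root, &dst_root, &isrg_by_dst, &r3_by_isrg, &r3_by_dst};
#define CACHE_LEN 5

int main(void)
{
    printf("first-match, DST-issued R3 cached first : %d\n",
           validate_first_match(cache_dst_first, CACHE_LEN, &leaf));   /* prints 0 */
    printf("first-match, ISRG-issued R3 cached first: %d\n",
           validate_first_match(cache_isrg_first, CACHE_LEN, &leaf));  /* prints 1 */
    printf("DFS, either order                       : %d %d\n",
           validate_dfs(cache_dst_first, CACHE_LEN, &leaf, 0),
           validate_dfs(cache_isrg_first, CACHE_LEN, &leaf, 0));       /* prints 1 1 */
    return 0;
}
```

The cross-signed `isrg_by_dst` entry never harms either walker, because a trusted match for "ISRG Root X1" wins over the non-trusted cross-signed copy in both strategies; the damage comes only from the two non-trusted R3 entries, where the first-match rule cannot tell the expired DST-issued copy from the valid ISRG-issued one.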

Thank you @dkg for the analysis. Unfortunately, the certificate cache is hashed by SHA-1 FPR, so, I think that it is a bit difficult to implement moving certs "front" / "back".

Easier workaround (no major architectural changes for certcache.c) would be to validate expiration time at the time of putting root certificate into the cache (not to cache if it's expired).
I'm considering this:

diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index 7f29ec859..30d4d89fa 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -271,6 +271,20 @@ put_cert (ksba_cert_t cert, int permanent, unsigned int trustclass,
   cert_item_t ci;
   fingerprint_list_t ignored;
 
+  if (permanent)
+    {                           /* Do a little validation.  */
+      ksba_isotime_t not_after;
+      ksba_isotime_t current_time;
+
+      if (ksba_cert_get_validity (cert, 1, not_after))
+        return gpg_error (GPG_ERR_BAD_CERT);
+
+      gnupg_get_isotime (current_time);
+
+      if (*not_after && strcmp (current_time, not_after) > 0)
+        return gpg_error (GPG_ERR_CERT_EXPIRED);
+    }
+
   fpr = fpr_buffer? fpr_buffer : &help_fpr_buffer;
 
   /* If we already reached the caching limit, drop a couple of certs
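Review bot: the new expiry check at the top of put_cert is guarded by `if (permanent)`, so certificates added to the cache non-permanently bypass it entirely and an expired intermediate can still enter the cache that way; consider applying the check regardless of `permanent`, or adding a comment explaining why non-permanent entries are exempt. Two further caveats on the same block: it only compares `not_after` against the insertion-time clock, so a certificate that expires after it was cached is still returned by later lookups, and `notBefore` is not examined at all, so a not-yet-valid certificate is accepted. Since the `ksba_cert_get_validity (cert, 1, not_after)` failure maps to `GPG_ERR_BAD_CERT`, it would also help to log which certificate was rejected and why, so that a user comparing the "number of certs loaded" counts can see the effect of this filter.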

@dkg: Thanks for the detailed description of the problem.

@gniibe: That is a good idea.

BTW, the certificate validation code is used by ntbtls and gnutls.

werner triaged this task as Wishlist priority. Aug 25 2022, 8:42 AM
werner edited projects, added workaround; removed Windows.
gniibe added a project: Restricted Project. Edited Aug 26 2022, 2:37 AM

Pushed the change of mine to master, since I can confirm that it results in validate_cert_chain working better, because of put_cert's rejecting an intermediate certificate too.

rejecting an intermediate certificate too.

I meant:

  • by not registering invalid certificates from the system, questionable intermediate certificates will be rejected at put_cert.
  • Then, there will be fewer invalid certificates in the cache.
  • It results in validate_cert_chain working better.

Thanks, @gniibe -- i agree that this change to put_cert should be helpful, when encountering a certificate that is already invalid.

What happens when the certificate is not yet invalid, but it is put in the cache? Then, later, the certificate expires. Will this problem resurface?

In the situation of a certificate about to be expired in the cache:

will this problem resurface?

Yes, it will cause the same problem, as this is only a workaround (rejecting already expired ones). The serious fix should go into T5882.

I am not good at X.509 things, but looking around the existing practice (maximum depth is only two or so, cross-signing is kind of exceptional (not common)), full support of checking all the possible paths by validate_cert_chain would not be computationally expensive.

werner changed the task status from Open to Testing. Sep 22 2022, 10:46 AM
werner removed a project: Restricted Project.

We should close this. The recent fix in 2.2 and the forthcoming 2.3 does everything we want. In the meantime or if further problems turn up, --ignore-cert is a good workaround.