------ Original Message ------
From: "Werner Koch via Gnupg-users" <gnupg-users@gnupg.org>
To:
Sent: 11.01.2022 11:52:00
Subject: Gpg4win LetsEncrypt issue

For details please see https://dev.gnupg.org/T5639 which was fixed with
GnuPG 2.2.32 and 2.3.4.

Hello,

I'd say the problem is not fixed in either GnuPG 2.2.32 or 2.3.4. At least not on Windows 10. Along with Alex Nadtoka & Anze Jesterle, I'm another person suffering from the same issue.

If I try to search for some keys on some keyserver not using the Let's Encrypt certificate, like hkp(s)://keyserver-01.2ndquadrant.com, there's no problem.

If I try to search on hkp://keyserver.ubuntu.com, there's no problem as well.

But if I try to search on hkps://keyserver.ubuntu.com or hkp(s)://keys.openpgp.org, I'm getting:

C:\Users\David>gpg --keyserver hkps://keyserver.ubuntu.com --search-keys opensuse
gpg: error searching keyserver: Certificate expired
gpg: keyserver search failed: Certificate expired

Both keyserver.ubuntu.com and keys.openpgp.org key servers use the LE certificate. On a side note, I wonder why hkp://keys.openpgp.org doesn't work either since the hkp:// protocol works on top of HTTP and not HTTPS, but that's another issue.

If I remove the invalid intermediate certificate R3, issued by DST Root CA X3, expired on 09/29/2021 from certmgr.msc and then reload dirmngr, "certificate expired" error no longer shows in any case.

I've checked I have the new valid intermediate certificate R3, issued by ISRG Root X1, expiring on 09/15/2025 present in certmgr.msc and yet in such a case dirmngr shows in its log that it still tries the old verification path when the invalid R3 cert is installed. I would attach the whole log but it's partly in Czech and I don't know how to switch the output fully to English since it doesn't work despite setting the LC_MESSAGES=C variable.

So to me, it seems that both GnuPG 2.2.32 and 2.3.4 (installed via GnuPG4Win 4.0) on Win10 still suffer from the issue. So can we re-open the bug report https://dev.gnupg.org/T5639 or https://dev.gnupg.org/T5744 or should I create another one?

Thanks,
David K.


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
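
Added example, not part of the original message and not dirmngr's code: a simplified Python model of the symptom described above, where two R3 intermediates share a subject and a builder that follows only the first issuer it finds reports "Certificate expired" although a valid path through ISRG Root X1 exists. The first-match strategy, the store ordering, the leaf name, and the leaf and root expiry dates are assumptions; only the two R3 expiry dates come from the message.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Constructed stand-ins for the certificates named in the message.
# R3 expiry dates are the ones quoted there; all other values are assumptions.
OLD_R3 = Cert("R3", "DST Root CA X3", date(2021, 9, 29))
NEW_R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
ISRG_ROOT = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
LEAF = Cert("keyserver.example", "R3", date(2022, 3, 1))
TODAY = date(2022, 1, 11)  # evaluation date for the model (constructed)

def issuers(cert, store):
    """All store entries whose subject matches the certificate's issuer."""
    return [c for c in store if c.subject == cert.issuer]

def first_match_path(leaf, store, today):
    """Hypothetical naive builder: follow only the first issuer at each step."""
    path, cert = [leaf], leaf
    while cert.subject != cert.issuer:
        found = issuers(cert, store)
        if not found:
            return None, "Missing issuer certificate"
        cert = found[0]
        path.append(cert)
    if any(c.not_after < today for c in path):
        return None, "Certificate expired"
    return path, "OK"

def any_valid_path(cert, store, today):
    """Try every issuer candidate depth-first and skip expired certificates."""
    if cert.not_after < today:
        return None
    if cert.subject == cert.issuer:  # self-signed root ends the path
        return [cert]
    for candidate in issuers(cert, store):
        rest = any_valid_path(candidate, store, today)
        if rest:
            return [cert] + rest
    return None
```

With both R3 entries in the store the first-match builder fails, and it succeeds once the expired R3 is removed, which matches the workaround in the message; the exhaustive builder finds the ISRG Root X1 path in both cases.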
