dirmngr: Wrong certificate error?
Patrick Brunschwig
patrick at enigmail.net
Mon Aug 1 21:34:01 CEST 2016
On 01.08.16 17:56, Bernhard Reiter wrote:
> On Saturday, 16 July 2016 15:44:47, Patrick Brunschwig wrote:
>> This gave me the error "TLS connection authentication failed: General
>> error"
>
> | dirmngr[53927.0]: TLS verification of peer failed: The certificate is NOT
> | trusted. The certificate issuer is unknown.
> | dirmngr[53927.0]: TLS verification of peer failed: hostname does not match
>
> seems to come from the code calling GNUTLS.
> Can you do a TLS connection to keys.mailvelope.com
> with gnutls-cli?

It looks like gnutls-cli is not successful (see below). How can the root
certificates be added to gnutls (and dirmngr)?

Error setting the x509 trust file
Resolving 'keys.mailvelope.com:443'...
Connecting to '52.208.40.58:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
- subject `CN=keys.mailvelope.com', issuer `C=US,O=Amazon,OU=Server CA
1B,CN=Amazon', RSA key 2048 bits, signed using RSA-SHA256, activated
`2016-06-07 00:00:00 UTC', expires `2017-07-07 12:00:00 UTC', SHA-1
fingerprint `ca8f102975140402d7a63f4a7133044a52662db4'
Public Key ID:
79229670c9c21919fc91824ff1f5effa4992866f
Public key's random art:
+--[ RSA 2048]----+
| o++ .. |
| ..==oo . |
| o=o=. . |
| .+.. . . |
| + S . . |
| . . + o |
| . + o |
| oE+ . |
| .o.o |
+-----------------+
- Certificate[1] info:
- subject `C=US,O=Amazon,OU=Server CA 1B,CN=Amazon', issuer
`C=US,O=Amazon,CN=Amazon Root CA 1', RSA key 2048 bits, signed using
RSA-SHA256, activated `2015-10-22 00:00:00 UTC', expires `2025-10-19
00:00:00 UTC', SHA-1 fingerprint `917e732d330f9a12404f73d8bea36948b929dffc'
- Certificate[2] info:
- subject `C=US,O=Amazon,CN=Amazon Root CA 1', issuer
`C=US,ST=Arizona,L=Scottsdale,O=Starfield Technologies\,
Inc.,CN=Starfield Services Root Certificate Authority - G2', RSA key
2048 bits, signed using RSA-SHA256, activated `2015-05-25 12:00:00 UTC',
expires `2037-12-31 01:00:00 UTC', SHA-1 fingerprint
`06b25927c42a721631c1efd9431e648fa62e1e39'
- Certificate[3] info:
- subject `C=US,ST=Arizona,L=Scottsdale,O=Starfield Technologies\,
Inc.,CN=Starfield Services Root Certificate Authority - G2', issuer
`C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification
Authority', RSA key 2048 bits, signed using RSA-SHA256, activated
`2009-09-02 00:00:00 UTC', expires `2034-06-28 17:39:16 UTC', SHA-1
fingerprint `9e99a48a9960b14926bb7f3b02e22da2b0ab7280'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
-Patrick
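
Added example, not part of the message above and not GnuPG or GnuTLS code: a small Python parser for the gnutls-cli chain listing that checks each certificate's issuer against the next subject and reports which issuer the server did not send. The sample text is constructed from the output above with key sizes, dates and fingerprints dropped; the function names are hypothetical.

```python
import re

# Constructed sample: subject/issuer fields from the gnutls-cli output in the
# message above, shortened (key sizes, dates and fingerprints dropped).
SAMPLE = r"""Error setting the x509 trust file
- Certificate[0] info:
- subject `CN=keys.mailvelope.com', issuer `C=US,O=Amazon,OU=Server CA
1B,CN=Amazon', RSA key 2048 bits
- Certificate[1] info:
- subject `C=US,O=Amazon,OU=Server CA 1B,CN=Amazon', issuer
`C=US,O=Amazon,CN=Amazon Root CA 1', RSA key 2048 bits
- Certificate[2] info:
- subject `C=US,O=Amazon,CN=Amazon Root CA 1', issuer
`C=US,ST=Arizona,L=Scottsdale,O=Starfield Technologies\,
Inc.,CN=Starfield Services Root Certificate Authority - G2', RSA key
- Certificate[3] info:
- subject `C=US,ST=Arizona,L=Scottsdale,O=Starfield Technologies\,
Inc.,CN=Starfield Services Root Certificate Authority - G2', issuer
`C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification
Authority', RSA key 2048 bits
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
"""

PAIR = re.compile(r"subject `(.*?)', issuer `(.*?)'")

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    flat = " ".join(text.split())  # undo mail/terminal line wrapping
    return PAIR.findall(flat)

def diagnose(text):
    chain = parse_chain(text)
    # A chain is contiguous when each issuer is the next certificate's subject.
    breaks = [i for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]
    top_subject, top_issuer = chain[-1]
    return {
        "trust_file_loaded": "Error setting the x509 trust file" not in text,
        "chain_length": len(chain),
        "broken_links": breaks,
        # If the last certificate is not self-signed, its issuer was not sent:
        # the client must trust that issuer, or one of the sent CA certificates.
        "issuer_not_sent": None if top_subject == top_issuer else top_issuer,
    }

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

On this output it reports that the trust file did not load, that the four certificates link without a gap, and that the last certificate's issuer is the Starfield Class 2 Certification Authority.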