dirmngr: Wrong certificate error?

Patrick Brunschwig patrick at enigmail.net
Mon Aug 1 21:34:01 CEST 2016


On 01.08.16 17:56, Bernhard Reiter wrote:
> Am Samstag, 16. Juli 2016 15:44:47 schrieb Patrick Brunschwig:
>> This gave me the error "TLS connection authentication failed: General
>> error"
> 
> | dirmngr[53927.0]: TLS verification of peer failed: The certificate is NOT  
> | trusted. The certificate issuer is unknown.  
> | dirmngr[53927.0]: TLS verification of peer failed: hostname does not match
> 
> seems to come from the code calling GNUTLS.
> Can you do a TLS connection to keys.mailvelope.com
> with gnutls-cli? 


It looks like gnutls-cli is not successful (see below). How can the root
certificates be added to gnutls (and dirmngr)?

Error setting the x509 trust file
Resolving 'keys.mailvelope.com:443'...
Connecting to '52.208.40.58:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=keys.mailvelope.com', issuer `C=US,O=Amazon,OU=Server CA
1B,CN=Amazon', RSA key 2048 bits, signed using RSA-SHA256, activated
`2016-06-07 00:00:00 UTC', expires `2017-07-07 12:00:00 UTC', SHA-1
fingerprint `ca8f102975140402d7a63f4a7133044a52662db4'
	Public Key ID:
		79229670c9c21919fc91824ff1f5effa4992866f
	Public key's random art:
		+--[ RSA 2048]----+
		|   o++ ..        |
		|  ..==oo .       |
		|   o=o=.  .      |
		|    .+.. . .     |
		|      + S . .    |
		|     . . + o     |
		|        . + o    |
		|         oE+ .   |
		|         .o.o    |
		+-----------------+

- Certificate[1] info:
 - subject `C=US,O=Amazon,OU=Server CA 1B,CN=Amazon', issuer
`C=US,O=Amazon,CN=Amazon Root CA 1', RSA key 2048 bits, signed using
RSA-SHA256, activated `2015-10-22 00:00:00 UTC', expires `2025-10-19
00:00:00 UTC', SHA-1 fingerprint `917e732d330f9a12404f73d8bea36948b929dffc'
- Certificate[2] info:
 - subject `C=US,O=Amazon,CN=Amazon Root CA 1', issuer
`C=US,ST=Arizona,L=Scottsdale,O=Starfield Technologies\,
Inc.,CN=Starfield Services Root Certificate Authority - G2', RSA key
2048 bits, signed using RSA-SHA256, activated `2015-05-25 12:00:00 UTC',
expires `2037-12-31 01:00:00 UTC', SHA-1 fingerprint
`06b25927c42a721631c1efd9431e648fa62e1e39'
- Certificate[3] info:
 - subject `C=US,ST=Arizona,L=Scottsdale,O=Starfield Technologies\,
Inc.,CN=Starfield Services Root Certificate Authority - G2', issuer
`C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification
Authority', RSA key 2048 bits, signed using RSA-SHA256, activated
`2009-09-02 00:00:00 UTC', expires `2034-06-28 17:39:16 UTC', SHA-1
fingerprint `9e99a48a9960b14926bb7f3b02e22da2b0ab7280'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

-Patrick
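The gnutls-cli transcript above actually answers two separate questions, and it helps to separate them. Its very first line, "Error setting the x509 trust file", means gnutls-cli loaded no trust store at all, so every chain would end in "The certificate issuer is unknown" regardless of which CA signed it (pointing gnutls-cli at a CA bundle with its `--x509cafile` option is the quick check; dirmngr has the analogous `hkp-cacert` option for hkps keyservers). The chain the server sent is otherwise continuous: leaf, Amazon Server CA 1B, Amazon Root CA 1, Starfield Services Root Certificate Authority - G2, and that last certificate is not self-signed but cross-signed by Starfield Class 2, so the trust store needs either the G2 root itself or Starfield Class 2 as an anchor. The following script is an added example, not part of the mail or of GnuTLS; it parses the wrapped `Certificate[N] info` records exactly as pasted above, walks the issuer/subject links, and reports what the trust store would have to contain.

```python
"""Walk the certificate chain printed by gnutls-cli and diagnose why
verification failed. Added example; not part of the original mail."""
import re
from dataclasses import dataclass

# Output copied from the message above (the random-art block and the
# "Public Key ID" lines are omitted); subject/issuer text is wrapped across
# lines exactly as in the mail, which the parser has to re-join.
GNUTLS_OUTPUT = r"""Error setting the x509 trust file
Resolving 'keys.mailvelope.com:443'...
Connecting to '52.208.40.58:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=keys.mailvelope.com', issuer `C=US,O=Amazon,OU=Server CA
1B,CN=Amazon', RSA key 2048 bits, signed using RSA-SHA256, activated
`2016-06-07 00:00:00 UTC', expires `2017-07-07 12:00:00 UTC', SHA-1
fingerprint `ca8f102975140402d7a63f4a7133044a52662db4'
- Certificate[1] info:
 - subject `C=US,O=Amazon,OU=Server CA 1B,CN=Amazon', issuer
`C=US,O=Amazon,CN=Amazon Root CA 1', RSA key 2048 bits, signed using
RSA-SHA256, activated `2015-10-22 00:00:00 UTC', expires `2025-10-19
00:00:00 UTC', SHA-1 fingerprint `917e732d330f9a12404f73d8bea36948b929dffc'
- Certificate[2] info:
 - subject `C=US,O=Amazon,CN=Amazon Root CA 1', issuer
`C=US,ST=Arizona,L=Scottsdale,O=Starfield Technologies\,
Inc.,CN=Starfield Services Root Certificate Authority - G2', RSA key
2048 bits, signed using RSA-SHA256, activated `2015-05-25 12:00:00 UTC',
expires `2037-12-31 01:00:00 UTC', SHA-1 fingerprint
`06b25927c42a721631c1efd9431e648fa62e1e39'
- Certificate[3] info:
 - subject `C=US,ST=Arizona,L=Scottsdale,O=Starfield Technologies\,
Inc.,CN=Starfield Services Root Certificate Authority - G2', issuer
`C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification
Authority', RSA key 2048 bits, signed using RSA-SHA256, activated
`2009-09-02 00:00:00 UTC', expires `2034-06-28 17:39:16 UTC', SHA-1
fingerprint `9e99a48a9960b14926bb7f3b02e22da2b0ab7280'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
"""

HEADER = re.compile(r"^- Certificate\[(\d+)\] info:")
DN_RE = re.compile(r"subject `([^']*)', issuer `([^']*)'")


@dataclass
class CertInfo:
    index: int
    subject: str
    issuer: str


def _record(index, lines):
    """Re-join the wrapped lines of one record and pull out the two DNs."""
    m = DN_RE.search(" ".join(lines))
    if m is None:
        raise ValueError(f"certificate[{index}]: no subject/issuer found")
    return CertInfo(index, m.group(1), m.group(2))


def parse_chain(text):
    """Return the certificates in the order the server presented them."""
    certs, index, buf = [], None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                                   # start of the next record
            if index is not None:
                certs.append(_record(index, buf))
            index, buf = int(m.group(1)), []
        elif index is None:
            continue                            # preamble before the chain
        elif line.startswith(("- ", "***")):    # "- Status:" ends the chain
            certs.append(_record(index, buf))
            index = None
        elif line.strip() and not line.startswith("\t"):
            buf.append(line.strip())            # wrapped subject/issuer text
    if index is not None:
        certs.append(_record(index, buf))
    return certs


def diagnose(text):
    """Check chain continuity and separate 'no trust store' from 'unknown CA'."""
    certs = parse_chain(text)
    breaks = [c.index for prev, c in zip(certs, certs[1:]) if prev.issuer != c.subject]
    last = certs[-1]
    status = next((l for l in text.splitlines() if l.startswith("- Status:")), "")
    self_signed = last.subject == last.issuer
    return {
        "depth": len(certs),
        "chain_continuous": not breaks,
        "chain_breaks_at": breaks,
        "last_self_signed": self_signed,
        # A cross-signed last cert can be anchored either by itself or by its issuer.
        "anchor_candidates": [last.subject] if self_signed else [last.subject, last.issuer],
        "trust_store_loaded": "Error setting the x509 trust file" not in text,
        "issuer_unknown": "issuer is unknown" in status,
    }


if __name__ == "__main__":
    for cert in parse_chain(GNUTLS_OUTPUT):
        print(f"[{cert.index}] {cert.subject}\n    issued by {cert.issuer}")
    for key, value in diagnose(GNUTLS_OUTPUT).items():
        print(f"{key}: {value}")
```

Run against the pasted transcript, `diagnose` reports a continuous 4-certificate chain whose last element is cross-signed rather than self-signed, `trust_store_loaded` as False, and `issuer_unknown` as True: the verification failure here is the missing trust file, not a broken chain, so adding the missing bundle is the fix to try before chasing individual root certificates.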


