dirmngr: Wrong certificate error?

Patrick Brunschwig patrick at enigmail.net
Sat Jul 16 15:44:47 CEST 2016 

I tried to use dirmngr (2.1.14) with hkps://keys.mailvelope.com and got
a failure.

I first visited the web page using Firefox, exported the root CA
certificate (Starfield), and copied it into /etc/gnupg/trusted-certs.
Then I run dirmngr from the command line using:

dirmngr <<EOT
keyserver hkps://keys.mailvelope.com
ks_search patrick at enigmail.net
EOT

This gave me the error "TLS connection authentication failed: General error"

I have attached the complete output from dirmngr. I get the impression
that the reverse DNS lookup causes a problem here.

-Patrick

-------------- next part --------------
dirmngr[53927.0]: trusted certificate '/usr/local/gnupg-2.1/etc/gnupg/trusted-certs/StarfieldServicesRootCertificateAuthority-G2.crt' loaded
dirmngr[53927.0]: permanently loaded certificates: 1
dirmngr[53927.0]:     runtime cached certificates: 0
# Home: /Users/pbr/.gnupg
# Config: [none]
OK Dirmngr 2.1.14 at your service
keyserver hkps://keys.mailvelope.com
OK
ks_search test
dirmngr[53927.0]: DNS query returned an error or no records: No such domain (nxdomain)
dirmngr[53927.0]: resolve_dns_addr for 'keys.mailvelope.com': 'ec2-52-30-29-22.eu-west-1.compute.amazonaws.com'
dirmngr[53927.0]: resolve_dns_addr for 'keys.mailvelope.com': 'ec2-52-208-40-58.eu-west-1.compute.amazonaws.com'
dirmngr[53927.0]: TLS verification of peer failed: status=0x0042
dirmngr[53927.0]: TLS verification of peer failed: The certificate is NOT trusted. The certificate issuer is unknown.
dirmngr[53927.0]: TLS verification of peer failed: hostname does not match
dirmngr[53927.0]: DBG: expected hostname: awseb-e-m-AWSEBLoa-DN7KGVOVU5WM-1656017105.eu-west-1.elb.amazonaws.com
dirmngr[53927.0]: DBG: BEGIN Certificate 'server[0]':
dirmngr[53927.0]: DBG:      serial: 0527087BF1E7D0DE11D278EAE063DA46
dirmngr[53927.0]: DBG:   notBefore: 2016-06-07 00:00:00
dirmngr[53927.0]: DBG:    notAfter: 2017-07-07 12:00:00
dirmngr[53927.0]: DBG:      issuer: CN=Amazon,OU=Server CA 1B,O=Amazon,C=US
dirmngr[53927.0]: DBG:     subject: CN=keys.mailvelope.com
dirmngr[53927.0]: DBG:   hash algo: 1.2.840.113549.1.1.11
dirmngr[53927.0]: DBG:   SHA1 fingerprint: CA8F102975140402D7A63F4A7133044A52662DB4
dirmngr[53927.0]: DBG: END Certificate
dirmngr[53927.0]: DBG: BEGIN Certificate 'server[1]':
dirmngr[53927.0]: DBG:      serial: 067F94578587E8AC77DEB253325BBC998B560D
dirmngr[53927.0]: DBG:   notBefore: 2015-10-22 00:00:00
dirmngr[53927.0]: DBG:    notAfter: 2025-10-19 00:00:00
dirmngr[53927.0]: DBG:      issuer: CN=Amazon Root CA 1,O=Amazon,C=US
dirmngr[53927.0]: DBG:     subject: CN=Amazon,OU=Server CA 1B,O=Amazon,C=US
dirmngr[53927.0]: DBG:   hash algo: 1.2.840.113549.1.1.11
dirmngr[53927.0]: DBG:   SHA1 fingerprint: 917E732D330F9A12404F73D8BEA36948B929DFFC
dirmngr[53927.0]: DBG: END Certificate
dirmngr[53927.0]: DBG: BEGIN Certificate 'server[2]':
dirmngr[53927.0]: DBG:      serial: 067F944A2A27CDF3FAC2AE2B01F908EEB9C4C6
dirmngr[53927.0]: DBG:   notBefore: 2015-05-25 12:00:00
dirmngr[53927.0]: DBG:    notAfter: 2037-12-31 01:00:00
dirmngr[53927.0]: DBG:      issuer: CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US
dirmngr[53927.0]: DBG:     subject: CN=Amazon Root CA 1,O=Amazon,C=US
dirmngr[53927.0]: DBG:   hash algo: 1.2.840.113549.1.1.11
dirmngr[53927.0]: DBG:   SHA1 fingerprint: 06B25927C42A721631C1EFD9431E648FA62E1E39
dirmngr[53927.0]: DBG: END Certificate
dirmngr[53927.0]: DBG: BEGIN Certificate 'server[3]':
dirmngr[53927.0]: DBG:      serial: 00A70E4A4C3482B77F
dirmngr[53927.0]: DBG:   notBefore: 2009-09-02 00:00:00
dirmngr[53927.0]: DBG:    notAfter: 2034-06-28 17:39:16
dirmngr[53927.0]: DBG:      issuer: OU=Starfield Class 2 Certification Authority,O=Starfield Technologies\, Inc.,C=US
dirmngr[53927.0]: DBG:     subject: CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US
dirmngr[53927.0]: DBG:   hash algo: 1.2.840.113549.1.1.11
dirmngr[53927.0]: DBG:   SHA1 fingerprint: 9E99A48A9960B14926BB7F3B02E22DA2B0AB7280
dirmngr[53927.0]: DBG: END Certificate
dirmngr[53927.0]: TLS connection authentication failed: General error
dirmngr[53927.0]: error connecting to 'https://ec2-52-208-40-58.eu-west-1.compute.amazonaws.com:443': General error
dirmngr[53927.0]: command 'KS_SEARCH' failed: General error <Unspecified source>
ERR 1 General error <Unspecified source>

More information about the Gnupg-devel mailing list