Gpg4win LetsEncrypt issue

Alex Nadtoka alex.nadtoka at gmail.com
Thu Dec 30 17:26:50 CET 2021


Actually, I just now realized that things are automated on the server.
Certbot+nginx renews SSL certificates every 3 months. And currently the
keyserver uses the latest SSL certificate with automatically set up CA root
certificates. Even if I remove the root certificate from the server, it will be
added again on renewal. Well, again, I have the latest gpg4win with the latest
gnupg and cannot connect to ANY keyserver that uses Let's Encrypt. BUT I can
connect to my keyserver without any issues via GPG Suite for Mac OS and the
simple command line gpg client on my Ubuntu and CentOS servers.
Maybe the issue is indeed a bug in dirmngr? From the command line in Windows
cmd, when I try to connect to the keyserver, the issue is the same.

Pretty weird that I can connect to one keyserver from everywhere except the
Windows tool...
Sorry to bother you... It is just that I am trying to understand the way it
may work from the box OR by adding some parameter to the GnuPG System menu in
the Kleopatra configuration... I understand that previously there was some
issue with Let's Encrypt certificates and it was fixed in gnupg 2.2.32, but I
was using version 2.3.4 and have now tried installing 2.2.32 instead, and still
no luck. The error is the same:

2021-12-30 18:13:16 gpg[17256] DBG: chan_0x00000274 <- ERR 167772261 Certificate expired <Dirmngr>
2021-12-30 18:13:16 gpg[17256] error searching keyserver: Certificate expired
2021-12-30 18:13:16 gpg[17256] keyserver search failed: Certificate expired

Oleksandr

Thu, 30 Dec 2021 at 16:44, Alex Nadtoka <alex.nadtoka at gmail.com> wrote:

> Cool, thanks. Going to test it today.
> Yesterday I also tested with GPG Suite on MacOS - works fine, so it is only
> a Windows issue, I think.
>
> Thu, 30 Dec 2021 at 16:31, Werner Koch via Gnupg-users <
> gnupg-users at gnupg.org> wrote:
>
>> On Wed, 29 Dec 2021 21:33, Andrew Gallagher said:
>>
>> > OK, so you definitely need to solve the root certificate issue.
>>
>> This has been fixed with gnupg 2.2.32 - please get an update.  The
>> workaround is to delete the old LE certificate from your Root CA store.
>>
>>
>> Salam-Shalom,
>>
>>    Werner
>>
>> --
>> Thoughts are free.  Exceptions are regulated by a federal law.