--search-keys: "gpg: error searching keyserver: No inquire callback in IPC"

Rainer Fiebig jrf at mailbox.org
Thu Jul 29 09:41:54 CEST 2021


On 28.07.21 at 21:38, Ingo Klöcker wrote:
> On Wednesday, 28 July 2021 18:38:07 CEST Rainer Fiebig via Gnupg-users wrote:
>> On 28.07.21 at 17:42, Andrew Gallagher wrote:
>>> On 28/07/2021 15:19, Rainer Fiebig via Gnupg-users wrote:
>>>> 2021-07-28 16:06:50 dirmngr[4135.6] Fehler beim Verbinden mit
>>>> 'https://keys.openpgp.org:443': Fehlendes Herausgeberzertifikat in der
>>>> Kette
>>>> 2021-07-28 16:06:50 dirmngr[4135.6] command 'KS_SEARCH' failed:
>>>> Fehlendes Herausgeberzertifikat in der Kette
>>>> 2021-07-28 16:06:50 dirmngr[4135.6] Handhabungsroutine für den fd 6
>>>> beendet
>>>
>>> "Fehlendes Herausgeberzertifikat in der Kette" translates as "Missing
>>> publisher certificate in the chain", is that correct?
>>
>> Correct.
>>
>>> keys.openpgp.org uses LetsEncrypt as their TLS CA. Can you connect to
>>> other keyservers that also use LetsEncrypt? For example, pgpkeys.eu uses
>>> the same intermediate certificate (LetsEncrypt R3) as keys.openpgp.org.
>>
>> This works:
>>
>> ~> gpg --keyserver pgpkeys.eu --search-keys
>> E3FF2839C048B25C084DEBE9B26995E310250568
>> gpg: enabled debug flags: memstat
>> gpg: data source: http://pgpkeys.eu:11371
>> (1)	Łukasz Langa (GPG langa.pl) <lukasz at langa.pl>
>> 	Łukasz Langa <lukasz at edgedb.com>
>> 	Łukasz Langa <lukasz at python.org>
>> 	Łukasz Langa (Work e-mail account) <ambv at fb.com>
>> 	  4096 bit RSA key B26995E310250568, erzeugt: 2015-05-11
>> Keys 1-1 of 1 for "E3FF2839C048B25C084DEBE9B26995E310250568".  Eingabe
>> von Nummern, Nächste (N) oder Abbrechen (Q) >
> 
> Doesn't use TLS. Just plain HTTP.
> 
>> Each of these lines in dirmngr.conf also work:
>> keyserver http://keys2.andreas-puls.de/
>> keyserver http://pgpkeys.eu/
> 
> Ditto. Since your problems seem to be related to TLS it's not really 
> surprising that keyservers not using https work.
> 
At least I now know that such keyservers still exist. ;)

> Does 'gpg --keyserver hkps://pgpkeys.eu --search-keys ...' work for you?
> 
No, same output as reported initially.

> What does 'curl -v https://keys.openpgp.org' say?
> 
~> curl --max-filesize 10000 -v https://keys.openpgp.org
*   Trying 37.218.245.50:443...
* Connected to keys.openpgp.org (37.218.245.50) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: none
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=keys.openpgp.org
*  start date: Jul 26 04:32:08 2021 GMT
*  expire date: Oct 24 04:32:06 2021 GMT
*  subjectAltName: host "keys.openpgp.org" matched cert's "keys.openpgp.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: keys.openpgp.org
> User-Agent: curl/7.77.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.14.2
< Date: Thu, 29 Jul 2021 07:20:26 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 1761
< Connection: keep-alive
< Vary: Accept-Encoding
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Referrer-Policy: no-referrer-when-downgrade
< Content-Security-Policy: default-src 'none'; script-src 'self';
img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self';
frame-ancestors 'none'; base-uri 'none'; form-action 'self'; report-uri
https://keysopenpgporg.report-uri.com/r/d/csp/enforce
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Expect-CT: max-age=31536000,
report-uri="https://keysopenpgporg.report-uri.com/r/d/ct/reportOnly"
< alt-svc:
h2="zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion:443";
ma=86400; persist=1
<
<!doctype html>
[..]

Looks OK to me. The Let's Encrypt certificate is recognized and
verified. Or what do you think?

> Regards,
> Ingo
> 
Thanks for your help!
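The curl run above verified the keys.openpgp.org leaf against a hashed CA directory (CApath: /etc/ssl/certs) with the Let's Encrypt R3 intermediate supplied by the server, while dirmngr reported the issuer certificate as missing from the chain. The script below is an added example, not code from this thread or from GnuPG: it builds a throwaway root -> intermediate -> leaf hierarchy with the openssl command line (names such as "Example Root", "Example R3" and keys.example.test are made up) and shows, offline, what an OpenSSL-based verifier reports when the intermediate is missing from the presented chain, and that the same message appears when the client's own trust store lacks the root. Both conditions look identical from the error text alone, which is why checking a second client such as curl against the same host is a useful triage step.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce a "missing issuer certificate"
# verification failure with a constructed CA hierarchy. All names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: CA certificates must carry CA:TRUE and keyCertSign,
# otherwise the verifier rejects them as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:keys.example.test\n' > "$WORK/leaf.ext"

# 1. Self-signed root: the trust anchor a client keeps in its CA store.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
  -set_serial 1 -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null

# 2. Intermediate signed by the root (stands in for a public CA's "R3").
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example R3" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -days 30 -set_serial 2 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null

# 3. Leaf certificate for the (made-up) keyserver, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=keys.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -days 30 -set_serial 3 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null

# A hashed CA directory in the layout curl reported as "CApath: /etc/ssl/certs":
# OpenSSL looks for <subject-hash>.0 there when it needs an issuer.
mkdir -p "$WORK/certs" "$WORK/empty"
cp "$WORK/root.crt" "$WORK/certs/$(openssl x509 -noout -hash -in "$WORK/root.crt").0"

# Case A: server presents leaf + intermediate, client trusts the root -> OK.
verify_full_chain() {
  openssl verify -no-CAfile -CApath "$WORK/certs" \
    -untrusted "$WORK/int.crt" "$WORK/leaf.crt" 2>&1
}

# Case B: only the leaf is available (server omitted the intermediate, or the
# client dropped it): the issuer cannot be found anywhere -> chain incomplete.
verify_leaf_only() {
  openssl verify -no-CAfile -CApath "$WORK/certs" "$WORK/leaf.crt" 2>&1 || true
}

# Case C: full chain presented, but the client's trust store lacks the root.
# OpenSSL reports the same "unable to get local issuer certificate" as case B.
verify_untrusted_root() {
  openssl verify -no-CAfile -CApath "$WORK/empty" \
    -untrusted "$WORK/int.crt" "$WORK/leaf.crt" 2>&1 || true
}

echo "A: $(verify_full_chain)"
echo "B: $(verify_leaf_only)"
echo "C: $(verify_untrusted_root)"
```

Run it as a plain sh script with openssl on the PATH; case A ends in ": OK", cases B and C both print "unable to get local issuer certificate". When a client reports the issuer as missing, compare what the server actually sends (case B) with what the client's own store contains (case C) before changing either side.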
