Gpg4win LetsEncrypt issue

David Kačerek davidkacerek at gmail.com
Mon Feb 14 21:24:29 CET 2022 

------ Original Message ------
From: "Werner Koch via Gnupg-users" <gnupg-users at gnupg.org>
To:
Sent: 11.01.2022 11:52:00
Subject: Gpg4win LetsEncrypt issue

>For details please see https://dev.gnupg.org/T5639 which was fixed with
>GnuPG 2.2.32 and 2.3.4.
Hello,
I'd say the problem is not fixed in neither GnuPG 2.2.32 nor 2.3.4. At 
least not on Windows 10. Along with Alex Nadtoka & Anze Jesterle, I'm 
another person suffering from the same issue.
If I try to search for some keys on some keyserver not using the Let's 
Encrypt certificate, like hkp(s)://keyserver-01.2ndquadrant.com, there's 
no problem.

If I try to search on hkp://keyserver.ubuntu.com, there's no problem as 
well.

But If I try to search on hkps://keyserver.ubuntu.com or 
hkp(s)://keys.openpgp.org, I'm getting:
C:\Users\David>gpg --keyserver hkps://keyserver.ubuntu.com --search-keys 
opensuse
gpg: error searching keyserver: Certificate expired
gpg: keyserver search failed: Certificate expired
Both keyserver.ubuntu.com and keys.openpgp.org key servers use the LE 
certificate. On a side note, I wonder why hkp://keys.openpgp.org doesn't 
work either since hkp:// protokol works on top of HTTP and not HTTPS, 
but that's another issue.

If I remove the invalid intermediate certificate R3, issued by DST Root 
CA X3, expired on 09/29/2021 from certmgr.msc and then reload dirmngr, 
"certificate expired" error no longer shows in any case.

I've checked I have the new valid intermediate certificate R3, issued by 
ISRG Root X1, expiring on 09/15/2025 present in certmgt.msc and yet in 
such a case dirmngr shows in its log that it still tries the old 
verification path when the invalid R3 cert is installed. I would attach 
the whole log but it's partly in Czech and I don't know how to switch 
the output fully to English since it doesn't work despite setting the 
LC_MESSAGES=C variable.

So to me, it seems that both GnuPG 2.2.32 and 2.3.4 (installed via 
GnuPG4Win 4.0) on Win10 still suffer from the issue. So can we re-open 
the bug report https://dev.gnupg.org/T5639 or 
https://dev.gnupg.org/T5744 or should I create another one?

Thanks,
David K.

More information about the Gnupg-users mailing list