tianon/gosu

GPG Keyserver Error

sigonzal3 opened this issue · 3 comments

Hello,

The keyserver sks-keyservers.net has been down multiple days and has impacted all sorts of open source projects. The website still shows a TLS certificate that has been expired since April 22, 2021.

From INSTALL.md instructions, this is the offending command and current output:

> gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4

gpg: keyserver receive failed: No name

More debugging output:

> curl https://sks-keyservers.net

curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
> openssl s_client -servername sks-keyservers.net -connect sks-keyservers.net:443

CONNECTED(00000005)
depth=1 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:0
depth=1 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:0
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:0
---
Certificate chain
 0 s:/CN=sks-keyservers.net
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/CN=sks-keyservers.net
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6743 bytes and written 349 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: A5C7A2835BB265C3E9947C00C56992D1A9A71703BCDCE487FE70EB9241774622
    Session-ID-ctx: 
    Master-Key: FF57F53BD323073ED41C0CAE60F46BF4A441FA0265B1B9972825E8C9080B667C056D47A7AFB8CAED95D27F0EEA451AF9
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1624999283
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
---

I'm not sure where you're getting ha.pool.sks-keyservers.net from? https://github.com/tianon/gosu/blob/34383f683cf30052ab16c88ed70181cf1a7dcdcf/INSTALL.md refers to hkps://keys.openpgp.org instead. 😕

(and has done so for at least two years now)

Also, FWIW, SKS is not just down, but completely dead with no plans to return:

Update 2021-06-21: Due to even more GDPR takedown requests, the DNS records for the pool will no longer be provided at all.

Hmm, we have an old install in place. I was able to confirm that this command works:

gpg --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4

Working on updating our processes.
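A hardened version of that step, written as an added example for this thread (it is not gosu's INSTALL.md and not code posted by anyone here): it fetches the key from hkps://keys.openpgp.org into a throwaway keyring, refuses to continue unless the fetched key carries the fingerprint quoted in this issue, and then verifies a detached signature. Assumed: gpg is installed, and the file and its .asc signature have already been downloaded to the paths passed to verify_gosu.

```shell
# Added example; assumes gpg is installed. The fingerprint is the one quoted
# in this issue; the keyserver defaults to the one tianon's INSTALL.md names.
GOSU_FPR="B42F6819007F00F88E364FD4036A9C25BF357DD4"
KEYSERVER="${KEYSERVER:-hkps://keys.openpgp.org}"

# Read a `gpg --with-colons` listing on stdin and return 0 only if it contains
# an "fpr" record whose fingerprint (field 10) equals $1. Comparison is
# case-insensitive so a pinned fingerprint may be written either way.
listing_has_fingerprint() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F' | tr -d ' ')
    awk -F: -v want="$want" \
        '$1 == "fpr" && toupper($10) == want { found = 1 } END { exit !found }'
}

# verify_gosu FILE SIGNATURE
# Fetches the pinned key into a fresh, temporary GNUPGHOME so nothing already
# trusted on the host can satisfy the check, confirms the fetched key really
# has the pinned fingerprint, then verifies the detached signature.
verify_gosu() {
    file="$1"; sig="$2"
    GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
    trap 'rm -rf "$GNUPGHOME"' EXIT

    # Fetch by full fingerprint; a short key id would be ambiguous.
    gpg --batch --keyserver "$KEYSERVER" --recv-keys "$GOSU_FPR" || {
        echo "could not fetch $GOSU_FPR from $KEYSERVER" >&2
        return 1
    }

    # Fail closed if the keyserver returned something other than the pinned key.
    gpg --batch --with-colons --fingerprint "$GOSU_FPR" \
        | listing_has_fingerprint "$GOSU_FPR" || {
        echo "key from $KEYSERVER does not carry fingerprint $GOSU_FPR" >&2
        return 1
    }

    # gpg exits non-zero on a bad or missing signature, which propagates here.
    gpg --batch --verify "$sig" "$file"
}
```

Run as `verify_gosu /usr/local/bin/gosu /usr/local/bin/gosu.asc` after downloading both files; a non-zero exit means the key fetch, the fingerprint pin, or the signature check failed.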

Since using hkps://keys.openpgp.org is the best approach for resolving this, feel free to close this PR.

Thanks for the quick response!