Getting expired certificate when attempting to grab public GPG key

This forum is for general conversation and user-user networking.

Moderators: TinCanTech

tomatojuiceneptune
OpenVpn Newbie
Posts: 2
Joined: Wed Dec 29, 2021 11:19 pm

Getting expired certificate when attempting to grab public GPG key

Post by tomatojuiceneptune » Wed Dec 29, 2021 11:29 pm

From: https://openvpn.net/community-resources/sig/


wget -O security-openvpn-net.asc https://keys.openpgp.org/vks/v1/by-fingerprint/F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
--2021-12-29 15:20:56--  https://keys.openpgp.org/vks/v1/by-fingerprint/F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
Resolving keys.openpgp.org (keys.openpgp.org)... 37.218.245.50, 2a00:c6c0:0:154:1::1
Connecting to keys.openpgp.org (keys.openpgp.org)|37.218.245.50|:443... connected.
ERROR: cannot verify keys.openpgp.org's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’:
  Issued certificate has expired.
To connect to keys.openpgp.org insecurely, use `--no-check-certificate'.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Getting expired certificate when attempting to grab public GPG key

Post by TinCanTech » Thu Dec 30, 2021 12:45 am

It works for me:


$ wget -O security-openvpn-net.asc https://keys.openpgp.org/vks/v1/by-fingerprint/F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
--2021-12-30 00:38:21--  https://keys.openpgp.org/vks/v1/by-fingerprint/F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
Resolving keys.openpgp.org (keys.openpgp.org)... 37.218.245.50, 2a00:c6c0:0:154:1::1
Connecting to keys.openpgp.org (keys.openpgp.org)|37.218.245.50|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22962 (22K) [application/pgp-keys]
Saving to: ‘security-openvpn-net.asc’

security-openvpn-net.asc              100%[======================================================================>]  22.42K  --.-KB/s    in 0.001s  

2021-12-30 00:38:21 (21.0 MB/s) - ‘security-openvpn-net.asc’ saved [22962/22962]

gpg: key 12F5F7B42F2B01E7: public key "OpenVPN - Security Mailing List <security@openvpn.net>" imported
gpg: Total number processed: 1
gpg:               imported: 1

tomatojuiceneptune
OpenVpn Newbie
Posts: 2
Joined: Wed Dec 29, 2021 11:19 pm

Re: Getting expired certificate when attempting to grab public GPG key

Post by tomatojuiceneptune » Thu Dec 30, 2021 1:05 am

So strange: if I try to pull from another server it works fine, just not from my local workstation.

I am brand new to OpenVPN, admin-wise.

I have no idea what's going on; if anyone does, please let me know.

-- from problem workstation
openssl s_client -tls1_2 -connect keys.openpgp.org:443 -servername keys.openpgp.org | openssl x509 -text -noout


depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:0a:28:49:3f:fd:08:e2:f9:86:f7:a3:88:47:1d:8a:da:44
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Nov 23 04:32:08 2021 GMT
            Not After : Feb 21 04:32:07 2022 GMT
        Subject: CN=keys.openpgp.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                D7:4C:64:E5:63:3D:27:4B:91:5A:9A:64:14:09:AE:88:F5:AB:31:72
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name:
                DNS:keys.openpgp.org
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

-- from working server


depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = keys.openpgp.org
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:0a:28:49:3f:fd:08:e2:f9:86:f7:a3:88:47:1d:8a:da:44
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Nov 23 04:32:08 2021 GMT
            Not After : Feb 21 04:32:07 2022 GMT
        Subject: CN=keys.openpgp.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                D7:4C:64:E5:63:3D:27:4B:91:5A:9A:64:14:09:AE:88:F5:AB:31:72
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name:
                DNS:keys.openpgp.org
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org


TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Getting expired certificate when attempting to grab public GPG key

Post by TinCanTech » Thu Dec 30, 2021 2:25 am

That is not an OpenVPN certificate.

becm
OpenVPN User
Posts: 38
Joined: Tue Sep 01, 2020 1:27 pm

Re: Getting expired certificate when attempting to grab public GPG key

Post by becm » Sat Jan 01, 2022 4:44 pm

@tomatojuiceneptune the cert store on your "workstation" system is outdated.

Connection to 'keys.openpgp.org' GPG server is affected by DST Root CA X3 Expiration.
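
The difference between the two `openssl s_client` outputs posted above can be read off the verify lines alone. The following is an added example, not part of the thread or of any OpenVPN tooling: a shell function (the name `diagnose_chain` and its result labels are made up here) that classifies those lines, using the verify lines quoted in the thread as sample input.

```shell
#!/bin/sh
# Verify lines copied from the two outputs posted in the thread.
SAMPLE_WORKSTATION='depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT'

SAMPLE_SERVER='depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let'\''s Encrypt, CN = R3
verify return:1
depth=0 CN = keys.openpgp.org
verify return:1'

# Reads s_client verify output on stdin and prints one line:
#   ok root=<CN>                   chain verified; <CN> is the highest depth seen
#   leaf-expired cn=.. notAfter=.. the server certificate itself (depth 0) expired
#   issuer-expired depth=N cn=..   a certificate above the leaf expired, i.e. the
#                                  problem is in the path this client built
#   no-chain-info                  no depth= lines were found
diagnose_chain() {
    awk '
        /^depth=[0-9]+ / {
            depth = $1; sub(/^depth=/, "", depth)
            cn = $0;    sub(/^.*CN ?= ?/, "", cn)
            if (top == "" || depth + 0 > top + 0) { top = depth; root = cn }
            next
        }
        # num=10 is the "certificate has expired" error shown in the thread
        /^verify error:num=10:/ { bad_depth = depth; bad_cn = cn; next }
        /^notAfter=/ && bad_cn != "" && not_after == "" {
            not_after = $0; sub(/^notAfter=/, "", not_after)
        }
        END {
            if (bad_cn == "")
                print (root == "" ? "no-chain-info" : "ok root=" root)
            else if (bad_depth + 0 == 0)
                print "leaf-expired cn=" bad_cn " notAfter=" not_after
            else
                print "issuer-expired depth=" bad_depth " cn=" bad_cn " notAfter=" not_after
        }'
}

# Live use (s_client writes the verify lines to stderr, hence 2>&1):
#   openssl s_client -connect keys.openpgp.org:443 -servername keys.openpgp.org \
#       </dev/null 2>&1 | diagnose_chain
```

An `issuer-expired` result for `DST Root CA X3` alongside a leaf that is still within its validity period is the signature of the outdated trust store described above; the fix is updating the system's CA certificates, not `--no-check-certificate`.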
