Re: Desperately Seeking Kristian - SKS HKPS certificate renewals

From:

Todd Fleisher

Subject:

Date:

Mon, 3 Aug 2020 16:42:23 -0700

I posted a reply noting it’s not clear from the GitHub issue whether they were trying to contact the HKPS pool or trying to access the non-HKPS pool with SSL. In the linked Endeavour thread, Ben mentions:

It appears to be an error with the SSL certificate of pool.sks-keyservers.net. The server is providing a certificate for pgp.ocf.berkeley.edu.
EDIT: The certificate is also expired.

That will never work, because pool.sks-keyservers.net only supports unencrypted connections when using the CNAME. Going to an individual server in the pool and trying to use HKPS/HTTPS (e.g. hkps://pgp.ocf.berkeley.edu) might work on it’s own assuming it has a publicly trusted SSL certificate configured. And unless the OCF keyserver admins had to intervene an manually update it looks like their Lets Encrypt SSL certificate should have been valid 5 days ago when that thread was created as it was minted over a month prior on June 23, 2020.

-T

On Aug 2, 2020, at 22:33, ygrek <ygrek@autistici.org> wrote:

Hi,

there was a report of expired certificate: https://github.com/SKS-Keyserver/sks-keyserver/issues/81

--

signature.asc
Description: Message signed with OpenPGP

[Prev in Thread]

Current Thread

[Next in Thread]

Re: Desperately Seeking Kristian - SKS HKPS certificate renewals, ygrek, 2020/08/03

Re: Desperately Seeking Kristian - SKS HKPS certificate renewals, Todd Fleisher <=