Lab 4.5 - Install rkt - problem with gpg key download

heiko_s

My system: Ubuntu 18.04 server running in a kvm VM (on Linux Mint 20 / Ubuntu 20.04). This is a clean install just for the exercises.

I followed the instructions in lab 4.5 to download and install rkt but it failed to download the gpg key:

heiko@ubuntu:~$ gpg --recv-key 18AD5014C99EF7E3BA5F6CE950BDD3E0FC8A365E
gpg: keyserver receive failed: General error

Checking the logs gives some more clues:

Aug 28 17:31:51 ubuntu dirmngr[9733]: TLS verification of peer failed: status=0x0042
Aug 28 17:31:51 ubuntu dirmngr[9733]: TLS verification of peer failed: The certificate is NOT trusted. The certificate issuer is unknown.
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: expected hostname: hkps.pool.sks-keyservers.net
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: BEGIN Certificate 'server[0]':
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG:      serial: 00A3
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG:   notBefore: 2020-06-25 18:29:41
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG:    notAfter: 2021-06-25 18:29:41
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG:      issuer: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG:     subject: 1.2.840.113549.1.9.1=#746F646440666C6565747374726565746F70732E636F6D,CN=sks.pod02.fleetstreetops.com,OU=Ops,O=Fleet Street Operations\, LLC,ST=Virginia,C=US
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG:         aka: (8:dns-name28:hkps.pool.sks-keyservers.net)
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG:         aka: (8:dns-name25:*.pool.sks-keyservers.net)
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG:         aka: (8:dns-name23:pool.sks-keyservers.net)
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG:         aka: (8:dns-name28:sks.pod02.fleetstreetops.com)
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG:   hash algo: 1.2.840.113549.1.1.11
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG:   SHA1 fingerprint: EA8EC89054D02547862D3F497DFC865F5E1EA80A
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: END Certificate
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: BEGIN Certificate 'server[1]':
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG:      serial: 00AF73C8B4CF9F808F
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG:   notBefore: 2012-10-09 00:33:37
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG:    notAfter: 2022-10-07 00:33:37
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG:      issuer: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG:     subject: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG:   hash algo: 1.2.840.113549.1.1.5
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG:   SHA1 fingerprint: 791B27A38E667F8027814D4E68E7C478A45D5A17
Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: END Certificate
Aug 28 17:31:51 ubuntu dirmngr[9733]: TLS connection authentication failed: General error
Aug 28 17:31:51 ubuntu dirmngr[9733]: error connecting to 'https://hkps.pool.sks-keyservers.net:443': General error
Aug 28 17:31:51 ubuntu dirmngr[9733]: command 'KS_GET' failed: General error <Unspecified source>

The problem seems to be with: "TLS verification of peer failed: The certificate is NOT trusted. The certificate issuer is unknown."

When I tried the same exercise on the Linux Mint 20 (Ubuntu 20.04) host, it worked fine and downloaded the gpg key.

Any explanation or way to make it work? Is there something wrong with the ca certificates in Ubuntu 18.04?

chrispokorni

Hi @heiko_s,

This is an interesting behavior.

The lab exercise was tested on an Ubuntu 18.04 LTS on a GCE VM, and the outputs shown in the lab exercise have been captured from that instance.

This makes me wonder whether the cloud Ubuntu image is configured differently than the official image, at least v18.04 LTS.

Regards,
-Chris

heiko_s

Thanks Chris. Today it's late here but tomorrow I'll spin up another clean Ubuntu 18.04 LTS version, or try one of my installed Ubuntu servers. The heck, I got now 11 Ubuntu 18.04 servers. Should be enough to see if it's an inherent problem.

chrispokorni

Hmm, @heiko_s, are you sure that only 11 servers are enough?

heiko_s

The servers are VMs running on two PCs, and sometimes I use a 3rd PC for labs as well.

I tried gpg --recv-key 18AD5014C99EF7E3BA5F6CE950BDD3E0FC8A365E on another Ubuntu 18.04 server VM but got the same result. Also tried on my Ubuntu 18.04 / Linux Mint 19.3 multimedia server - no luck. Seems that Ubuntu bionic (18.04) doesn't work out of the box. Will try some other distros tomorrow.

chrispokorni

Hi @heiko_s,

I ran the gpg key retrieval step on the same machine used to validate the course lab exercises, and the step produced the error reported above. I am assuming it is related to the archiving phase of the rkt project.
However, I was still able to install rkt by skipping the key retrieval and the signature validation steps.

Regards,
-Chris

toastboy

It may be (I know little about GPG) that what's missing from the key retrieval step is any idea, on a brand new VM, where to find it. Other forums suggest adding "--keyserver pool.sks-keyservers.net":

toastboy70@instance-lfs253-redux ~ $ gpg --recv-key 18AD5014C99EF7E3BA5F6CE950BDD3E0FC8A365E
gpg: keyserver receive failed: General error
toastboy70@instance-lfs253-redux ~ $ gpg --keyserver pool.sks-keyservers.net --recv-key 18AD5014C99EF7E3BA5F6CE950B
DD3E0FC8A365E
gpg: key 50BDD3E0FC8A365E: 10 signatures not checked due to missing keys
gpg: /home/toastboy70/.gnupg/trustdb.gpg: trustdb created
gpg: key 50BDD3E0FC8A365E: public key "CoreOS Application Signing Key security@coreos.com" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1

cristianharbatovschi

I confirm that the previous post resolves the problem:

cristianharba@ubuntu:~$ gpg --keyserver pool.sks-keyservers.net --recv-key 18AD5014C99EF7E3BA5F6CE950BDD3E0FC8A365E
gpg: key 50BDD3E0FC8A365E: 10 signatures not checked due to missing keys
gpg: /home/cristianharba/.gnupg/trustdb.gpg: trustdb created
gpg: key 50BDD3E0FC8A365E: public key "CoreOS Application Signing Key security@coreos.com" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1

guillermotti

Yep, its solved with that. Steps to install rkt which worked for me:

gpg --keyserver pool.sks-keyservers.net --recv-key 18AD5014C99EF7E3BA5F6CE950BDD3E0FC8A365E
wget https://github.com/rkt/rkt/releases/download/v1.30.0/rkt_1.30.0-1_amd64.deb
wget https://github.com/rkt/rkt/releases/download/v1.30.0/rkt_1.30.0-1_amd64.deb.asc
gpg --verify rkt_1.30.0-1_amd64.deb.asc
sudo dpkg -i rkt_1.30.0-1_amd64.deb
rkt version

proliant

It works after adding and changing the keyserver:
$ gpg --keyserver keyserver.ubuntu.com --recv-key 18AD5014C99EF7E3BA5F6CE950BDD3E0FC8A365E
gpg: key 50BDD3E0FC8A365E: 10 signatures not checked due to missing keys
gpg: key 50BDD3E0FC8A365E: public key "CoreOS Application Signing Key security@coreos.com" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1