Welcome to the Linux Foundation Forum!

Lab 4.5 - Install rkt - problem with gpg key download

My system: Ubuntu 18.04 server running in a kvm VM (on Linux Mint 20 / Ubuntu 20.04). This is a clean install just for the exercises.

I followed the instructions in lab 4.5 to download and install rkt but it failed to download the gpg key:

  1. heiko@ubuntu:~$ gpg --recv-key 18AD5014C99EF7E3BA5F6CE950BDD3E0FC8A365E
  2. gpg: keyserver receive failed: General error

Checking the logs gives some more clues:

  1. Aug 28 17:31:51 ubuntu dirmngr[9733]: TLS verification of peer failed: status=0x0042
  2. Aug 28 17:31:51 ubuntu dirmngr[9733]: TLS verification of peer failed: The certificate is NOT trusted. The certificate issuer is unknown.
  3. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: expected hostname: hkps.pool.sks-keyservers.net
  4. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: BEGIN Certificate 'server[0]':
  5. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: serial: 00A3
  6. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: notBefore: 2020-06-25 18:29:41
  7. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: notAfter: 2021-06-25 18:29:41
  8. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: issuer: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
  9. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: subject: 1.2.840.113549.1.9.1=#746F646440666C6565747374726565746F70732E636F6D,CN=sks.pod02.fleetstreetops.com,OU=Ops,O=Fleet Street Operations\, LLC,ST=Virginia,C=US
  10. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: aka: (8:dns-name28:hkps.pool.sks-keyservers.net)
  11. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: aka: (8:dns-name25:*.pool.sks-keyservers.net)
  12. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: aka: (8:dns-name23:pool.sks-keyservers.net)
  13. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: aka: (8:dns-name28:sks.pod02.fleetstreetops.com)
  14. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: hash algo: 1.2.840.113549.1.1.11
  15. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: SHA1 fingerprint: EA8EC89054D02547862D3F497DFC865F5E1EA80A
  16. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: END Certificate
  17. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: BEGIN Certificate 'server[1]':
  18. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: serial: 00AF73C8B4CF9F808F
  19. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: notBefore: 2012-10-09 00:33:37
  20. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: notAfter: 2022-10-07 00:33:37
  21. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: issuer: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
  22. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: subject: CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
  23. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: hash algo: 1.2.840.113549.1.1.5
  24. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: SHA1 fingerprint: 791B27A38E667F8027814D4E68E7C478A45D5A17
  25. Aug 28 17:31:51 ubuntu dirmngr[9733]: DBG: END Certificate
  26. Aug 28 17:31:51 ubuntu dirmngr[9733]: TLS connection authentication failed: General error
  27. Aug 28 17:31:51 ubuntu dirmngr[9733]: error connecting to 'https://hkps.pool.sks-keyservers.net:443': General error
  28. Aug 28 17:31:51 ubuntu dirmngr[9733]: command 'KS_GET' failed: General error <Unspecified source>
  29.  

The problem seems to be with: "TLS verification of peer failed: The certificate is NOT trusted. The certificate issuer is unknown."

When I tried the same exercise on the Linux Mint 20 (Ubuntu 20.04) host, it worked fine and downloaded the gpg key.

Any explanation or way to make it work? Is there something wrong with the ca certificates in Ubuntu 18.04?

Welcome!

It looks like you're new here. Sign in or register to get started.
Sign In

Comments

  • Posts: 2,443

    Hi @heiko_s,

    This is an interesting behavior.

    The lab exercise was tested on an Ubuntu 18.04 LTS on a GCE VM, and the outputs shown in the lab exercise have been captured from that instance.

    This makes me wonder whether the cloud Ubuntu image is configured differently than the official image, at least v18.04 LTS.

    Regards,
    -Chris

  • Posts: 99

    Thanks Chris. Today it's late here but tomorrow I'll spin up another clean Ubuntu 18.04 LTS version, or try one of my installed Ubuntu servers. The heck, I got now 11 Ubuntu 18.04 servers. Should be enough to see if it's an inherent problem.

  • Posts: 2,443

    Hmm, @heiko_s, are you sure that only 11 servers are enough? :D

  • Posts: 99

    The servers are VMs running on two PCs, and sometimes I use a 3rd PC for labs as well.

    I tried gpg --recv-key 18AD5014C99EF7E3BA5F6CE950BDD3E0FC8A365E on another Ubuntu 18.04 server VM but got the same result. Also tried on my Ubuntu 18.04 / Linux Mint 19.3 multimedia server - no luck. Seems that Ubuntu bionic (18.04) doesn't work out of the box. Will try some other distros tomorrow.

  • Hi @heiko_s,

    I ran the gpg key retrieval step on the same machine used to validate the course lab exercises, and the step produced the error reported above. I am assuming it is related to the archiving phase of the rkt project.
    However, I was still able to install rkt by skipping the key retrieval and the signature validation steps.

    Regards,
    -Chris

  • It may be (I know little about GPG) that what's missing from the key retrieval step is any idea, on a brand new VM, where to find it. Other forums suggest adding "--keyserver pool.sks-keyservers.net":

    toastboy70@instance-lfs253-redux ~ $ gpg --recv-key 18AD5014C99EF7E3BA5F6CE950BDD3E0FC8A365E
    gpg: keyserver receive failed: General error
    toastboy70@instance-lfs253-redux ~ $ gpg --keyserver pool.sks-keyservers.net --recv-key 18AD5014C99EF7E3BA5F6CE950B
    DD3E0FC8A365E
    gpg: key 50BDD3E0FC8A365E: 10 signatures not checked due to missing keys
    gpg: /home/toastboy70/.gnupg/trustdb.gpg: trustdb created
    gpg: key 50BDD3E0FC8A365E: public key "CoreOS Application Signing Key security@coreos.com" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg: imported: 1

  • I confirm that the previous post resolves the problem:

    cristianharba@ubuntu:~$ gpg --keyserver pool.sks-keyservers.net --recv-key 18AD5014C99EF7E3BA5F6CE950BDD3E0FC8A365E
    gpg: key 50BDD3E0FC8A365E: 10 signatures not checked due to missing keys
    gpg: /home/cristianharba/.gnupg/trustdb.gpg: trustdb created
    gpg: key 50BDD3E0FC8A365E: public key "CoreOS Application Signing Key security@coreos.com" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg: imported: 1

  • Yep, its solved with that. Steps to install rkt which worked for me:

    gpg --keyserver pool.sks-keyservers.net --recv-key 18AD5014C99EF7E3BA5F6CE950BDD3E0FC8A365E
    wget https://github.com/rkt/rkt/releases/download/v1.30.0/rkt_1.30.0-1_amd64.deb
    wget https://github.com/rkt/rkt/releases/download/v1.30.0/rkt_1.30.0-1_amd64.deb.asc
    gpg --verify rkt_1.30.0-1_amd64.deb.asc
    sudo dpkg -i rkt_1.30.0-1_amd64.deb
    rkt version

  • Posts: 10

    It works after adding and changing the keyserver:
    $ gpg --keyserver keyserver.ubuntu.com --recv-key 18AD5014C99EF7E3BA5F6CE950BDD3E0FC8A365E
    gpg: key 50BDD3E0FC8A365E: 10 signatures not checked due to missing keys
    gpg: key 50BDD3E0FC8A365E: public key "CoreOS Application Signing Key security@coreos.com" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg: imported: 1

Welcome!

It looks like you're new here. Sign in or register to get started.
Sign In

Welcome!

It looks like you're new here. Sign in or register to get started.
Sign In

Categories

Upcoming Training