Hi, found the source of the issue. TL;DR run this:
Root cause
add-apt-repository uses gpg for key verification. Running that part manually with gpg debug enabled yielded this:
aindrea@aindrea-moixa:~$ gpg --debug-level guru --keyserver hkps://keyserver.ubuntu.com:443 --recv-keys 0x82D96E430A1F1C0F0502747E37B90EDD4E3EFAE4
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_3 <- # Home: /home/aindrea/.gnupg
gpg: DBG: chan_3 <- # Config: /home/aindrea/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.2.19 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.2.19
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KEYSERVER --clear hkps://keyserver.ubuntu.com:443
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KS_GET -- 0x82D96E430A1F1C0F0502747E37B90EDD4E3EFAE4
gpg: DBG: chan_3 <- ERR 1 General error <Unspecified source>
gpg: keyserver receive failed: General error
gpg: DBG: chan_3 -> BYE
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg: build=0 update=0 insert=0 delete=0
gpg: reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks
Looks like something is upsetting dirmngr. Let's try talking to it directly:
aindrea@abell-moixa:~$ dirmngr
dirmngr[35554]: No ldapserver file at: '/home/aindrea/.gnupg/dirmngr_ldapservers.conf'
dirmngr[35554.0]: permanently loaded certificates: 130
dirmngr[35554.0]: runtime cached certificates: 0
dirmngr[35554.0]: trusted certificates: 130 (129,0,0,1)
# Home: /home/aindrea/.gnupg
# Config: [none]
OK Dirmngr 2.2.19 at your service
GETINFO version
D 2.2.19
OK
KEYSERVER --clear hkps://keyserver.ubuntu.com:443
OK
KS_GET -- 0x82D96E430A1F1C0F0502747E37B90EDD4E3EFAE4
dirmngr[35554.0]: resolve_dns_addr for 'keyserver.ubuntu.com': '162.213.33.9'
dirmngr[35554.0]: resolve_dns_addr for 'keyserver.ubuntu.com': '162.213.33.8'
dirmngr[35554.0]: number of system provided CAs: 129
dirmngr[35554.0]: TLS verification of peer failed: status=0x0402
dirmngr[35554.0]: TLS verification of peer failed: The certificate is NOT trusted. The certificate chain uses expired certificate.
dirmngr[35554.0]: DBG: expected hostname: keyserver.ubuntu.com
dirmngr[35554.0]: DBG: BEGIN Certificate 'server[0]':
dirmngr[35554.0]: DBG: serial: 045A9A2C575C05DA4F1C484839E098D2C524
dirmngr[35554.0]: DBG: notBefore: 2021-10-10 03:20:36
dirmngr[35554.0]: DBG: notAfter: 2022-01-08 03:20:35
dirmngr[35554.0]: DBG: issuer: CN=R3,O=Let's Encrypt,C=US
dirmngr[35554.0]: DBG: subject: CN=hockeypuck.ubuntu.com
dirmngr[35554.0]: DBG: aka: (8:dns-name21:hockeypuck.ubuntu.com)
dirmngr[35554.0]: DBG: aka: (8:dns-name20:keyserver.ubuntu.com)
dirmngr[35554.0]: DBG: hash algo: 1.2.840.113549.1.1.11
dirmngr[35554.0]: DBG: SHA1 fingerprint: C7004BF70F09860B558F2608E4C1862EB361F35E
dirmngr[35554.0]: DBG: END Certificate
dirmngr[35554.0]: DBG: BEGIN Certificate 'server[1]':
dirmngr[35554.0]: DBG: serial: 00912B084ACF0C18A753F6D62E25A75F5A
dirmngr[35554.0]: DBG: notBefore: 2020-09-04 00:00:00
dirmngr[35554.0]: DBG: notAfter: 2025-09-15 16:00:00
dirmngr[35554.0]: DBG: issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
dirmngr[35554.0]: DBG: subject: CN=R3,O=Let's Encrypt,C=US
dirmngr[35554.0]: DBG: hash algo: 1.2.840.113549.1.1.11
dirmngr[35554.0]: DBG: SHA1 fingerprint: A053375BFE84E8B748782C7CEE15827A6AF5A405
dirmngr[35554.0]: DBG: END Certificate
dirmngr[35554.0]: DBG: BEGIN Certificate 'server[2]':
dirmngr[35554.0]: DBG: serial: 4001772137D4E942B8EE76AA3C640AB7
dirmngr[35554.0]: DBG: notBefore: 2021-01-20 19:14:03
dirmngr[35554.0]: DBG: notAfter: 2024-09-30 18:14:03
dirmngr[35554.0]: DBG: issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
dirmngr[35554.0]: DBG: subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
dirmngr[35554.0]: DBG: hash algo: 1.2.840.113549.1.1.11
dirmngr[35554.0]: DBG: SHA1 fingerprint: 933C6DDEE95C9C41A40F9F50493D82BE03AD87BF
dirmngr[35554.0]: DBG: END Certificate
dirmngr[35554.0]: TLS connection authentication failed: General error
dirmngr[35554.0]: error connecting to 'https://162.213.33.9:443': General error
dirmngr[35554.0]: command 'KS_GET' failed: General error <Unspecified source>
ERR 1 General error <Unspecified source>
In particular this line:
dirmngr[35554.0]: TLS verification of peer failed: The certificate is NOT trusted. The certificate chain uses expired certificate.
Looks like our certificates are out of date. Updating the ca-certificates fixes this (see command at top of my post).
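An added example, not part of the original post: a small Python parser for the "DBG: BEGIN Certificate" blocks that dirmngr printed above. It reports which dumped certificates fall outside their validity window at a chosen reference time, and which issuer is not in the dump and so has to come from the local CA store. The function names and the reference date are assumptions of this example.

```python
import re
from datetime import datetime

# Certificate fields copied from the dirmngr debug output in the post (trimmed).
SAMPLE = """\
dirmngr[35554.0]: DBG: BEGIN Certificate 'server[0]':
dirmngr[35554.0]: DBG: notBefore: 2021-10-10 03:20:36
dirmngr[35554.0]: DBG: notAfter: 2022-01-08 03:20:35
dirmngr[35554.0]: DBG: issuer: CN=R3,O=Let's Encrypt,C=US
dirmngr[35554.0]: DBG: subject: CN=hockeypuck.ubuntu.com
dirmngr[35554.0]: DBG: BEGIN Certificate 'server[1]':
dirmngr[35554.0]: DBG: notBefore: 2020-09-04 00:00:00
dirmngr[35554.0]: DBG: notAfter: 2025-09-15 16:00:00
dirmngr[35554.0]: DBG: issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
dirmngr[35554.0]: DBG: subject: CN=R3,O=Let's Encrypt,C=US
dirmngr[35554.0]: DBG: BEGIN Certificate 'server[2]':
dirmngr[35554.0]: DBG: notBefore: 2021-01-20 19:14:03
dirmngr[35554.0]: DBG: notAfter: 2024-09-30 18:14:03
dirmngr[35554.0]: DBG: issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
dirmngr[35554.0]: DBG: subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
"""
FIELD = re.compile(r"DBG: (BEGIN Certificate|notBefore|notAfter|issuer|subject):? (.*)$")

def parse_chain(log):
    """Return one dict per certificate block, in the order dirmngr printed them."""
    chain = []
    for line in log.splitlines():
        m = FIELD.search(line)
        if not m:
            continue  # aka, serial, fingerprint and non-certificate lines are ignored
        key, value = m.group(1), m.group(2).strip()
        if key == "BEGIN Certificate":
            chain.append({"label": value.strip("':")})
        elif chain:
            is_date = key.startswith("not")  # timestamps are compared as naive values
            chain[-1][key] = datetime.strptime(value, "%Y-%m-%d %H:%M:%S") if is_date else value
    return chain

def audit(chain, now):
    """Return (validity findings, issuers whose own certificate is not in the dump)."""
    findings = [(c["label"], "expired") for c in chain if now > c["notAfter"]]
    findings += [(c["label"], "not yet valid") for c in chain if now < c["notBefore"]]
    subjects = {c["subject"] for c in chain}
    external = [c["issuer"] for c in chain if c["issuer"] not in subjects]
    return findings, external

if __name__ == "__main__":
    # Reference time is an assumption; the post does not say when the log was captured.
    print(audit(parse_chain(SAMPLE), datetime(2021, 12, 1)))
```

With the assumed reference date of 2021-12-01, none of the three dumped certificates is outside its validity window, and the only issuer not in the dump is CN=DST Root CA X3, which points the check at the local ca-certificates store.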