Keyserver Failure

I installed gpg4win version 5.0.2. Also tried an earlier version, 4.4.1, after uninstalling 5.0.2.

C:\Program Files (x86)\GnuPG\bin>gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
gpg: error retrieving ‘torbrowser@torproject.org’ via WKD: Server indicated a failure
gpg: error reading key: Server indicated a failure

I set the keyserver to keys.openpgp.org in dirmngr.conf

I also tried other key servers. Same failure.

If I go to https://keys.openpgp.org and search ‘torbrowser@torproject.org’ - that works. It only fails on the commandline, and subsequently kleopatra ofc.

Is there a magic port number or something I am missing? Is there a Windows service gpg relies on?

I did notice the 3 GnuPG daemons are 32 bit. Same for the net access daemon. But that shouldn’t matter, right?

Windows 10

Hi @YouYouSeeP and welcome to the forum!

If you use the option --auto-key-locate nodefault,wkd you explicitly tell GnuPG not to contact any keyserver but only use WKD to fetch a key. If you want to include keyservers you have to add it to the parameters like this --auto-key-locate nodefault,wkd,keyserver.

Hi @cklassen and thank you.

Adding ‘keyserver’ to MECHANISMS still produces the same errors, +1

>gpg --auto-key-locate nodefault,wkd,keyserver --locate-keys torbrowser@torproject.org
gpg: error retrieving ‘torbrowser@torproject.org’ via WKD: Server indicated a failure
gpg: error retrieving ‘torbrowser@torproject.org’ via keyserver: Server indicated a failure
gpg: error reading key: Server indicated a failure

Here’s my keyserver entry in dirmngr.conf..

keyserver hkps://keys.openpgp.org

That command works here with Gpg4win 5.0.2 without configuring any keyserver, via WKD. And the variant with keyserver works, too. As a lot of projects have problems due to crawlers, I suspect your IP might be blocked by both servers, the WKD server from the TOR project and the keyserver keys.openpgp.org. Please inquire there if you repeatedly have no success contacting the servers.


hi eebb,

I will inquire, but wouldn’t my request through the browser with the same IP be blocked as well?

Here is the response I get through the browser:

We found an entry for torbrowser@torproject.org.

h**ps://keys.openpgp.org/vks/v1/by-fingerprint/EF6E286DDA85EA2A4BA7DE684E2C6E8793298290

When you add a -v you get more information about what happens when you run that command:

gpg -v --dry-run --auto-key-locate nodefault,wkd,keyserver --locate-keys torbrowser@torproject.org

Do you see anything suspicious?

I had already tried that. Initial run looks for the dirmngr daemon. After that, just the errors.

% gpg -v --dry-run --auto-key-locate nodefault,wkd,keyserver --locate-keys torbrowser@torproject.org
gpg: enabled compatibility flags:
gpg: using pgp trust model
gpg: no running dirmngr - starting ‘C:\Program Files (x86)\GnuPG\bin\dirmngr.exe’
gpg: waiting for the dirmngr to come up … (8s)
gpg: connection to the dirmngr established
gpg: error retrieving ‘torbrowser@torproject.org’ via WKD: Server indicated a failure
gpg: error retrieving ‘torbrowser@torproject.org’ via keyserver: Server indicated a failure
gpg: error reading key: Server indicated a failure

UPDATE:

I had help from a gentleman in Europe. He was able to look at the logs at pgpkeys.eu and saw my http request, but not the commandline request.

I fired up an old Mac and installed GnuPG. The lookup there works fine from the shell.

This is definitely a problem on the Win10 machine and only from the commandline.

Strange. I am investigating further, and still open to suggestions.


Did you try it with the “normal” terminal or the PowerShell? Maybe you could try it with the other one and check if there is a difference.

Yes, I tried normal cmd, cmd run as admin, and the PowerShell. Same result.

I uninstalled the older version and re-installed 5.0.2

% gpg --auto-key-locate nodefault,wkd,keyserver --locate-keys torbrowser@torproject.org
gpg: error retrieving ‘torbrowser@torproject.org’ via WKD: Server indicated a failure
gpg: error retrieving ‘torbrowser@torproject.org’ via keyserver: Server indicated a failure
gpg: error reading key: Server indicated a failure

I set the keyserver to pgpkeys.eu (I also tried keys.openpgp.org)

I suspect the requests are not leaving the machine if the logs are showing no contact. There’s nothing in my firewall blocking outbound requests. It does not seem to be a permissions problem.

Still looking..

Next thing you can try is to get the log of the dirmngr. The long version of this instruction is located at TroubleShooting/DebugWithDirmngr - GnuPG wiki.

First, check if there is a file called dirmngr.conf in C:/Users/your_user_name/AppData/Roaming/gnupg/. If not create one. Then write the following content into it:

verbose
debug dns,network,lookup
log-file C:/Users/your_user_name/Desktop/dirmngr.log

(Of course you can choose a different path for log-file.)

Then stop the dirmngr with dirmngr --shutdown and start it with dirmngr --daemon. Then run the command to fetch the key again and look into the log file. Can you find something that might help to understand the problem?

BTW: It helps if you format the console output different with code formatting: Posting code or preformatted text - Using Discourse - Discourse Meta :slight_smile:

dirmngr.conf:  keyserver hkps://pgpkeys.eu

% gpg --auto-key-locate nodefault,wkd,keyserver --locate-keys torbrowser@torproject.org
gpg: error retrieving 'torbrowser@torproject.org' via WKD: Server indicated a failure
gpg: error retrieving 'torbrowser@torproject.org' via keyserver: Server indicated a failure
gpg: error reading key: Server indicated a failure

logfile:
-----
2026-04-22 07:12:47 dirmngr[2396] listening on socket 'C:\Users\user\AppData\Local\gnupg\S.dirmngr'
2026-04-22 07:12:47 dirmngr[2396] error loading certificate 'ROOT': Certificate expired
... above line repeated 14 more times...
2026-04-22 07:12:47 dirmngr[2396] error loading certificate 'CA': Certificate expired
... above line repeated 2 more times...
2026-04-22 07:12:47 dirmngr[2396] permanently loaded certificates: 63
2026-04-22 07:12:47 dirmngr[2396]     runtime cached certificates: 0
2026-04-22 07:12:47 dirmngr[2396]            trusted certificates: 63 (63,0,0,0)
2026-04-22 07:13:00 dirmngr[2396] handler for fd 680 started
2026-04-22 07:13:00 dirmngr[2396] DBG: dns: libdns initialized (tor mode)
2026-04-22 07:13:20 dirmngr[2396] DBG: dns: resolve_dns_name(openpgpkey.torproject.org): Server indicated a failure
2026-04-22 07:13:20 dirmngr[2396] DBG: dns: libdns initialized (tor mode)
2026-04-22 07:13:30 dirmngr[2396] DBG: dns: getsrv(_openpgpkey._tcp.torproject.org): Server indicated a failure
2026-04-22 07:13:30 dirmngr[2396] DBG: Using TLS library: NTBTLS 0.3.2
2026-04-22 07:13:30 dirmngr[2396] DBG: check_inet_support:  family: 23
2026-04-22 07:13:30 dirmngr[2396] DBG: check_inet_support:     addr: ::1
2026-04-22 07:13:30 dirmngr[2396] DBG: check_inet_support:  family: 2
2026-04-22 07:13:30 dirmngr[2396] DBG: check_inet_support:     addr: [ MY LOCAL IP ]
2026-04-22 07:13:30 dirmngr[2396] detected interfaces: IPv4
2026-04-22 07:13:30 dirmngr[2396] DBG: http.c:connect_server: trying name='torproject.org' port=443
2026-04-22 07:13:50 dirmngr[2396] DBG: dns: resolve_dns_name(torproject.org): Server indicated a failure
2026-04-22 07:13:50 dirmngr[2396] resolving 'torproject.org' failed: Server indicated a failure
2026-04-22 07:13:50 dirmngr[2396] can't connect to 'torproject.org': host not found
2026-04-22 07:13:50 dirmngr[2396] error connecting to 'https://torproject.org/.well-known/openpgpkey/hu/kounek7zrdx745qydx6p59t9mqjpuhdf?l=torbrowser': Server indicated a failure
2026-04-22 07:13:50 dirmngr[2396] command 'WKD_GET' failed: Server indicated a failure
2026-04-22 07:14:02 dirmngr[2396] DBG: dns: getsrv(_pgpkey-https._tcp.pgpkeys.eu): Server indicated a failure
2026-04-22 07:14:02 dirmngr[2396] command 'KS_GET' failed: Server indicated a failure <Unspecified source>
2026-04-22 07:14:02 dirmngr[2396] handler for fd 680 terminated
-----

% nslookup openpgpkey.torproject.org
Non-authoritative answer:
Name:    static.torproject.org
Addresses:  2620:7:6002:0:466:39ff:fe32:e3dd
          2620:7:6002:0:466:39ff:fe7f:1826
          2a01:4f8:fff0:4f:266:37ff:fe2c:5d19
          2a01:4f8:fff0:4f:266:37ff:feae:3bbc
          2a01:4f9:c010:19eb::1
          95.216.163.36
          116.202.120.165
          116.202.120.166
          204.8.99.144
          204.8.99.146
Aliases:  openpgpkey.torproject.org

% nslookup torproject.org
Non-authoritative answer:
Name:    torproject.org
Addresses:  2620:7:6002:0:466:39ff:fe32:e3dd
          2620:7:6002:0:466:39ff:fe7f:1826
          2a01:4f8:fff0:4f:266:37ff:fe2c:5d19
          2a01:4f8:fff0:4f:266:37ff:feae:3bbc
          2a01:4f9:c010:19eb::1
          95.216.163.36
          116.202.120.165
          116.202.120.166
          204.8.99.144
          204.8.99.146

primary dns is cloudflare: 1.1.1.1

The only things that stand out to my untrained eyes, are the failure to resolve torproject.org, and the Unspecified source for the keyserver. But I don’t know what might cause those.

For the record, I’ve not seen a successful log file to compare to.

This is what it looks like on my site:

2026-04-22 16:33:34 dirmngr[20040.0] error loading certificate '/etc/ssl/certs/ca-certificates.crt': Certificate expired
2026-04-22 16:33:34 dirmngr[20040.0] error loading certificate '/etc/ssl/certs/ca-certificates.crt': Certificate expired
2026-04-22 16:33:34 dirmngr[20040.0] permanently loaded certificates: 144
2026-04-22 16:33:34 dirmngr[20040.0]     runtime cached certificates: 0
2026-04-22 16:33:34 dirmngr[20040.0]            trusted certificates: 144 (144,0,0,0)
2026-04-22 16:33:37 dirmngr[20040.6] handler for fd 6 started
2026-04-22 16:33:37 dirmngr[20040.6] connection from process 20043 (1000:1000)
2026-04-22 16:33:37 dirmngr[20040.6] DBG: dns: libdns initialized (tor mode)
2026-04-22 16:33:38 dirmngr[20040.6] DBG: dns: resolve_dns_name(openpgpkey.torproject.org): Success
2026-04-22 16:33:38 dirmngr[20040.6] number of system provided CAs: 146
2026-04-22 16:33:38 dirmngr[20040.6] DBG: Using TLS library: GNUTLS 3.8.3
2026-04-22 16:33:38 dirmngr[20040.6] detected interfaces: IPv4 IPv6
2026-04-22 16:33:38 dirmngr[20040.6] DBG: http.c:connect_server: trying name='openpgpkey.torproject.org' port=443
2026-04-22 16:33:38 dirmngr[20040.6] DBG: dns: libdns initialized (tor mode)
2026-04-22 16:33:39 dirmngr[20040.6] DBG: dns: resolve_dns_name(openpgpkey.torproject.org): Success
2026-04-22 16:33:39 dirmngr[20040.6] DBG: http.c:2899:socket_new: object 0x00007a50803b5890 for fd 7 created
2026-04-22 16:33:39 dirmngr[20040.6] DBG: http.c:request:
2026-04-22 16:33:39 dirmngr[20040.6] DBG: >> GET /.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf?l=torbrowser HTTP/1.0\r\n
2026-04-22 16:33:39 dirmngr[20040.6] DBG: >> Host: openpgpkey.torproject.org\r\n
2026-04-22 16:33:39 dirmngr[20040.6] DBG: http.c:request-header:start_data:
2026-04-22 16:33:39 dirmngr[20040.6] DBG: http.c:response:
2026-04-22 16:33:39 dirmngr[20040.6] DBG: >> HTTP/1.1 200 OK\r\n
2026-04-22 16:33:39 dirmngr[20040.6] http.c:RESP: 'Date: Wed, 22 Apr 2026 14:33:39 GMT'
2026-04-22 16:33:39 dirmngr[20040.6] http.c:RESP: 'Server: Apache'
2026-04-22 16:33:39 dirmngr[20040.6] http.c:RESP: 'X-Content-Type-Options: nosniff'
2026-04-22 16:33:39 dirmngr[20040.6] http.c:RESP: 'X-Frame-Options: sameorigin'
2026-04-22 16:33:39 dirmngr[20040.6] http.c:RESP: 'X-Xss-Protection: 1'
2026-04-22 16:33:39 dirmngr[20040.6] http.c:RESP: 'Referrer-Policy: no-referrer'
2026-04-22 16:33:39 dirmngr[20040.6] http.c:RESP: 'Strict-Transport-Security: max-age=15768000; preload'
2026-04-22 16:33:39 dirmngr[20040.6] http.c:RESP: 'Onion-Location: http://2yldcptk56shc7lwieozoglw3t5ghty7m6mf2faysvfnzccqavbu2mad.onion/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf'
2026-04-22 16:33:39 dirmngr[20040.6] http.c:RESP: 'Last-Modified: Tue, 31 Mar 2026 17:03:29 GMT'
2026-04-22 16:33:39 dirmngr[20040.6] http.c:RESP: 'ETag: "1a25-64e54f252d67b"'
2026-04-22 16:33:39 dirmngr[20040.6] http.c:RESP: 'Accept-Ranges: bytes'
2026-04-22 16:33:39 dirmngr[20040.6] http.c:RESP: 'Content-Length: 6693'
2026-04-22 16:33:39 dirmngr[20040.6] http.c:RESP: 'Connection: close'
2026-04-22 16:33:39 dirmngr[20040.6] http.c:RESP: ''
2026-04-22 16:33:40 dirmngr[20040.6] DBG: dns: getsrv(_pgpkey-https._tcp.pgpkeys.eu) -> 0 records
2026-04-22 16:33:41 dirmngr[20040.6] DBG: dns: resolve_dns_name(pgpkeys.eu): Success
2026-04-22 16:33:41 dirmngr[20040.6] resolve_dns_addr for 'pgpkeys.eu': 'pgpkeys.eu' [already known]
2026-04-22 16:33:41 dirmngr[20040.6] resolve_dns_addr for 'pgpkeys.eu': 'pgpkeys.eu' [already known]
2026-04-22 16:33:41 dirmngr[20040.6] DBG: Using TLS library: GNUTLS 3.8.3
2026-04-22 16:33:41 dirmngr[20040.6] DBG: http.c:connect_server: trying name='pgpkeys.eu' port=443
2026-04-22 16:33:42 dirmngr[20040.6] DBG: dns: resolve_dns_name(pgpkeys.eu): Success
2026-04-22 16:33:43 dirmngr[20040.6] DBG: http.c:2899:socket_new: object 0x00007a50800977b0 for fd 7 created
2026-04-22 16:33:43 dirmngr[20040.6] DBG: http.c:request:
2026-04-22 16:33:43 dirmngr[20040.6] DBG: >> GET /pks/lookup?op=get&options=mr&search=torbrowser@torproject.org&exact=on HTTP/1.0\r\n
2026-04-22 16:33:43 dirmngr[20040.6] DBG: >> Host: pgpkeys.eu\r\n
2026-04-22 16:33:43 dirmngr[20040.6] DBG: http.c:request-header:start_data:
2026-04-22 16:33:43 dirmngr[20040.6] DBG: http.c:response:
2026-04-22 16:33:43 dirmngr[20040.6] DBG: >> HTTP/1.1 200 OK\r\n
2026-04-22 16:33:43 dirmngr[20040.6] http.c:RESP: 'Date: Wed, 22 Apr 2026 14:33:43 GMT'
2026-04-22 16:33:43 dirmngr[20040.6] http.c:RESP: 'Server: Hockeypuck/2.3.2'
2026-04-22 16:33:43 dirmngr[20040.6] http.c:RESP: 'access-control-allow-origin: *'
2026-04-22 16:33:43 dirmngr[20040.6] http.c:RESP: 'content-type: application/pgp-keys'
2026-04-22 16:33:43 dirmngr[20040.6] http.c:RESP: 'via: 1.1 pgpkeys.eu (Hockey stick)'
2026-04-22 16:33:43 dirmngr[20040.6] http.c:RESP: 'Connection: close'
2026-04-22 16:33:43 dirmngr[20040.6] http.c:RESP: ''
2026-04-22 16:33:44 dirmngr[20040.6] handler for fd 6 terminated

Here is where they diverge, mine on top, yours below.

2026-04-22 07:13:00 dirmngr[2396] handler for fd 680 started
2026-04-22 07:13:00 dirmngr[2396] DBG: dns: libdns initialized (tor mode)
2026-04-22 07:13:20 dirmngr[2396] DBG: dns: resolve_dns_name(openpgpkey.torproject.org): Server indicated a failure

2026-04-22 16:33:37 dirmngr[20040.6] handler for fd 6 started
2026-04-22 16:33:37 dirmngr[20040.6] connection from process 20043 (1000:1000)
2026-04-22 16:33:37 dirmngr[20040.6] DBG: dns: libdns initialized (tor mode)
2026-04-22 16:33:38 dirmngr[20040.6] DBG: dns: resolve_dns_name(openpgpkey.torproject.org): Success

However, the first few lines of your log seem to indicate you’re on a Unix or Linux box. I am on Windows. Isn’t the code different for the two?

2026-04-22 16:33:34 dirmngr[20040.0] error loading certificate '/etc/ssl/certs/ca-certificates.crt': Certificate expired
2026-04-22 16:33:34 dirmngr[20040.0] error loading certificate '/etc/ssl/certs/ca-certificates.crt': Certificate expired

Yes, I’m on Linux and yes the code is different but the steps should be the same so I’d expect that the logs were not too different.

Another one is
2026-04-22 07:13:30 dirmngr[2396] DBG: Using TLS library: NTBTLS 0.3.2
vs
2026-04-22 16:33:38 dirmngr[20040.6] DBG: Using TLS library: GNUTLS 3.8.3.
But since eebb cannot reproduce this on their machine I don’t think it’s the fault of the TLS library.

Are you in a network that uses a proxy?

No, no proxy here. The IP on my router matches the IP WhatsMyIP.org tells me.

But I did find this: I removed Cloudflare as my DNS provider (1.1.1.1) and went with the default from my ISP. Rebooted and ‘lo and behold’ the query works. “It’s always DNS.”

I am off to ask Matthew Prince why, but before I go, thank you to Herr Klassen and eebb for your invaluable assistance.

2026-04-23 09:41:44 dirmngr[6056] DBG: dns: dnsserver[0] 'x.x.x.x'
2026-04-23 09:41:44 dirmngr[6056] DBG: dns: libdns initialized
2026-04-23 09:41:44 dirmngr[6056] DBG: dns: resolve_dns_name(openpgpkey.torproject.org): Success
2026-04-23 09:41:44 dirmngr[6056] DBG: Using TLS library: NTBTLS 0.3.2
2026-04-23 09:41:44 dirmngr[6056] DBG: check_inet_support:  family: 23
2026-04-23 09:41:44 dirmngr[6056] DBG: check_inet_support:     addr: ::1
2026-04-23 09:41:44 dirmngr[6056] DBG: check_inet_support:  family: 2
2026-04-23 09:41:44 dirmngr[6056] DBG: check_inet_support:     addr: [ MY LOCAL IP ]
2026-04-23 09:41:44 dirmngr[6056] detected interfaces: IPv4
2026-04-23 09:41:44 dirmngr[6056] DBG: http.c:connect_server: trying name='openpgpkey.torproject.org' port=443
2026-04-23 09:41:46 dirmngr[6056] DBG: dns: resolve_dns_name(openpgpkey.torproject.org): Success
2026-04-23 09:41:46 dirmngr[6056] DBG: http.c:2893:socket_new: object 0x00000000030ffb10 for fd 964 created
2026-04-23 09:41:46 dirmngr[6056] certificate cached
2026-04-23 09:41:46 dirmngr[6056] Note: non-critical certificate policy not allowed
2026-04-23 09:41:46 dirmngr[6056] DBG: find_cert_bysubject: certificate found in the cache by subject DN
2026-04-23 09:41:46 dirmngr[6056] certificate is good
2026-04-23 09:41:46 dirmngr[6056] Note: non-critical certificate policy not allowed
2026-04-23 09:41:46 dirmngr[6056] DBG: find_cert_bysubject: certificate found in the cache by subject DN
2026-04-23 09:41:46 dirmngr[6056] certificate is good
2026-04-23 09:41:46 dirmngr[6056] root certificate is good and trusted
2026-04-23 09:41:46 dirmngr[6056] certificate chain is good
2026-04-23 09:41:46 dirmngr[6056]   certificate #008210CFB0D240E3594463E0BB63828B00/CN=ISRG Root X1,O=Internet Security Research Group,C=US
2026-04-23 09:41:46 dirmngr[6056]   certificate #00C212324B70A9B49171DC40F7E285263C/CN=ISRG Root X1,O=Internet Security Research Group,C=US
2026-04-23 09:41:46 dirmngr[6056]   certificate #0699BEB6585F7F8A34C5A015B2E1E5F563FD/CN=R12,O=Let's Encrypt,C=US
2026-04-23 09:41:46 dirmngr[6056] target certificate is valid
....
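An added example, not from any poster in this thread or from the GnuPG project: a small Python triage of a dirmngr debug log (as produced with the `debug dns,network,lookup` settings above) that reports which stage failed first. The function name `triage`, the stage labels and the abridged sample logs are assumptions, constructed from the log lines quoted in the thread.

```python
import re

# Line shapes taken from the dirmngr debug logs quoted in this thread.
DNS_RE = re.compile(r"DBG: dns: (resolve_dns_name|getsrv)\(([^)]+)\)(?:: (.+)| -> (\d+) records)$")
CMD_FAIL_RE = re.compile(r"command '(\w+)' failed: ")
HTTP_RE = re.compile(r"DBG: >> HTTP/\d\.\d (\d{3})")

def triage(log_text):
    """Classify a dirmngr debug log by the first stage that failed (hypothetical helper)."""
    dns_failed, failed_cmds, statuses = [], [], []
    for line in map(str.strip, log_text.splitlines()):
        if m := DNS_RE.search(line):
            kind, name, result, _records = m.groups()
            # "Success" or "-> N records" (result is None) both mean the resolver answered.
            if result not in (None, "Success"):
                dns_failed.append(f"{kind}({name})")
        elif m := CMD_FAIL_RE.search(line):
            failed_cmds.append(m.group(1))
        elif m := HTTP_RE.search(line):
            statuses.append(int(m.group(1)))
    if dns_failed and not statuses:
        stage = "dns"       # lookups failed and no HTTP response was ever logged
    elif failed_cmds and not statuses:
        stage = "connect"   # names resolved, but no response (TCP, TLS or proxy)
    elif any(s >= 400 for s in statuses):
        stage = "http"      # a server answered with an error status
    else:
        stage = "ok"
    return {"stage": stage, "dns_failed": dns_failed,
            "failed_cmds": failed_cmds, "http_statuses": statuses}

# Constructed samples, abridged from the two logs posted above.
FAILING = r"""
2026-04-22 07:13:20 dirmngr[2396] DBG: dns: resolve_dns_name(openpgpkey.torproject.org): Server indicated a failure
2026-04-22 07:13:30 dirmngr[2396] DBG: dns: getsrv(_openpgpkey._tcp.torproject.org): Server indicated a failure
2026-04-22 07:13:50 dirmngr[2396] command 'WKD_GET' failed: Server indicated a failure
2026-04-22 07:14:02 dirmngr[2396] DBG: dns: getsrv(_pgpkey-https._tcp.pgpkeys.eu): Server indicated a failure
2026-04-22 07:14:02 dirmngr[2396] command 'KS_GET' failed: Server indicated a failure <Unspecified source>
"""
WORKING = r"""
2026-04-22 16:33:38 dirmngr[20040.6] DBG: dns: resolve_dns_name(openpgpkey.torproject.org): Success
2026-04-22 16:33:39 dirmngr[20040.6] DBG: >> HTTP/1.1 200 OK\r\n
2026-04-22 16:33:40 dirmngr[20040.6] DBG: dns: getsrv(_pgpkey-https._tcp.pgpkeys.eu) -> 0 records
2026-04-22 16:33:41 dirmngr[20040.6] DBG: dns: resolve_dns_name(pgpkeys.eu): Success
2026-04-22 16:33:43 dirmngr[20040.6] DBG: >> HTTP/1.1 200 OK\r\n
"""

if __name__ == "__main__":
    for name, log in (("failing", FAILING), ("working", WORKING)):
        print(name, triage(log))
```

A `dns` verdict while `nslookup` succeeds on the same machine, as in this thread, indicates that dirmngr's own resolver is failing against the configured DNS server rather than the keyserver or WKD host rejecting the client.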