gpg: problem with the agent: Bad CA certificate

Bug #681002 reported by Laurento Frittella
This bug affects 22 people
Affects                  Status        Importance  Assigned to  Milestone
Déjà Dup                 Invalid       High        Unassigned
GNOME Keyring            Fix Released  Medium
gnome-keyring (Ubuntu)   Fix Released  Undecided   Unassigned

Bug Description

If I don't encrypt the backup all works well, otherwise...

[...]
DUPLICITY: INFO 1
DUPLICITY: . GPG error detail: Traceback (most recent call last):
DUPLICITY: . File "/usr/bin/duplicity-2.6", line 1245, in <module>
DUPLICITY: . with_tempdir(main)
DUPLICITY: . File "/usr/bin/duplicity-2.6", line 1238, in with_tempdir
DUPLICITY: . fn()
DUPLICITY: . File "/usr/bin/duplicity-2.6", line 1220, in main
DUPLICITY: . incremental_backup(sig_chain)
DUPLICITY: . File "/usr/bin/duplicity-2.6", line 488, in incremental_backup
DUPLICITY: . globals.backend)
DUPLICITY: . File "/usr/bin/duplicity-2.6", line 295, in write_multivol
DUPLICITY: . globals.gpg_profile, globals.volsize)
DUPLICITY: . File "/usr/lib64/python2.6/site-packages/duplicity/gpg.py", line 291, in GPGWriteFile
DUPLICITY: . file.close()
DUPLICITY: . File "/usr/lib64/python2.6/site-packages/duplicity/gpg.py", line 180, in close
DUPLICITY: . self.gpg_failed()
DUPLICITY: . File "/usr/lib64/python2.6/site-packages/duplicity/gpg.py", line 165, in gpg_failed
DUPLICITY: . raise GPGError, msg
DUPLICITY: . GPGError: GPG Failed, see log below:
DUPLICITY: . ===== Begin GnuPG log =====
DUPLICITY: . gpg: problem with the agent: Bad CA certificate
DUPLICITY: . ===== End GnuPG log =====
DUPLICITY: .
DUPLICITY: .

DUPLICITY: ERROR 31 GPGError
DUPLICITY: . GPGError: GPG Failed, see log below:
DUPLICITY: . ===== Begin GnuPG log =====
DUPLICITY: . gpg: problem with the agent: Bad CA certificate
DUPLICITY: . ===== End GnuPG log =====
DUPLICITY: .
[...]

I'm using duplicity-0.6.11

Revision history for this message
Laurento Frittella (laurento-frittella) wrote :

I forgot to say... "wrong passphrase" is the message deja-dup shows in the gui

Revision history for this message
Laurento Frittella (laurento-frittella) wrote :

all works well if I directly use duplicity and encrypt the backup too

Revision history for this message
Michael Terry (mterry) wrote :

Sorry for late response! Which version of deja-dup did you use? Version 16.1.1 may have a fix for this. I fixed something similar-sounding with how deja-dup handles encryption, and it might fix whatever this is.

Someone else hit this same error message: http://forums.gentoo.org/viewtopic-t-855809.html?sid=0d09a7fc068081bbe7ff8d306bf95e30

They said, "gnome-keyring-daemon seems to be the culprit. Killing that process (or configuring gnome not to start it in the first place) prevents the error."

Can you try that?

Changed in deja-dup:
status: New → Incomplete
Revision history for this message
Laurento Frittella (laurento-frittella) wrote :

I'm already using 16.1.1 and I can confirm that killing gnome-keyring-daemon does the trick... the backup finishes correctly

ps: I need to kill gnome-keyring-daemon just after the backup starts because dejadup needs to read the stored passphrase from my keyring

Revision history for this message
Michael Terry (mterry) wrote :

Hmmm... The forum poster said he was using just duplicity. But that did work for you, while Deja Dup didn't. I'm not sure where the bug might be... Deja Dup does interact with the keyring, but as you note, is done with it after the backup starts.

I'm subscribing Ken -- does this look familiar?

Revision history for this message
Kenneth Loafman (kenneth-loafman) wrote :

No, but a Google search for 'duplicity gpg: problem with the agent: Bad CA certificate' yields the answer above. The error is not in duplicity or Deja Dup, per se, but in the keyring process.

Revision history for this message
Alex Domingo (lexmingor) wrote :

I encountered this problem with deja-dup-18.0. I could deal with it by disabling in gnome-session the GPG service of the gnome-keyring-daemon, but without completely killing the gnome-keyring-daemon. In my case that service is started by a command like: gnome-keyring-daemon --start --components=gpg. It seems that duplicity is not compatible with the gpg-agent from gnome-keyring-daemon but I couldn't find any confirmation on this.

Revision history for this message
Laurento Frittella (laurento-frittella) wrote :

mhhh it seems to me that the "gnome-keyring-daemon --start --components=gpg" command should start only the gpg component instead of excluding it. To start all g-k-d components except the gpg one you should use "gnome-keyring-daemon --start --components=pkcs11,secrets,ssh", shouldn't you?

Revision history for this message
3vi1 (launchpad-net-eternaldusk) wrote :

Which file is the daemon started from? I'm running into this exact same error.

Michael Terry (mterry)
Changed in deja-dup:
importance: Undecided → High
Michael Terry (mterry)
summary: - wrong passphrase during backup (not restore)
+ gpg: problem with the agent: Bad CA certificate
Michael Terry (mterry)
Changed in deja-dup:
status: Incomplete → Confirmed
Revision history for this message
Michael Terry (mterry) wrote :

OK, I think I fixed this. Basically, Deja Dup never needs to use a gpg agent, and using an agent isn't even enabled in gpg by default normally. But it is enabled as a global default on (at least) Ubuntu.

I'm not sure why sometimes the agent likes to complain about a bad CA certificate, but regardless. I've now made Deja Dup pass the --no-use-agent flag to gpg. That will avoid this point of failure in the future.

Changed in deja-dup:
milestone: none → 19.3
status: Confirmed → Fix Committed
Revision history for this message
Laurento Frittella (laurento-frittella) wrote :

$ gpg --version
gpg (GnuPG) 2.0.17

$ gpg --no-use-agent
gpg: WARNING: "--no-use-agent" is an obsolete option - it has no effect

Revision history for this message
Michael Terry (mterry) wrote :

Laurento, thanks for the notice! I'm still on gpg 1.x, which accepts the argument. There doesn't seem to be a way to ask gpg2 to not attempt an agent connection.

This isn't a bug in deja-dup or duplicity as far as I can tell at this point... I've done what I can for gpg1 users.

Michael Terry (mterry)
Changed in deja-dup:
status: Fix Committed → Fix Released
Revision history for this message
3vi1 (launchpad-net-eternaldusk) wrote :

Hmmm.... reinstalled, and this works fine in Natty... but encrypted backups are still broken in Oneiric.

Revision history for this message
Michael Terry (mterry) wrote :

I'm re-opening this. More people have reported this, and I'd like to have a solution in place for those distros that switch to gpg2. I've discovered that passing --rfc1991 or an --s2k-count greater than 0 to gpg2 will work around this. So I can always set that option. But I'd like to discover the real issue too.

Changed in deja-dup:
milestone: 19.3 → none
status: Fix Released → Triaged
Revision history for this message
Michael Terry (mterry) wrote :

The problem is that gnome-keyring's gpg-agent returns a bogus error code when it gets a GETINFO request it doesn't understand. I've filed a bug upstream and will patch Ubuntu's version.

Michael Terry (mterry)
Changed in deja-dup:
status: Triaged → Invalid
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-keyring - 3.1.91-0ubuntu4

---------------
gnome-keyring (3.1.91-0ubuntu4) oneiric; urgency=low

  * debian/patches/05_correct_gpg_agent_error_code.patch:
    - Return correct error code for unimplemented GETINFO requests to
      the agent (LP: #681002)
 -- Michael Terry <email address hidden> Wed, 14 Sep 2011 14:36:02 -0400

Changed in gnome-keyring (Ubuntu):
status: New → Fix Released
Changed in gnome-keyring:
importance: Unknown → Medium
status: Unknown → Fix Released
Revision history for this message
Felix (apoapo) wrote :

Confirmed, this is working now. Thank you so much!

Revision history for this message
Planets (planets) wrote :

I'm still having this issue in 11.10. It keeps asking for a password while backing up.

Revision history for this message
Michael Terry (mterry) wrote :

Planets, are you sure that you are specifically getting the error "Bad CA certificate"? There are several reasons/bugs why you might keep being prompted.

Revision history for this message
Dylan Knowles (dylanknowles) wrote :

Like Planets, I too am having this problem in 11.10. I can't say whether or not I'm getting the error "Bad CA certificate;" if you could instruct me on what to look for (and what information you need to diagnose the problem), I'm sure I could find more information for you.

Revision history for this message
Dylan Knowles (dylanknowles) wrote :

Further information concerning my system that might be of immediate use:
gnome-keyring version: 3.2.2
gpg version: 1.4.11

Revision history for this message
Michael Terry (mterry) wrote :

Dylan, Planets: Please file a new bug and follow the instructions in the bug form to give me the logs and info I need. Thanks!

https://bugs.launchpad.net/deja-dup/+filebug

Revision history for this message
Vla7 (vla7) wrote :

Confirmed in Gentoo. When I want to encrypt my backup and enter any password, it keeps asking for the password regardless of whether gnome-keyring is running or not

my versions

gnome-base/gnome-keyring 3.2.2
app-backup/deja-dup 21.2-r1
app-backup/duplicity 0.6.17
app-crypt/gnupg 2.0.17
3.1.6-gentoo

Revision history for this message
unmacaque (unmacaque) wrote :

I thought I added my experiences with this bug. This might especially help people who were redirected here by duplicates of this bug.

One day, when I was trying to backup files on a USB HDD, deja-dup would keep asking for a password and not do anything. The day before, it still worked (on Arch Linux with deja-dup 22.1 and gnupg 2.0.19). The debug output was similar, yet different to the one in the bug description. Essentially, the GPG output was:

gpg decrypt_message failed: unknown system error

It turned out that the backup files created the day before were corrupted, i.e. 0 bytes. This was most likely due to turning off the USB disk before its cache was flushed. Deleting the 0-byte files made deja-dup continue to work again as expected.

Revision history for this message
Robin Sheat (eythian) wrote :

This is still an issue in Ubuntu 12.04 for me. It gets to my .gnupg directory and then asks for the password again (I don't know if that's a coincidence or not.)

Revision history for this message
Robin Sheat (eythian) wrote :

DUPLICITY: INFO 4 'home/robin/.gnupg/pubring.gpg'
DUPLICITY: . A home/robin/.gnupg/pubring.gpg

DUPLICITY: DEBUG 1
DUPLICITY: . Removing still remembered temporary file /tmp/duplicity-_XHa0A-tempdir/mkstemp-DS0LuL-1

DUPLICITY: DEBUG 1
DUPLICITY: . Removing still remembered temporary file /tmp/duplicity-_XHa0A-tempdir/mktemp-w2gx_c-2

DUPLICITY: INFO 1
DUPLICITY: . GPG error detail: Traceback (most recent call last):
DUPLICITY: . File "/usr/bin/duplicity", line 1403, in <module>
DUPLICITY: . with_tempdir(main)
DUPLICITY: . File "/usr/bin/duplicity", line 1396, in with_tempdir
DUPLICITY: . fn()
DUPLICITY: . File "/usr/bin/duplicity", line 1366, in main
DUPLICITY: . full_backup(col_stats)
DUPLICITY: . File "/usr/bin/duplicity", line 500, in full_backup
DUPLICITY: . globals.backend)
DUPLICITY: . File "/usr/bin/duplicity", line 378, in write_multivol
DUPLICITY: . globals.gpg_profile, globals.volsize)
DUPLICITY: . File "/usr/lib/python2.7/dist-packages/duplicity/gpg.py", line 332, in GPGWriteFile
DUPLICITY: . file.close()
DUPLICITY: . File "/usr/lib/python2.7/dist-packages/duplicity/gpg.py", line 221, in close
DUPLICITY: . self.gpg_failed()
DUPLICITY: . File "/usr/lib/python2.7/dist-packages/duplicity/gpg.py", line 206, in gpg_failed
DUPLICITY: . raise GPGError, msg
DUPLICITY: . GPGError: GPG Failed, see log below:
DUPLICITY: . ===== Begin GnuPG log =====
DUPLICITY: . gpg: can't handle text lines longer than 19995 characters
DUPLICITY: . ===== End GnuPG log =====
DUPLICITY: .
DUPLICITY: .

DUPLICITY: ERROR 31 GPGError
DUPLICITY: . GPGError: GPG Failed, see log below:
DUPLICITY: . ===== Begin GnuPG log =====
DUPLICITY: . gpg: can't handle text lines longer than 19995 characters
DUPLICITY: . ===== End GnuPG log =====

Revision history for this message
Pedro Salgueiro (pds) wrote :

Having the same problem in Ubuntu 12.04 with duplicity 0.6.18.
It presents a GPG error, but if I try to decrypt the file manually with the following command, it works ok:

gpg --output manifest --decrypt duplicity-full.20120326T100344Z.manifest.gpg

Here is the log of running duplicity on the command line with the following arguments:
/usr/bin/duplicity --verbosity info list-current-files --gio smb://xpto@foo/backups/

Main action: list-current
================================================================================
duplicity 0.6.18 (February 29, 2012)
Args: /usr/bin/duplicity --verbosity info list-current-files --gio smb://psalgueiro@licoroso/backups/
Linux pds-laptop 3.2.0-26-generic #41-Ubuntu SMP Thu Jun 14 17:49:24 UTC 2012 x86_64 x86_64
/usr/bin/python 2.7.3 (default, Apr 20 2012, 22:39:59)
[GCC 4.6.3]
================================================================================
Synchronizing remote metadata to local cache...
PASSPHRASE variable not set, asking user.
GnuPG passphrase:
Copying duplicity-full-signatures.20120703T083354Z.sigtar.gpg to local cache.
Using temporary directory /tmp/duplicity-XXDtVy-tempdir
Writing /tmp/duplicity-XXDtVy-tempdir/mktemp-0Ewuy_-1
GPG error detail: Traceback (most recent call last):
  File "/usr/bin/duplicity", line 1403, in <module>
    with_tempdir(main)
  File "/usr/bin/duplicity", line 1396, in with_tempdir
    fn()
  File "/usr/bin/duplicity", line 1272, in main
    sync_archive(decrypt)
  File "/usr/bin/duplicity", line 1072, in sync_archive
    copy_to_local(fn)
  File "/usr/bin/duplicity", line 1019, in copy_to_local
    gpg.GzipWriteFile(src_iter, tdp.name, size=sys.maxint)
  File "/usr/lib/python2.7/dist-packages/duplicity/gpg.py", line 372, in GzipWriteFile
    new_block = block_iter.next(min(128*1024, bytes_to_go))
  File "/usr/bin/duplicity", line 1002, in next
    self.fileobj.close()
  File "/usr/lib/python2.7/dist-packages/duplicity/dup_temp.py", line 222, in close
    assert not self.fileobj.close()
  File "/usr/lib/python2.7/dist-packages/duplicity/gpg.py", line 239, in close
    self.gpg_failed()
  File "/usr/lib/python2.7/dist-packages/duplicity/gpg.py", line 206, in gpg_failed
    raise GPGError, msg
GPGError: GPG Failed, see log below:
===== Begin GnuPG log =====
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: block_filter 0x1817cc0: read error (size=10507,a->size=10507)
gpg: [don't know]: invalid packet (ctb=1d)
gpg: onepass_sig with unknown version 116
gpg: mdc_packet with invalid encoding
gpg: decryption failed: invalid packet
gpg: [don't know]: invalid packet (ctb=25)
gpg: block_filter: pending bytes!
===== End GnuPG log =====

Revision history for this message
Ross Gayler (r-gayler) wrote :

I appear to be getting the same problems with Ubuntu 12.10. It used to work fine. The issue suddenly appeared after cancelling a backup due to network problems.

Attempting to do incremental encrypted backup. DD prompts for password. Goes scanning. Reaches end of scanning. Prompts for password again. Repeat ad infinitum.

1) OSversion
Ubuntu 12.10 (32 bit)

2) DDversions
deja-dup 24.0-0ubuntu1
duplicity 0.6.19-0ubuntu2.2

3) DD gsettings
deja-dup.gsettings
org.gnome.DejaDup backend 'file'
org.gnome.DejaDup delete-after 84
org.gnome.DejaDup exclude-list ['/home/ross/.local/share/Trash']
org.gnome.DejaDup full-backup-period 90
org.gnome.DejaDup include-list ['$HOME']
org.gnome.DejaDup last-backup '2013-01-26T00:20:59.680505Z'
org.gnome.DejaDup last-restore ''
org.gnome.DejaDup last-run '2013-01-26T00:20:59.680505Z'
org.gnome.DejaDup nag-check '2012-12-06T01:55:55.372162Z'
org.gnome.DejaDup periodic false
org.gnome.DejaDup periodic-period 1
org.gnome.DejaDup prompt-check '2011-10-14T10:07:43.024981Z'
org.gnome.DejaDup root-prompt true
org.gnome.DejaDup welcomed false
org.gnome.DejaDup.File icon ''
org.gnome.DejaDup.File name ''
org.gnome.DejaDup.File path 'smb://rufus/backup/annie'
org.gnome.DejaDup.File relpath @ay []
org.gnome.DejaDup.File short-name ''
org.gnome.DejaDup.File type 'normal'
org.gnome.DejaDup.File uuid ''
org.gnome.DejaDup.Rackspace container 'TravelMate-2480'
org.gnome.DejaDup.Rackspace username ''
org.gnome.DejaDup.S3 bucket ''
org.gnome.DejaDup.S3 folder 'TravelMate-2480'
org.gnome.DejaDup.S3 id ''
org.gnome.DejaDup.U1 folder '/deja-dup/TravelMate-2480'

4) run DD to get debug log
The most relevant part appears to be

DUPLICITY: INFO 1
DUPLICITY: . GPG error detail: Traceback (most recent call last):
DUPLICITY: . File "/usr/bin/duplicity", line 1412, in <module>
DUPLICITY: . with_tempdir(main)
DUPLICITY: . File "/usr/bin/duplicity", line 1405, in with_tempdir
DUPLICITY: . fn()
DUPLICITY: . File "/usr/bin/duplicity", line 1281, in main
DUPLICITY: . sync_archive(decrypt)
DUPLICITY: . File "/usr/bin/duplicity", line 1081, in sync_archive
DUPLICITY: . copy_to_local(fn)
DUPLICITY: . File "/usr/bin/duplicity", line 1028, in copy_to_local
DUPLICITY: . gpg.GzipWriteFile(src_iter, tdp.name, size=sys.maxint)
DUPLICITY: . File "/usr/lib/python2.7/dist-packages/duplicity/gpg.py", line 371, in GzipWriteFile
DUPLICITY: . new_block = block_iter.next()
DUPLICITY: . File "/usr/bin/duplicity", line 1008, in next
DUPLICITY: . self.fileobj.close()
DUPLICITY: . File "/usr/lib/python2.7/dist-packages/duplicity/dup_temp.py", line 225, in close
DUPLICITY: . assert not self.fileobj.close()
DUPLICITY: . File "/usr/lib/python2.7/dist-packages/duplicity/gpg.py", line 239, in close
DUPLICITY: . self.gpg_failed()
DUPLICITY: . File "/usr/lib/python2.7/dist-packages/duplicity/gpg.py", line 206, in gpg_failed
DUPLICITY: . raise GPGError, msg
DUPLICITY: . GPGError: GPG Failed, see log below:
DUPLICITY: . ===== Begin GnuPG log =====
DUPLICITY: . gpg: CAST5 encrypted data
DUPLICITY: . gpg: encrypted with 1 passphrase
DUPLICITY: . gpg: decryption failed: bad key
DUPLICITY: . ===== End GnuPG log =====
DU...


Revision history for this message
echo777 (echo777) wrote :

I can reproduce Ross Gayler's problems:

DUPLICITY: INFO 1
DUPLICITY: . GPG error detail: Traceback (most recent call last):
DUPLICITY: . File "/usr/bin/duplicity", line 1412, in <module>
DUPLICITY: . with_tempdir(main)
DUPLICITY: . File "/usr/bin/duplicity", line 1405, in with_tempdir
DUPLICITY: . fn()
DUPLICITY: . File "/usr/bin/duplicity", line 1281, in main
DUPLICITY: . sync_archive(decrypt)
DUPLICITY: . File "/usr/bin/duplicity", line 1081, in sync_archive
DUPLICITY: . copy_to_local(fn)
DUPLICITY: . File "/usr/bin/duplicity", line 1028, in copy_to_local
DUPLICITY: . gpg.GzipWriteFile(src_iter, tdp.name, size=sys.maxint)
DUPLICITY: . File "/usr/lib/python2.7/dist-packages/duplicity/gpg.py", line 371, in GzipWriteFile
DUPLICITY: . new_block = block_iter.next()
DUPLICITY: . File "/usr/bin/duplicity", line 1008, in next
DUPLICITY: . self.fileobj.close()
DUPLICITY: . File "/usr/lib/python2.7/dist-packages/duplicity/dup_temp.py", line 225, in close
DUPLICITY: . assert not self.fileobj.close()
DUPLICITY: . File "/usr/lib/python2.7/dist-packages/duplicity/gpg.py", line 239, in close
DUPLICITY: . self.gpg_failed()
DUPLICITY: . File "/usr/lib/python2.7/dist-packages/duplicity/gpg.py", line 206, in gpg_failed
DUPLICITY: . raise GPGError, msg
DUPLICITY: . GPGError: GPG Failed, see log below:
DUPLICITY: . ===== Begin GnuPG log =====
DUPLICITY: . gpg: CAST5 encrypted data
DUPLICITY: . gpg: encrypted with 1 passphrase
DUPLICITY: . gpg: decryption failed: bad key
DUPLICITY: . ===== End GnuPG log =====
DUPLICITY: .
DUPLICITY: .

DUPLICITY: ERROR 31 GPGError
DUPLICITY: . GPGError: GPG Failed, see log below:
DUPLICITY: . ===== Begin GnuPG log =====
DUPLICITY: . gpg: CAST5 encrypted data
DUPLICITY: . gpg: encrypted with 1 passphrase
DUPLICITY: . gpg: decryption failed: bad key
DUPLICITY: . ===== End GnuPG log =====
DUPLICITY: .

I must have canceled a backup during one of its runs. Now it doesn't accept my password, even though they have been saved previously and used for over a month. Has this issue ever been solved?

Revision history for this message
garnus (garnus) wrote :

Hi,
I switched from 12.04 to 13.04 and now I can't restore any backups made on 12.04. How can I manually bring my files back?

Revision history for this message
Jeroen (jeroen-pc) wrote :

I had deja-dup running on Ubuntu 12.04; when moving to 13.04, I could not restore since deja-dup keeps asking for a password I never set

deja-dup 26.0-0ubuntu1
duplicity 0.6.21-0ubuntu1

What to do?
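
Added example, not part of the bug thread and not code from Deja Dup, duplicity or gnome-keyring: several commenters report the same symptom (repeated password prompts) with different GnuPG messages, so this sketch pulls the GnuPG log block out of a Deja Dup debug log or plain duplicity output and says which of the messages quoted above it contains. The labels, the SIGNATURES table and the sample log are constructed for illustration; the diagnoses only repeat what commenters reported.

```python
import re

# (substring of the GnuPG message, label, what this thread says about it)
SIGNATURES = [
    ("problem with the agent: Bad CA certificate", "agent-error-code",
     "gnome-keyring gpg-agent error code bug (this report)"),
    ("decrypt_message failed: unknown system error", "zero-byte-volume",
     "0-byte backup files on the target (unmacaque's comment)"),
    ("decryption failed: bad key", "bad-key", "undiagnosed in this thread"),
    ("decryption failed: invalid packet", "invalid-packet", "undiagnosed in this thread"),
    ("can't handle text lines longer than", "long-text-line", "undiagnosed in this thread"),
]

PREFIX = re.compile(r"^DUPLICITY: \.? ?")  # Deja Dup debug logs prefix every line
BEGIN = "===== Begin GnuPG log ====="
END = "===== End GnuPG log ====="

def gnupg_blocks(log_text):
    """Return the distinct GnuPG log blocks in order of first appearance."""
    blocks, seen, current = [], set(), None
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line == BEGIN:
            current = []
        elif line == END and current is not None:
            # duplicity prints the same block under INFO 1 and ERROR 31
            if tuple(current) not in seen:
                seen.add(tuple(current))
                blocks.append(current)
            current = None
        elif current is not None and line:
            current.append(line)
    return blocks  # a block with no End marker (truncated log) is dropped

def classify(log_text):
    """Return one (label, note, block_lines) tuple per distinct GnuPG block."""
    results = []
    for block in gnupg_blocks(log_text):
        label, note = "unrecognised", "not one of the messages quoted in this thread"
        for needle, name, diagnosis in SIGNATURES:
            if any(needle in line for line in block):
                label, note = name, diagnosis
                break
        results.append((label, note, block))
    return results

# Constructed sample: a prefixed Deja Dup block (printed twice) followed by
# an unprefixed block as produced by running duplicity directly.
SAMPLE = """\
DUPLICITY: INFO 1
DUPLICITY: . ===== Begin GnuPG log =====
DUPLICITY: . gpg: problem with the agent: Bad CA certificate
DUPLICITY: . ===== End GnuPG log =====
DUPLICITY: ERROR 31 GPGError
DUPLICITY: . ===== Begin GnuPG log =====
DUPLICITY: . gpg: problem with the agent: Bad CA certificate
DUPLICITY: . ===== End GnuPG log =====
===== Begin GnuPG log =====
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: decryption failed: bad key
===== End GnuPG log =====
"""

if __name__ == "__main__":
    for label, note, block in classify(SAMPLE):
        print(f"{label}: {note}\n    " + "\n    ".join(block))
```

Only the "agent-error-code" label corresponds to the fix released in gnome-keyring 3.1.91-0ubuntu4; any other label means the log belongs in a separate report, as requested earlier in the thread.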
