5

I tried to launch an LXC container, but when I run

sudo lxc-create -t download ubuntu -n web1

it shows this error:

ERROR: Unable to fetch GPG key from keyserver

How can I solve this issue?

3 Answers

7

Without knowing what version of Ubuntu you're using and without knowing what version of lxc-create you have, I'm just going to assume it's 20.04 and 4.0.6, respectively.

You can see here that by default it's going to look at the $DOWNLOAD_KEYSERVER environment variable and, if that's not set, by default it will use hkp://pool.sks-keyservers.net.

If you run dig pool.sks-keyservers.net you can see it's returning an NXDOMAIN status:

$ dig pool.sks-keyservers.net

; <<>> DiG 9.16.1-Ubuntu <<>> pool.sks-keyservers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39707
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;pool.sks-keyservers.net. IN A

;; Query time: 47 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Aug 31 20:22:44 PST 2021
;; MSG SIZE rcvd: 52

If you go to https://sks-keyservers.net you will see a message indicating that due to repeated GDPR requests they have stopped serving the pool's DNS records. Later versions of LXC are hardcoding hkp://keyserver.ubuntu.com for this value instead.

To use that, you can do:

$ DOWNLOAD_KEYSERVER="hkp://keyserver.ubuntu.com" lxc-create -t download -n my-container

Or just export the variable before running the command, e.g. export DOWNLOAD_KEYSERVER="hkp://keyserver.ubuntu.com".

dephekt
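A preflight for the failure diagnosed in the answer above, as an added example that is not part of the original answers or of LXC: it skips keyservers whose hostname no longer resolves and builds an lxc-create command that keeps GPG validation on. The function names, the RESOLVER hook and fake_resolver are assumptions of this example; the keyserver URLs and the --keyserver template option are the ones quoted on this page.

```shell
#!/bin/sh
# Constructed candidate list; the URLs are the ones quoted on this page.
# The retired pool stays first to show it being skipped.
KEYSERVER_CANDIDATES="hkp://pool.sks-keyservers.net hkps://keyserver.ubuntu.com hkp://keyserver.ubuntu.com"

# host_of URL: print the hostname, dropping scheme, path and port.
host_of() {
    h="${1#*://}"
    h="${h%%/*}"
    printf '%s\n' "${h%%:*}"
}

# resolves HOST: succeed if the name resolves. RESOLVER is a hook added by
# this example so the logic can be exercised without network access.
resolves() {
    ${RESOLVER:-getent hosts} "$1" >/dev/null 2>&1
}

# pick_keyserver: print the first keyserver whose hostname resolves. A value
# already in DOWNLOAD_KEYSERVER is tried first. A DNS answer only rules out
# the NXDOMAIN failure shown above; it does not prove the server serves keys.
pick_keyserver() {
    for ks in ${DOWNLOAD_KEYSERVER:-} $KEYSERVER_CANDIDATES; do
        if resolves "$(host_of "$ks")"; then
            printf '%s\n' "$ks"
            return 0
        fi
    done
    echo "no keyserver hostname resolves; fix DNS instead of using --no-validate" >&2
    return 1
}

# lxc_create_cmd NAME: print an lxc-create command line that passes the
# keyserver to the download template and leaves signature validation on.
lxc_create_cmd() {
    picked="$(pick_keyserver)" || return 1
    printf 'lxc-create -t download -n %s -- --keyserver %s\n' "$1" "$picked"
}

# Constructed stand-in resolver reproducing the situation on this page:
# every name resolves except the retired SKS pool.
fake_resolver() { [ "$1" != "pool.sks-keyservers.net" ]; }
```

Run the printed command with sudo as in the question; passing --keyserver after `--` does not rely on DOWNLOAD_KEYSERVER being passed through sudo.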
1

Even though I tried all the methods above, none of them worked and I kept getting:

Setting up the GPG keyring
ERROR: Unable to fetch GPG key from keyserver
lxc-create: priv-cont: lxccontainer.c: create_run_template: 1616 Failed to create container from template
lxc-create: priv-cont: tools/lxc_create.c: main: 319 Failed to create container priv-cont

So I found the --no-validate option, which, be aware, is unsafe, but works for my learning process. The execution is as follows:

DOWNLOAD_KEYSERVER="keyserver.ubuntu.com" sudo lxc-create --template download --name priv-cont -- --no-validate

0

Like @starbeamrainbowlabs said, use the flag --keyserver hkps://keyserver.ubuntu.com. Note the "s" at the end of the protocol string. It is not working anymore without it...

Full working example:

lxc-create -n mycontainer -t download -- -d debian -r bullseye -a amd64 --keyserver hkps://keyserver.ubuntu.com

jza34