keybase
Certificate signed by unknown authority
I have a custom CA cert installed on my system (which is mandatory to access internet mainly HTTPS sites). When I try to login keybase via commandline, I get the following error:
> keybase login
Your keybase username or email address: [email protected]
▶ ERROR API network error: Get https://api.keybase.io/_/api/1.0/getsalt.json?email_or_username=xxxx%40xxxx.com: x509: certificate signed by unknown authority (error 1601)
Note: The CA certificate is present in /etc/ssl/certs/
Not sure if it's relevant, but api.keybase.io isn't serving a valid cert. keybase.io (which does serve the api via /_/api) does.
We vendor the CA for api.keybase.io with the clients so you don't have to trust the root CAs in addition to our code. For the browser we can't do that, so you wind up trusting the root CAs at keybase.io. They both are handled by the same software on the backend.
On Saturday, July 16, 2016, Alex Ibrado [email protected] wrote:
Not sure if it's relevant, but api.keybase.io isn't serving a valid cert. keybase.io (which does serve the api via /_/api) does.
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/keybase/keybase-issues/issues/2371#issuecomment-233136702, or mute the thread https://github.com/notifications/unsubscribe-auth/AA05_4l3VhCi1uj2lq9sHhio4yqZ9SaSks5qWP4mgaJpZM4JMC8W .
The endpoint has changed from api.keybase.io to api-0.core.keybaseapi.com but the bugs are still the same (and one of the certs was expiring in 7014 according to my system, longest lived webservice EVAR, see also #14307 and the other issues linked to it.
Installing the latest version from keybase.io fixes this.
On Tue, Jan 2, 2024, 17:47 Felix Klement @.***> wrote:
Currently getting this error on all of my devices.
Me as well.
— Reply to this email directly, view it on GitHub https://github.com/keybase/keybase-issues/issues/2371#issuecomment-1873802930, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAZIUUJNX7UCDX7VOMYI5A3YMPJSNAVCNFSM4CJQF4LKU5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TCOBXGM4DAMRZGMYA . You are receiving this because you commented.Message ID: @.***>
I recently updated my Apple ID e-mail address and even more recently used the iOS app to provision the rest of my devices. I had to reinstall to update the app so it looks like I'm going for the paper key. Thanks for the heads up.
Didn't need the paper key! Everything (.dmg, apt, yum, yay) works for me except the FreeBSD pkg.
# pkg install keybase
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
% keybase pgp list
▶ ERROR API network error: Get "https://api-0.core.keybaseapi.com/_/api/1.0/merkle/root.json?c=1&last=25286640&skip_last=1": tls: failed to verify certificate: x509: certificate signed by unknown authority (code 1601)
The error message needs to be updated to say that the client key has expired. "signed by unknown authority" is rather vague.
The error message needs to be updated to say that the client key has expired. "signed by unknown authority" is rather vague.
To be fair, they have a banner in the GUI app that explains the issue:
I didn't get that message on my GUI. Maybe due to using Mac? How I found out is that a coworker told me. Not sure why they didn't include that error message on the CLI. It exactly explains the problem and how to fix it.