API servers SSL certificate invalid issuer

[ei-grad]

Keybase CLI commands results in:

▶ ERROR API network error: Get "https://api-0.core.keybaseapi.com/_/api/1.0/merkle/root.json?c=1&last=25286625&skip_last=1": tls: failed to verify certificate: x509: certificate signed by unknown authority (code 1601)

Possibly related #26109 #26108 #24282

[jodavaho]

I bet this is the problem: keybase/keybase-issues#4219

[ei-grad]

This issue was about old certificate which did expire. This old certificate seems to be replaced with a new one, which is signed by some internal keybase CA, which is not trusted by keybase clients and is not included in systems trusted CA lists.

[ei-grad]

Current certificate information:

    Data:
        Version: 3 (0x2)
        Serial Number:
            ce:00:67:c8:95:c6:7d:91
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=NY, L=New York, O=Keybase LLC, OU=Cert Authority, CN=keybase.io/[email protected]
        Validity
            Not Before: Dec 31 20:08:16 2023 GMT
            Not After : Dec 30 20:08:16 2025 GMT
        Subject: CN=api-0.core.keybaseapi.com, O=Keybase, OU=Keybase LLC, L=NYC, ST=NY, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cf:e6:e0:e8:d8:96:b2:b5:37:9a:0b:06:20:05:
                    a3:1b:1b:86:00:bb:11:6c:0b:d3:0b:b8:86:c8:69:
                    51:ec:91:99:67:65:4b:88:4e:96:06:72:49:fe:3e:
                    c1:cd:2f:27:ec:aa:82:d5:9f:58:83:19:c6:fe:50:
                    af:5f:13:9c:de:ff:0a:4d:28:1d:f0:02:d8:fa:8d:
                    78:48:68:4e:b0:c9:fc:c6:00:dc:0a:76:80:03:03:
                    65:75:6f:66:08:39:91:c0:f6:5b:0d:da:4f:26:d1:
                    c4:08:e7:00:ee:a3:fa:0b:ac:7a:81:49:8e:be:a2:
                    a1:42:2a:5a:84:48:4c:fd:3d:e0:14:81:cb:18:64:
                    d2:5b:35:25:38:75:c0:19:8b:04:da:e3:a7:37:ab:
                    82:24:21:2e:fd:32:49:51:ae:72:fb:4b:4b:6f:81:
                    1f:5c:7b:1c:01:e6:53:64:67:ca:45:47:29:9c:d6:
                    54:75:21:62:6f:1d:b0:cf:46:50:9a:41:70:98:35:
                    4c:05:86:e5:eb:ee:1f:b7:a6:d5:7a:54:34:bd:c5:
                    f0:00:4d:80:09:04:93:dc:6b:1f:8e:3d:cd:80:c3:
                    f5:19:11:68:14:95:37:fc:fa:ed:14:ee:dd:c6:b9:
                    cb:dd:9f:86:ed:6d:f9:ba:20:85:b6:4c:80:8a:16:
                    7a:cf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            X509v3 Subject Key Identifier: 
                C4:C2:93:3E:5A:19:CB:E0:6E:56:BC:63:57:12:99:4C:2E:B7:CD:E6
            X509v3 Authority Key Identifier: 
                keyid:46:AA:40:4C:EC:35:81:55:6B:CE:5A:AA:14:A6:E4:7D:A2:97:BF:0A
                DirName:/C=US/ST=NY/L=New York/O=Keybase LLC/OU=Cert Authority/CN=keybase.io\/[email protected]
                serial:FC:E1:A5:C2:01:68:E7:8D
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:api-0.core.keybaseapi.com, DNS:api-1.core.keybaseapi.com, DNS:*.prod.kb-aws.net, DNS:api.keybase.io

[ei-grad]

openssl s_client output:

→ openssl s_client -connect api-0.core.keybaseapi.com:443
Connecting to 54.145.238.238
CONNECTED(00000003)
depth=0 CN=api-0.core.keybaseapi.com, O=Keybase, OU=Keybase LLC, L=NYC, ST=NY, C=US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=api-0.core.keybaseapi.com, O=Keybase, OU=Keybase LLC, L=NYC, ST=NY, C=US
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=api-0.core.keybaseapi.com, O=Keybase, OU=Keybase LLC, L=NYC, ST=NY, C=US
verify return:1
---
Certificate chain
 0 s:CN=api-0.core.keybaseapi.com, O=Keybase, OU=Keybase LLC, L=NYC, ST=NY, C=US
   i:C=US, ST=NY, L=New York, O=Keybase LLC, OU=Cert Authority, CN=keybase.io/[email protected]
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 31 20:08:16 2023 GMT; NotAfter: Dec 30 20:08:16 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGFDCCA/ygAwIBAgIJAM4AZ8iVxn2RMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCTlkxETAPBgNVBAcTCE5ldyBZb3JrMRQwEgYDVQQK
EwtLZXliYXNlIExMQzEXMBUGA1UECxMOQ2VydCBBdXRob3JpdHkxLjAsBgNVBAMM
JWtleWJhc2UuaW8vZW1haWxBZGRyZXNzPWNhQGtleWJhc2UuaW8wHhcNMjMxMjMx
MjAwODE2WhcNMjUxMjMwMjAwODE2WjB0MSIwIAYDVQQDDBlhcGktMC5jb3JlLmtl
eWJhc2VhcGkuY29tMRAwDgYDVQQKDAdLZXliYXNlMRQwEgYDVQQLDAtLZXliYXNl
IExMQzEMMAoGA1UEBwwDTllDMQswCQYDVQQIDAJOWTELMAkGA1UEBhMCVVMwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDP5uDo2JaytTeaCwYgBaMbG4YA
uxFsC9MLuIbIaVHskZlnZUuITpYGckn+PsHNLyfsqoLVn1iDGcb+UK9fE5ze/wpN
KB3wAtj6jXhIaE6wyfzGANwKdoADA2V1b2YIOZHA9lsN2k8m0cQI5wDuo/oLrHqB
SY6+oqFCKlqESEz9PeAUgcsYZNJbNSU4dcAZiwTa46c3q4IkIS79MklRrnL7S0tv
gR9cexwB5lNkZ8pFRymc1lR1IWJvHbDPRlCaQXCYNUwFhuXr7h+3ptV6VDS9xfAA
TYAJBJPcax+OPc2Aw/UZEWgUlTf8+u0U7t3Gucvdn4btbfm6IIW2TICKFnrPAgMB
AAGjggGOMIIBijAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAdBgNVHQ4E
FgQUxMKTPloZy+BuVrxjVxKZTC63zeYwgcEGA1UdIwSBuTCBtoAURqpATOw1gVVr
zlqqFKbkfaKXvwqhgZKkgY8wgYwxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOWTER
MA8GA1UEBxMITmV3IFlvcmsxFDASBgNVBAoTC0tleWJhc2UgTExDMRcwFQYDVQQL
Ew5DZXJ0IEF1dGhvcml0eTEuMCwGA1UEAwwla2V5YmFzZS5pby9lbWFpbEFkZHJl
c3M9Y2FAa2V5YmFzZS5pb4IJAPzhpcIBaOeNMA4GA1UdDwEB/wQEAwIFoDATBgNV
HSUEDDAKBggrBgEFBQcDATBiBgNVHREEWzBZghlhcGktMC5jb3JlLmtleWJhc2Vh
cGkuY29tghlhcGktMS5jb3JlLmtleWJhc2VhcGkuY29tghEqLnByb2Qua2ItYXdz
Lm5ldIIOYXBpLmtleWJhc2UuaW8wDQYJKoZIhvcNAQELBQADggIBAGVacz1nBIua
/mXeQN4xD6/VB97/y/QKiZ177ehDL4S/iqCIIcvLetdr4dG+L/35RvP0jTMmHZgy
jjVFJMOmBV9zmFyDYXRQQT1M9E3G4QBP1dAs3Sr6RsEFLJPH5jk0M1Ko+qy8JmHJ
Y6NtuwPivmVMfMJzEATUH2nS9N4AbEjHB0ZE2MOOft3n7Ok/kEtyiHtrc9poZeMF
ILeKVF7ARmcDxlzVmWGjFt5gc1vTweVkhwA/Ix66sJ11HPcjVIeh7wzKnGpS7Tdy
vvWVxUFRpryd1U03B9v5O0nLPviyBH3z6V//9ECUwbFTyXLF+ZI38SN7eRGe+Uqq
3VSmiUahvqMcc/+o9idPRz3KtzCE/UTX9vdZtDiJr52L+RQXC1gA18aumIRAeNak
DTHH8WZszIGw1qw2QdXDWjTv90f53dNmFusy83cOePmz9N0mugYOHIgieN7vENP5
p18t1yx90coq1qaNAImgQIc6bgBV2vuuE/9ZBIbiVqinFexJrf/IqNQrVKd1ge8l
rlL1+luhmHPkFUMxXs9UPpeLULmvmDw5MIK5ks5p+eESDbY4rKTnMhtBIpMpeJ/7
ID71iZBTT9e714HW4dQXz+n1w9+tTbNcD0AKJ4s8zeGmP0SZhbhaSV8FR1Tf6RVe
p6OTJILYsE8lqZBxuQ1yaL7s+DGCnqAJ
-----END CERTIFICATE-----
subject=CN=api-0.core.keybaseapi.com, O=Keybase, OU=Keybase LLC, L=NYC, ST=NY, C=US
issuer=C=US, ST=NY, L=New York, O=Keybase LLC, OU=Cert Authority, CN=keybase.io/[email protected]
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2120 bytes and written 413 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---

[ei-grad]

Oh. Client must be updated to the latest version :-/.

keybase/keybase-issues#4219 (comment):

You'll need to wait until v6.2.4 is available for download. Versions prior to this will never work again.

Need to wait for https://gitlab.archlinux.org/archlinux/packaging/packages/keybase/-/issues/1 :-(.