Certificate error on ios clients

[kastork]

As of 1/2/2024 It looks like the certificate for the app's api has expired, or is otherwise invalid. Chats fail to send, and other app pages fail to load.

[dilyevsky]

We're getting this error too. The cert served by api.keybase.io appears to be self-signed:

openssl s_client -connect api.keybase.io:443 | openssl x509 -noout -text
Warning: Reading certificate from stdin since no -in or -new option is given
depth=1 C=US, ST=NY, L=New York, O=Keybase LLC, OU=Cert Authority, CN=keybase.io/[email protected]
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 C=US, ST=NY, L=New York, O=Keybase LLC, OU=Cert Authority, CN=keybase.io/[email protected]
verify return:1
depth=0 C=US, ST=NY, L=New York, O=Keybase LLC, CN=api.keybase.io
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4118 (0x1016)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=NY, L=New York, O=Keybase LLC, OU=Cert Authority, CN=keybase.io/[email protected]
        Validity
            Not Before: Jan  3 16:03:28 2024 GMT
            Not After : Jan  2 16:03:28 2028 GMT
        Subject: C=US, ST=NY, L=New York, O=Keybase LLC, CN=api.keybase.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:96:5a:05:24:72:d1:39:4b:44:ea:6d:d6:02:
                    44:35:28:e6:f4:66:20:d9:f2:40:87:42:14:5b:62:
                    6b:25:ad:67:c4:19:88:6c:25:f2:63:17:3d:1f:92:
                    15:00:64:e5:92:95:7c:32:6f:5a:e0:73:20:49:ae:
                    3f:cb:d3:97:bc:38:71:fc:d4:b0:7d:f3:4f:25:f7:
                    b6:9c:1e:75:d6:d6:89:f8:cd:24:a2:50:a6:60:d8:
                    a1:04:18:96:be:cf:17:5b:ef:db:ae:7e:12:f4:5a:
                    d6:6c:6b:b7:45:16:b1:30:a4:0c:a7:6d:84:39:97:
                    b0:2a:c0:2b:f2:36:68:99:9f:6d:95:c8:9e:ce:62:
                    24:f7:52:5c:9b:ec:fb:b5:7b:90:57:91:be:ca:47:
                    9c:bb:02:e3:93:96:07:88:20:a9:c4:28:45:17:ba:
                    73:20:12:00:f6:aa:d6:a2:d7:4d:3d:12:09:79:c9:
                    c3:0a:94:f4:fa:51:9d:ac:c5:d0:b0:91:04:cc:35:
                    77:aa:fa:7d:a5:dc:d0:b4:9c:bb:6e:ba:b9:d9:cf:
                    2a:b9:42:99:03:fe:b7:03:e2:8a:66:02:d1:bd:d3:
                    53:10:80:98:25:50:79:18:33:80:9e:ec:3e:fd:f9:
                    ce:df:95:09:b9:af:3d:fe:26:a5:62:b6:dc:36:97:
                    d9:79
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Subject Key Identifier:
                75:1B:01:5B:6B:76:32:EE:8A:6D:6A:9C:C2:DE:C9:77:12:2F:B3:19
            X509v3 Authority Key Identifier:
                keyid:46:AA:40:4C:EC:35:81:55:6B:CE:5A:AA:14:A6:E4:7D:A2:97:BF:0A
                DirName:/C=US/ST=NY/L=New York/O=Keybase LLC/OU=Cert Authority/CN=keybase.io\/[email protected]
                serial:FC:E1:A5:C2:01:68:E7:8D
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:api-0.core.keybaseapi.com, DNS:api-1.core.keybaseapi.com, DNS:*.prod.kb-aws.net, DNS:api.keybase.io
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        58:0c:9e:c0:17:8a:81:75:9f:87:9f:12:a9:33:bc:d5:b7:17:
        f9:f9:25:e7:bb:83:cd:20:04:4b:25:91:ac:73:92:5b:19:81:
        2a:3c:9c:cb:a7:60:ea:83:fa:31:1b:6e:31:a0:be:13:d5:be:
        6a:a1:ac:87:8d:fa:f4:6e:58:b1:13:6a:60:5f:fe:63:ec:f0:
        b0:ff:5d:24:bc:84:c8:b5:00:87:d7:04:db:03:63:b5:14:fe:
        31:e7:ed:b7:d8:50:c4:4a:a1:9b:f3:04:ed:2f:3a:bf:a0:af:
        48:9e:4a:c1:dd:ff:8f:8a:69:d3:4d:ae:6d:d9:06:3d:6d:d3:
        00:5c:88:62:e6:c2:a1:a7:64:98:33:5e:22:90:e2:4d:f8:c0:
        83:fa:1b:75:a9:38:36:52:4b:bd:39:d5:61:ed:f2:70:1e:3b:
        80:8d:64:f2:5a:0a:1f:58:4c:31:dc:44:4d:c1:6e:dc:1d:f7:
        32:69:53:a8:5c:0c:09:0c:fb:e7:eb:ce:b0:f4:fc:3e:1e:7a:
        41:8b:25:2d:38:9f:40:d6:3b:c5:77:87:2e:c3:96:dc:af:7a:
        e9:9e:3c:b4:45:8d:3f:90:ac:07:68:78:04:b4:41:23:44:79:
        8d:50:7c:a8:db:02:eb:76:ad:1b:ea:12:4e:24:4d:b0:f4:a6:
        97:a6:06:93:13:85:79:e2:a6:c3:49:6c:fd:00:dc:cc:bd:b7:
        af:40:44:97:0a:a2:83:90:68:91:c1:26:92:e5:e5:90:d9:8c:
        e8:02:1e:57:fc:14:90:0b:00:fb:b4:8f:25:21:35:6f:50:9f:
        de:1a:d4:6c:52:89:ae:b5:a7:9a:19:aa:5c:ad:f4:cb:9e:cb:
        40:7b:ee:9f:b1:a4:20:67:53:25:f1:5e:94:2d:a0:60:e9:f3:
        6b:aa:43:78:c2:4f:d8:64:49:e9:e0:a4:0d:bd:00:cc:64:f0:
        0c:01:7f:56:2d:75:77:7e:7b:41:37:69:ec:03:08:75:38:42:
        01:74:fc:02:ee:c1:67:3d:2b:b5:47:27:cf:91:26:91:36:38:
        25:cb:69:79:bc:df:64:d8:62:3f:0f:3c:47:68:a6:0e:3b:df:
        77:f6:6b:75:0a:f5:41:02:de:e0:f3:c7:31:e8:43:92:d0:94:
        24:c9:7c:bb:e6:2a:ef:32:cf:29:b6:b7:57:76:22:f1:ba:1e:
        13:1c:19:ea:32:71:19:18:ca:7b:15:f2:96:d4:08:0d:e4:c0:
        61:a7:f9:46:3f:1f:47:16:0b:f4:05:d8:e8:be:17:c1:b3:f1:
        d0:97:14:1a:60:28:fe:1d:24:7e:7c:df:98:83:f2:39:63:ee:
        cf:79:7e:69:c5:2f:aa:00

[dilyevsky]

Actually it might be by design and they are not using public CA infra. So needs a client upgrade %)

[buuggyy]

Yes, and attempts to send a bug report from the CLI throws this error: ERROR API network error: Post "https://api-0.core.keybaseapi.com/_/api/1.0/logdump/send.json": x509: certificate signed by unknown authority

[buuggyy]

Deleting the app and reinstalling from here did work, but that's not exactly how updates are supposed to work.
https://keybase.io/docs/the_app/install_macos