x509: certificate signed by unknown authority #26779

Open
silence48 opened this issue Apr 23, 2024 · 1 comment

@silence48

Keybase GUI Version: 6.2.8-20240305123615+5381dd5b22

@kg4zow

kg4zow commented Apr 30, 2024

The actual certificate for api-0.core.keybaseapi.com is issued by a Keybase CA. Normal clients (browsers, curl, wget, etc.) won't "trust" the certificate, but the Keybase client itself will trust it, because it has the CA certificate built in.

If you're seeing this message, the most likely reason is that something is trying to "inspect" the contents of your network traffic. The Keybase client can tell that this is happening (because the certificate it receives isn't issued by Keybase), and is refusing to use the connection.

You can check this by trying to manually connect to the server, and inspecting the certificate it answers with.

```
$ echo Q | openssl s_client -showcerts -connect api-0.core.keybaseapi.com:443 | openssl x509 -noout -serial -subject -issuer -dates
Warning: Reading certificate from stdin since no -in or -new option is given
Connecting to 54.145.165.108
...
DONE
serial=CE0067C895C67D91
subject=CN=api-0.core.keybaseapi.com, O=Keybase, OU=Keybase LLC, L=NYC, ST=NY, C=US
issuer=C=US, ST=NY, L=New York, O=Keybase LLC, OU=Cert Authority, CN=keybase.io/emailAddress=ca@keybase.io
notBefore=Dec 31 20:08:16 2023 GMT
notAfter=Dec 30 20:08:16 2025 GMT
```

You should see the same values below the DONE line. If not, then your computer is receiving a different certificate than the one my computers all receive. In particular, if the issuer= line isn't on the list built into the Keybase client, it will refuse to talk to whatever it connected to (i.e. the corporate firewall).

If this happens, your only choices are to see if you can get the corporate networking guys to not perform "SSL inspection" on the keybaseapi.com domain ... or just don't use Keybase while you're connected to their network.
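The behaviour described in the comment above, as an added example that is not part of the original issue and is not Keybase's own code: a Go client that trusts only a built-in CA accepts a leaf issued by that CA and rejects the same hostname re-signed by an inspection proxy, with the error from the issue title. Both CAs, their names and all keys are constructed at run time, and `must`, `issue` and `connect` are hypothetical helper names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key or certificate generation failed; nothing to demonstrate
	}
	return v
}

// issue makes a constructed test certificate: a self-signed CA when signer is nil, else a leaf.
func issue(name string, signer *x509.Certificate, signerKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{name},
	}
	if signer == nil { // no issuer given: mark as CA and sign with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// connect verifies the leaf a client would receive for host, directly or through an inspection proxy.
func connect(host string, intercepted bool) error {
	ca, caKey := issue("constructed-builtin-ca.invalid", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the only trust anchor: with Roots set, the OS trust store is not consulted
	if intercepted {
		ca, caKey = issue("constructed-proxy-ca.invalid", nil, nil) // proxy re-signs with its own CA
	}
	leaf, _ := issue(host, ca, caKey)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	fmt.Println(connect("api-0.core.keybaseapi.com", false), "|", connect("api-0.core.keybaseapi.com", true))
}
```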
