keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

"your web proof just broke" is too vague #1510

Open kornelski opened 9 years ago

kornelski commented 9 years ago

I've got an alert that my "proof just broke", but Keybase isn't telling me what exactly is broken about it.

It'd be good if you could specify exactly where the proof failed for you.

It looks fine to me: https://pornel.net/.well-known/keybase.txt, so the information that it "just broke" is not enough for me to fix the issue.

zQueal commented 9 years ago

λ curl -i https://pornel.net/.well-known/keybase.txt
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
λ wget https://pornel.net/.well-known/keybase.txt
--20:55:29--  https://pornel.net/.well-known/keybase.txt
           => `keybase.txt'
Resolving pornel.net... done.
Connecting to pornel.net[5.35.241.234]:443... connected.

Unable to establish SSL connection.

I can't exactly say for sure what the issue is, but I'd wager it might have something to do with your SSL certificate or server settings pertaining to request handling.

EDIT: Maybe bundle your intermediate certificate in your certchain.

Valid: No (The issuer certificate of a locally looked up certificate could not be found. This normally means the web server did not return the intermediate certificates.)

kornelski commented 9 years ago

Thanks @zQueal, that was due to the cert indeed. I still wish keybase.io reported that explicitly, so I'm going to leave this issue open.

zQueal commented 9 years ago

Glad that worked out for you.

I agree, though. The majority of the Keybase error codes and returns are pretty vague. But the devs are actively working on them. So that's good.

danielsmith-eu commented 9 years ago

I have what might be the same issue - I changed my certificate and it broke. It previously worked fine - is it possible to check what I need to do to fix it? Using 'curl -i' it looks like the certs are being served correctly, but I'm not sure.

Address in question is: https://danielsmith.eu/.well-known/keybase.txt

chekalsky commented 9 years ago

Same issue here — https://chekalskiy.ru/keybase.txt

dsthode commented 7 years ago

I changed the certificate on my website yesterday and got the email this morning too, telling me that my web proof just broke, but it's really fine there: https://dsthode.info/keybase.txt

To add some more info, I changed certs from StartCom to Let's Encrypt and I also bundled the cert and the chain in the same file, serving it with the SSLCertificateFile directive in Apache (with StartCom I served the certificate with this directive and the chain with the SSLCertificateChainFile directive).

mlsteele commented 7 years ago

@danielsmith-eu your site looks completely down to me.

@chekalskiy looks fine now :)

@dsthode Looks like your server is not serving a full certificate chain. It looks OK with browsers because they have CAs bundled. SSL Labs is a good test for this: https://www.ssllabs.com/ssltest/analyze.html?d=dsthode.info&hideResults=on&latest Try to get rid of "Chain issues: Incomplete" there.

dsthode commented 7 years ago

@mlsteele Ok, set SSLCertificateChainFile and SSLCertificateFile directives in Apache configuration, the SSL Labs warning disappeared and Keybase recognized my web proof. Thanks!
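
The incomplete-chain failure diagnosed in this thread can be reproduced offline. The script below is an added example, not part of the thread or of Keybase's code: it builds a throwaway root, intermediate and leaf with the `openssl` CLI, then verifies what a server would send with and without the intermediate. All certificate names and file names are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: reproduce an incomplete-chain failure offline with a throwaway PKI.
# Every name here (demo-root, demo-intermediate, example.test) is constructed.

# issue NAME SIGNER EXTENSIONS: make a key and CSR for NAME, then sign it.
# SIGNER is another NAME, or "self" for the self-signed root.
issue() {
  local name="$1" signer="$2"
  printf '%s\n' "$3" > "$name.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null || return 1
  if [ "$signer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" \
      -extfile "$name.ext" -days 2 -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$signer.pem" -CAkey "$signer.key" \
      -CAcreateserial -extfile "$name.ext" -days 2 -out "$name.pem" 2>/dev/null
  fi
}

# Build root -> intermediate -> leaf in the current directory, plus the two
# files a server could be configured to send.
build_demo_pki() {
  issue demo-root self 'basicConstraints=critical,CA:TRUE' &&
  issue demo-intermediate demo-root 'basicConstraints=critical,CA:TRUE' &&
  issue example.test demo-intermediate 'basicConstraints=CA:FALSE' &&
  cp example.test.pem served-leaf-only.pem &&
  cat example.test.pem demo-intermediate.pem > served-full-chain.pem
}

# Verify like a client that trusts only the root and has no cached
# intermediates: the first cert in the file is the leaf, and any further
# certs are the intermediates the server chose to send.
verify_served() {
  openssl verify -CAfile demo-root.pem -untrusted "$1" "$1" 2>&1 | grep -q ': OK$'
}

work=$(mktemp -d) && cd "$work" && build_demo_pki || exit 1
for served in served-leaf-only.pem served-full-chain.pem; do
  if verify_served "$served"; then echo "$served: chain verifies"
  else echo "$served: FAILS, issuer of the leaf cannot be found"; fi
done
```

The leaf-only file fails and the leaf-plus-intermediate file verifies, which is the difference between the broken and fixed server configurations described above.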