Open kornelski opened 9 years ago
λ curl -i https://pornel.net/.well-known/keybase.txt
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
λ wget https://pornel.net/.well-known/keybase.txt
--20:55:29-- https://pornel.net/.well-known/keybase.txt
=> `keybase.txt'
Resolving pornel.net... done.
Connecting to pornel.net[5.35.241.234]:443... connected.
Unable to establish SSL connection.
I can't exactly say for sure what the issue is, but I'd wager it might have something to do with your SSL certificate or server settings pertaining to request handling.
EDIT: Maybe bundle your intermediate certificate in your certchain.
Valid: No (The issuer certificate of a locally looked up certificate could not be found. This normally means the web server did not return the intermediate certificates.)
Thanks @zQueal that was due to the cert indeed. I still wish keybase.io reported that explicitly, so I'm going to leave this issue open.
Glad that worked out for you.
I agree, though. The majority of the Keybase error codes and returns are pretty vague. But the devs are actively working on them. So that's good.
I have what might be the same issue - I changed my certificate and it broke. It previously worked fine - is it possible to check what I need to do to fix it? Using 'curl -i' it looks like the certs are being served correctly, but I'm not sure.
Address in question is: https://danielsmith.eu/.well-known/keybase.txt
Same issue here — https://chekalskiy.ru/keybase.txt
I changed the certificate on my website yesterday and I got the email this morning too, telling me that my web proof just broke, but it's really fine there: https://dsthode.info/keybase.txt
To add some more info, I changed certs from StartCom to Let's Encrypt and also I bundled the cert and the chain in the same file, serving it with the SSLCertificateFile directive in Apache (with StartCom I served the certificate with this directive and the chain with the SSLCertificateChainFile directive)
@danielsmith-eu your site looks completely down to me.
@chekalskiy looks fine now :)
@dsthode Looks like your server is not serving a full certificate chain. It looks ok with browsers because they have CAs bundled. SSL labs is a good test for this: https://www.ssllabs.com/ssltest/analyze.html?d=dsthode.info&hideResults=on&latest Try to get rid of "Chain issues: Incomplete" there.
@mlsteele Ok, set SSLCertificateChainFile and SSLCertificateFile directives in Apache configuration, the SSL Labs warning disappeared and Keybase recognized my web proof. Thanks!
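The incomplete-chain failure diagnosed in this thread can be reproduced offline. This is an added example, not part of any comment here and not Keybase's code: it builds a constructed root, intermediate and leaf (all names and file names are made up) and verifies the leaf as a client that trusts only the root, first without and then with the intermediate the server should have sent.

```shell
# Constructed three-tier chain: root -> intermediate -> leaf, in a temp dir.
# Certificate names and file names are invented for this demonstration.
build_chain() {
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" &&
    # Extensions that mark a certificate as a CA (needed for root and intermediate).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext &&
    for n in root int leaf; do
      openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
        -out "$n.csr" -subj "/CN=Example $n" || exit 1
    done &&
    # Self-signed root: the only certificate the client trusts.
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 30 -out root.pem &&
    # Intermediate signed by the root; clients do NOT ship this one.
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
      -CAcreateserial -extfile ca.ext -days 30 -out int.pem &&
    # Leaf (the site certificate) signed by the intermediate.
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key \
      -CAcreateserial -days 30 -out leaf.pem
  ) >/dev/null 2>&1 || return 1
  echo "$dir"
}

# Verify the leaf as a strict client: trust root.pem only, plus whatever
# extra certificates the server sent ($2, empty when it sent only the leaf).
client_verify() {
  dir=$1; served=$2
  if [ -n "$served" ]; then
    openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/$served" \
      "$dir/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$dir/root.pem" "$dir/leaf.pem" 2>&1
  fi
}

d=$(build_chain) && {
  echo "== server sends leaf only =="
  client_verify "$d" "" || true      # same error text curl printed above
  echo "== server sends leaf + intermediate =="
  client_verify "$d" int.pem || true
}
```

The leaf-only case fails with the same "unable to get local issuer certificate" text that curl printed in this thread, which is why a site can look fine in a browser and still fail for a client that only has root CAs.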
I've got an alert that my "proof just broke", but keybase isn't telling me what exactly is broken about it.
It'd be good if you could specify exactly where the proof failed for you.
It looks fine to me: https://pornel.net/.well-known/keybase.txt so the information that it "just broke" is not enough for me to fix the issue.