[GH-ISSUE #2357] S3FS with Client Certificate on RHEL8 #1162

Closed
opened 2026-03-04 01:51:50 +03:00 by kerem · 8 comments

Originally created by @wil2business on GitHub (Oct 25, 2023).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/2357

************************ START OF #2425 DATA ******************************

Additional Information

Version of s3fs being used (s3fs --version)

V1.93 (commit:b97fd47) with OpenSSL

Version of fuse being used (pkg-config --modversion fuse, rpm -qi fuse or dpkg -s fuse)

2.9.7

Kernel information (uname -r)

4.18.0-513.18.1.el8_9.x86_64

GNU/Linux Distribution, if applicable (cat /etc/os-release)

Red Hat Enterprise Linux release 8.9 (Ootpa)

How to run s3fs, if applicable

[] command line

```
s3fs mybucket /path/to/mountpoint -o passwd_file=${HOME}/.passwd-s3fs -o url=<$URL> -o use_path_request_style
```

Details about issue

I am having a problem passing a client certificate to the server. My setup has an NGINX server with "ssl_verify_client on", requiring S3FS to read and submit a client certificate.
It would be equivalent to "curl --cert --cacert <cert_path> --key --cacert <key_path>--cacert <cert_path> ..." or setting up a .curlrc configuration file.

How do I achieve this functionality on RHEL8 machine?

************************ END OF #2425 DATA ******************************
I am trying to run s3fs version 1.93 included inside RHEL8 packages. This version was compiled with openssl.
I am having trouble connecting to an S3 bucket that requires a client certificate. I get an error message that the client certificate was not sent.

I am either using the wrong configuration for my system or s3fs version v1.93 cannot find my client certificate.
Can you please help me with a proper way to configure s3fs to use openssl/pkcs11?

Note: connection without requiring client certificate works well on an SSL enabled site.

Thank you

kerem closed this issue 2026-03-04 01:51:50 +03:00
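
A pre-flight check for the setup described in the report above, as an added example that is not part of the original issue or of s3fs: before pointing any client at an NGINX endpoint with `ssl_verify_client on`, it confirms offline that the private key belongs to the certificate and that the certificate validates as a TLS client certificate against the CA. The function names and file names are hypothetical, the PKI is constructed throwaway test data, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: offline pre-flight check for mutual-TLS client material.
# All function and file names are hypothetical; keys are assumed unencrypted.

# check_client_cert CERT KEY CA
#   0 = usable, 2 = unreadable input, 3 = key/cert mismatch, 4 = CA rejects cert
check_client_cert() {
    cert=$1; key=$2; ca=$3
    # Public key embedded in the certificate vs. public half of the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read certificate: $cert"; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot read private key: $key"; return 2; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not belong to certificate"; return 3; }
    # Approximates the server-side check: chain to the trusted CA, valid dates,
    # and extensions that allow use as a TLS client certificate.
    openssl verify -purpose sslclient -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "certificate not accepted for client auth by this CA"; return 4; }
    echo "ok: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Constructed throwaway PKI so the check can be exercised without real secrets.
make_test_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-s3fs-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" 2>/dev/null
}

# Stand-alone run against the constructed PKI.
tmp=$(mktemp -d) && make_test_pki "$tmp" &&
    check_client_cert "$tmp/client.crt" "$tmp/client.key" "$tmp/ca.crt"
```

If all three checks pass and the server still reports that no certificate was sent, the certificate material is consistent and the client is not presenting it during the handshake.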

@wil2business commented on GitHub (Mar 4, 2024):

no action


@ggtakec commented on GitHub (Mar 6, 2024):

@wil2business
Please tell us the version of s3fs you are using.
(`s3fs --version` will display the results.)

And did you build your s3fs yourself?
If you are trying to build on RHEL, try using the `--with-nss` option when running `configure` command.


@ggtakec commented on GitHub (Mar 6, 2024):

@wil2business
Is this issue the same as #2425?
If they are the same, please close #2425 and consolidate them into this issue.
Thanks in advance for your assistance.


@wil2business commented on GitHub (Mar 11, 2024):

@ggtakec
I consolidated this and issue #2425 because it is the same problem as this one.
I tried compiling with `--with-nss` but it did not work.

I created a `$HOME/.curlrc` file assuming that `s3fs curl code` would use it to read my cert paths but it didn't.

Is there a way to include the certificate path location in an s3fs command?


@ggtakec commented on GitHub (Mar 13, 2024):

@wil2business
(I'm concerned about not being able to build with --with-nss, but since the content is the same for OpenSSL, I'll omit it here. If that's what you need, you can separate the issue.)

Is it correct that what you want is for s3fs to access the server using a client certificate (e.g., PEM)?
Currently, s3fs does not implement loading a client certificate and using it to connect to the server.
(s3fs is not using libcurl CURLOPT_SSLCERT options)
Until now, a request like yours did not exist, so it has not been implemented.

But I think it is possible to consider implementation.
Is the reason you need this feature to verify the peer using the certificate when accessed on the server side?
(It would be helpful if you could explain how useful this feature is to you.)

Thanks for your help.


@ggtakec commented on GitHub (Mar 24, 2024):

@wil2business
I've posted PR code( #2436 ) that adds an option to specify the client certificate.
If you can use that code, I would appreciate it if you could test it.


@wil2business commented on GitHub (Apr 3, 2024):

@ggtakec
I tested PR code( #2436 ) and found the solution to work only in foreground mode.
It did not mount a directory without using a foreground option. Also, it did not generate any error message.
Thank you for working on this.


@ggtakec commented on GitHub (Apr 14, 2024):

@wil2business Thank you for checking.
I close this issue once PR #2436 has been merged.
If you still find the problem please reopen or post a new issue.
