[GH-ISSUE #626] no_check_certificate seems to have no effect #360

Closed
opened 2026-03-04 01:44:44 +03:00 by kerem · 3 comments

Originally created by @djdevin on GitHub (Jul 28, 2017).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/626

We have a domain bucket in us-east-1.

Amazon's S3 wildcard only covers *.s3.amazonaws.com

Setting no_check_certificate seems to have no effect, the SSL is still rejected.

We can't use s3.amazonaws.com as the endpoint because it tells us "The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint."

```
# s3fs -o passwd_file=awskey,no_check_certificate,url=https://some.bucket.domain.s3.amazonaws.com,curldbg some.bucket.domain:/some/path s3mnt -f -d -d
[CRT] s3fs.cpp:set_s3fs_log_level(257): change debug level from [CRT] to [INF]
[INF]     s3fs.cpp:set_mountpoint_attribute(4182): PROC(uid=1000, gid=1000) - MountPoint(uid=1000, gid=1000, mode=40775)
FUSE library version: 2.9.0
nullpath_ok: 0
nopath: 0
utime_omit_ok: 0
unique: 1, opcode: INIT (26), nodeid: 0, insize: 56, pid: 0
INIT: 7.26
flags=0x001ffffb
max_readahead=0x00020000
[CRT] s3fs.cpp:s3fs_init(3367): init v1.82(commit:b1fe419) with OpenSSL
[INF] s3fs.cpp:s3fs_check_service(3743): check services.
[INF]       curl.cpp:CheckBucket(2914): check a bucket.
[INF]       curl.cpp:prepare_url(4205): URL is https://some.bucket.domain.s3.amazonaws.com/some.bucket.domain/some/path/
[INF]       curl.cpp:prepare_url(4237): URL changed is https://some.bucket.domain.some.bucket.domain.s3.amazonaws.com/some.bucket.domain/some/path/.s3.amazonaws.com/some.bucket.domain/some/path/
[INF]       curl.cpp:insertV4Headers(2267): computing signature [GET] [/some/path/] [] []
[INF]       curl.cpp:url_to_host(100): url is https://some.bucket.domain.s3.amazonaws.com
* About to connect() to some.bucket.domain.some.bucket.domain.s3.amazonaws.com port 443 (#0)
*   Trying 54.231.40.35...
* connected
* Connected to some.bucket.domain.some.bucket.domain.s3.amazonaws.com (54.231.40.35) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*        subject: C=US; ST=Washington; L=Seattle; O=Amazon.com Inc.; CN=*.s3.amazonaws.com
*        start date: 2016-07-29 00:00:00 GMT
*        expire date: 2017-11-29 12:00:00 GMT
*        subjectAltName does not match some.bucket.domain.some.bucket.domain.s3.amazonaws.com
* Closing connection #0
* SSL peer certificate or SSH remote key was not OK
[ERR] curl.cpp:RequestPerform(2078): ###curlCode: 51  msg: SSL peer certificate or SSH remote key was not OK
[ERR] curl.cpp:CheckBucket(2953): Check bucket failed, S3 response: 
[CRT] s3fs.cpp:s3fs_check_service(3809): unable to connect(host=https://some.bucket.domain.s3.amazonaws.com) - result of checking service.
[ERR] s3fs.cpp:s3fs_exit_fuseloop(3357): Exiting FUSE event loop due to errors

   INIT: 7.18
   flags=0x00000011
   max_readahead=0x00020000
   max_write=0x00020000
   max_background=0
   congestion_threshold=0
   unique: 1, success, outsize: 40
[INF] s3fs.cpp:s3fs_destroy(3430): destroy
[WAN] s3fs.cpp:s3fs_destroy(3434): Could not release curl library.
```
kerem closed this issue 2026-03-04 01:44:44 +03:00

@ggtakec commented on GitHub (Sep 17, 2017):

@djdevin Does your bucket name include "."?
If so, you must specify the use_path_request_style option.
Please let me know if it is wrong.
Thanks in advance for your assistance.


@djdevin commented on GitHub (Nov 6, 2017):

It does, but it still does not appear to work. It seems impossible to mount a bucket with periods in the name. Same as #653

```
s3fs -o use_path_request_style backup.bucket.example.com s3mnt  -f -d -d
[CRT] s3fs.cpp:set_s3fs_log_level(258): change debug level from [CRT] to [INF]
[INF]     s3fs.cpp:set_mountpoint_attribute(4173): PROC(uid=0, gid=0) - MountPoint(uid=0, gid=0, mode=40755)
FUSE library version: 2.9.0
nullpath_ok: 0
nopath: 0
utime_omit_ok: 0
unique: 1, opcode: INIT (26), nodeid: 0, insize: 56, pid: 0
INIT: 7.26
flags=0x001ffffb
max_readahead=0x00020000
[INF] s3fs.cpp:s3fs_init(3358): init v1.82(commit:259f028) with OpenSSL
[INF] s3fs.cpp:s3fs_check_service(3734): check services.
[INF]       curl.cpp:CheckBucket(2943): check a bucket.
[INF]       curl.cpp:prepare_url(4128): URL is https://s3.amazonaws.com/backup.bucket.example.com/
[INF]       curl.cpp:prepare_url(4160): URL changed is https://s3.amazonaws.com/backup.bucket.example.com/
[INF]       curl.cpp:insertV4Headers(2326): computing signature [GET] [/] [] []
[INF]       curl.cpp:url_to_host(100): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(1969): HTTP response code 301
   INIT: 7.18
   flags=0x00000019
   max_readahead=0x00020000
   max_write=0x00020000
   max_background=0
   congestion_threshold=0
   unique: 1, success, outsize: 40
unique: 2, opcode: GETATTR (3), nodeid: 1, insize: 56, pid: 8510
getattr /
[INF] s3fs.cpp:s3fs_getattr(828): [path=/]
   unique: 2, success, outsize: 120
unique: 3, opcode: GETXATTR (22), nodeid: 1, insize: 65, pid: 8510
   unique: 3, error: -38 (Function not implemented), outsize: 16
unique: 4, opcode: GETATTR (3), nodeid: 1, insize: 56, pid: 8382
getattr /
[INF] s3fs.cpp:s3fs_getattr(828): [path=/]
   unique: 4, success, outsize: 120
unique: 5, opcode: ACCESS (34), nodeid: 1, insize: 48, pid: 8382
access / 01
[INF] s3fs.cpp:s3fs_access(3441): [path=/][mask=X_OK ]
   unique: 5, success, outsize: 16
unique: 6, opcode: OPENDIR (27), nodeid: 1, insize: 48, pid: 8511
opendir flags: 0x18800 /
[INF] s3fs.cpp:s3fs_opendir(2268): [path=/][flags=100352]
   opendir[0] flags: 0x18800 /
   unique: 6, success, outsize: 32
unique: 7, opcode: READDIR (28), nodeid: 1, insize: 80, pid: 8511
readdir[0] from 0
[INF] s3fs.cpp:s3fs_readdir(2419): [path=/]
[INF]   s3fs.cpp:list_bucket(2464): [path=/]
[INF]       curl.cpp:ListBucketRequest(2978): [tpath=/]
[INF]       curl.cpp:prepare_url(4128): URL is https://s3.amazonaws.com/backup.bucket.example.com?delimiter=/&max-keys=1000&prefix=
[INF]       curl.cpp:prepare_url(4160): URL changed is https://s3.amazonaws.com/backup.bucket.example.com/?delimiter=/&max-keys=1000&prefix=
[INF]       curl.cpp:insertV4Headers(2326): computing signature [GET] [/] [delimiter=/&max-keys=1000&prefix=] []
[INF]       curl.cpp:url_to_host(100): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(1969): HTTP response code 301
[ERR] s3fs.cpp:get_base_exp(2732): marker_xp->nodesetval is empty.
[WAN] s3fs.cpp:append_objects_from_xml_ex(2562): contents_xp->nodesetval is empty.
[WAN] s3fs.cpp:append_objects_from_xml_ex(2562): contents_xp->nodesetval is empty.
[ERR] s3fs.cpp:get_base_exp(2732): marker_xp->nodesetval is empty.
   unique: 7, success, outsize: 80
unique: 8, opcode: GETATTR (3), nodeid: 1, insize: 56, pid: 8511
getattr /
[INF] s3fs.cpp:s3fs_getattr(828): [path=/]
   unique: 8, success, outsize: 120
unique: 9, opcode: READDIR (28), nodeid: 1, insize: 80, pid: 8511
   unique: 9, success, outsize: 16
unique: 10, opcode: RELEASEDIR (29), nodeid: 1, insize: 64, pid: 0
   unique: 10, success, outsize: 16
```

The 301's are returning this: "The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint."

The endpoint should be "endpoint=backup.bucket.example.com.s3.amazonaws.com"

But if you change to that endpoint, you get:

```
[ERR] curl.cpp:RequestPerform(2107): ###curlCode: 51  msg: SSL peer certificate or SSH remote key was not OK
```

Even if "no_check_certificate" is set.


@ggtakec commented on GitHub (Mar 29, 2019):

We kept this issue open for a long time.
Please try again with the latest version and you can see https://github.com/s3fs-fuse/s3fs-fuse/wiki/FAQ#q-https-connecting-failed-if-bucket-name-includes-dot- .

I will close this, but if the problem persists, please reopen or post a new issue.
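
The hostname mismatch in the curl debug output above can be reproduced offline. This is an added example, not part of the thread and not s3fs code: a simplified left-most-label wildcard match applied to the bucket names from the logs. The certificate name `*.s3.amazonaws.com` is taken from the log; `s3.amazonaws.com` as a second certificate name is an assumption, and `wildcard_match`, `request_host` and `check_bucket` are hypothetical helper names.

```python
# Constructed illustration: why a bucket name containing dots fails TLS
# hostname verification in virtual-hosted style but not in path style.
# Simplified matching: '*' is accepted only as the whole left-most label
# and stands for exactly one label (real verifiers apply further rules).

S3_ENDPOINT = "s3.amazonaws.com"
# First name is the CN shown in the curl debug output; the second is assumed.
CERT_NAMES = ("*.s3.amazonaws.com", "s3.amazonaws.com")


def wildcard_match(pattern: str, hostname: str) -> bool:
    """Return True if hostname matches pattern label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # A wildcard never spans more than one label, so extra dots fail here.
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def request_host(bucket: str, path_style: bool, endpoint: str = S3_ENDPOINT) -> str:
    """Host the TLS client connects to for each addressing style."""
    return endpoint if path_style else f"{bucket}.{endpoint}"


def check_bucket(bucket: str, cert_names=CERT_NAMES) -> dict:
    """Map addressing style -> (host, does any certificate name match)."""
    result = {}
    for style, path_style in (("virtual-hosted", False), ("path", True)):
        host = request_host(bucket, path_style)
        ok = any(wildcard_match(name, host) for name in cert_names)
        result[style] = (host, ok)
    return result


if __name__ == "__main__":
    # Bucket names as they appear in the logs, plus a dot-free one for contrast.
    for bucket in ("some.bucket.domain", "backup.bucket.example.com", "mybucket"):
        for style, (host, ok) in check_bucket(bucket).items():
            print(f"{bucket:28} {style:15} {host:48} {'match' if ok else 'MISMATCH'}")
```
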
