[GH-ISSUE #674] SSL_ERROR_BAD_CERT_DOMAIN #383

Closed
opened 2026-03-04 01:45:01 +03:00 by kerem · 7 comments
Originally created by @krab-skunk on GitHub (Nov 16, 2017).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/674

Additional Information

The following information is very important in order to help us to help you. Omission of the following details may delay your support request or receive no attention at all.

  • Version of s3fs being used (s3fs --version)

    example: V1.82(commit:259f028) with OpenSSL

  • Version of fuse being used (pkg-config --modversion fuse)

    example: 2.9.4

  • System information (uname -a)

    command result: Linux 4.9.58-18.55.amzn1.x86_64 #1 SMP Thu Nov 2 04:38:47 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

  • Distro (cat /etc/issue)

    command result: Amazon Linux AMI release 2017.09

  • s3fs command line used (if applicable)

s3fs my_bucket /mnt/s3_bucket -o iam_role=my_iam_role -d -d -f -o f2 -o curldbg
  • s3fs syslog messages (grep s3fs /var/log/syslog, or s3fs outputs)
    if you execute s3fs with dbglevel, curldbg option, you can get detail debug messages
[DBG] curl.cpp:ReturnHandler(306): Return handler to pool: 31
[INF]       curl.cpp:CheckBucket(2943): check a bucket.
[DBG] curl.cpp:GetHandler(283): Get handler from pool: 31
[INF]       curl.cpp:prepare_url(4128): URL is https://s3.amazonaws.com/my_bucket/
[INF]       curl.cpp:prepare_url(4160): URL changed is https://my_bucket.s3.amazonaws.com/
[INF]       curl.cpp:insertV4Headers(2326): computing signature [GET] [/] [] []
[INF]       curl.cpp:url_to_host(100): url is https://s3.amazonaws.com
[DBG] curl.cpp:RequestPerform(1952): connecting to URL https://my_bucket.s3.amazonaws.com/
*   Trying 52....
* TCP_NODELAY set
* Connected to my_bucket.s3.amazonaws.com (52.) port 443 (#1)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* 	subject: CN=*.s3.amazonaws.com,O=Amazon.com Inc.,L=Seattle,ST=Washington,C=US
* 	start date: Sep 22 00:00:00 2017 GMT
* 	expire date: Jan 03 12:00:00 2019 GMT
* 	common name: *.s3.amazonaws.com
* 	issuer: CN=DigiCert Baltimore CA-2 G2,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* stopped the pause stream!
* Closing connection 1
[ERR] curl.cpp:RequestPerform(2107): ###curlCode: 51  msg: SSL peer certificate or SSH remote key was not OK
[ERR] curl.cpp:CheckBucket(2971): Check bucket failed, S3 response:
[CRT] s3fs.cpp:s3fs_check_service(3800): unable to connect(host=https://s3.amazonaws.com) - result of checking service.
[DBG] curl.cpp:ReturnHandler(306): Return handler to pool: 31
[ERR] s3fs.cpp:s3fs_exit_fuseloop(3348): Exiting FUSE event loop due to errors

   INIT: 7.19
   flags=0x00000011
   max_readahead=0x00020000
   max_write=0x00020000
   max_background=0
   congestion_threshold=0
   unique: 1, success, outsize: 40
[INF] s3fs.cpp:s3fs_destroy(3421): destroy
[WAN] s3fs.cpp:s3fs_destroy(3425): Could not release curl library.

Details about issue

Basically, my EC2 instance gets an IAM role that lets it connect to S3.

aws s3 ls mybucket
lists the folders correctly.

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/my_iam_role
returns 200 along with the temporary access keys.

All I can see from those logs is this SSL cert error, but it's the latest AMI from Amazon and I believe their ca-bundle.crt must be up to date to go along with the S3 SSL certs.

Any help would be very much appreciated ;)

Thanks

kerem closed this issue 2026-03-04 01:45:01 +03:00

@sqlbot commented on GitHub (Nov 16, 2017):

@steve-heslouin you aren't showing it in your logs, because you've changed the bucket name, but it appears that your bucket name has a dot . in it, which prevents the wildcard cert on S3 from matching it... so it's not a case of an untrusted cert, but rather a certificate mismatch, as would be expected. Confirm that you have a dot in the bucket name?


@krab-skunk commented on GitHub (Nov 16, 2017):

Hi @sqlbot Indeed, my bucket name was of structure com.mycompany.prod.stuff. Nice catch! :) Just tried without dot inside and it worked fine! Thanks a ton for your precious help ;)


@vishal2232 commented on GitHub (Apr 22, 2018):

What if I have a bucket name with a dot? How do I mount my bucket?


@sqlbot commented on GitHub (Apr 22, 2018):

@vishal2232 -o use_path_request_style should enable you to access a bucket with dots in the bucket name without resorting to the insecure option -o no_check_certificate, which ignores the validation error and is not recommended.

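An added example (not s3fs code and not from any commenter) of the hostname check behind the error and the addressing choice that avoids it: a wildcard certificate name matches exactly one DNS label, so a dotted bucket such as com.mycompany.prod.stuff placed in front of s3.amazonaws.com can never match *.s3.amazonaws.com, while path-style addressing keeps the bucket name out of the hostname entirely. The endpoint and certificate name are taken from the log above; the URL builders mirror the virtual-hosted and path-style forms it shows.

```python
"""Wildcard certificate name matching vs. S3 bucket addressing (added example)."""
import re

S3_ENDPOINT = "s3.amazonaws.com"
S3_CERT_CN = "*.s3.amazonaws.com"  # common name shown in the curl debug output


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style check: '*' in the left-most label matches one DNS label
    and never a dot, so the label counts must be equal. Case-insensitive."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # the wildcard cannot absorb extra labels
    if "*" not in p_labels[0]:
        return p_labels == h_labels
    if p_labels[1:] != h_labels[1:]:
        return False
    first = re.escape(p_labels[0]).replace(r"\*", "[^.]*")
    return re.fullmatch(first, h_labels[0]) is not None


def virtual_hosted_url(bucket: str, key: str = "") -> str:
    # bucket becomes a hostname label: https://<bucket>.s3.amazonaws.com/<key>
    return f"https://{bucket}.{S3_ENDPOINT}/{key}"


def path_style_url(bucket: str, key: str = "") -> str:
    # bucket stays in the path: https://s3.amazonaws.com/<bucket>/<key>
    return f"https://{S3_ENDPOINT}/{bucket}/{key}"


def bucket_url(bucket: str, key: str = "", use_path_request_style: bool = False) -> str:
    """Choose the request form the way a careful client should: if the
    virtual-hosted hostname cannot satisfy the wildcard name, refuse rather
    than disable certificate checking (no_check_certificate)."""
    if use_path_request_style:
        return path_style_url(bucket, key)
    host = f"{bucket}.{S3_ENDPOINT}"
    if not wildcard_matches(S3_CERT_CN, host):
        raise ValueError(
            f"cannot mount bucket {bucket!r} with '.' over HTTPS "
            "without use_path_request_style"
        )
    return virtual_hosted_url(bucket, key)
```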

@knightXun commented on GitHub (Jul 16, 2019):

> @vishal2232 -o use_path_request_style should enable you to access a bucket with dots in the bucket name without resorting to the insecure option -o no_check_certificate, which ignores the validation error and is not recommended.

very nice


@gaul commented on GitHub (Nov 26, 2020):

s3fs now warns with:

s3fs: BUCKET gaul.with.dots -- cannot mount bucket with . while using HTTPS without use_path_request_style

@darzanebor commented on GitHub (Nov 7, 2021):

-o no_check_certificate not working =(((
