[GH-ISSUE #1064] SSL Error when using Dell ECS #584

Closed
opened 2026-03-04 01:46:57 +03:00 by kerem · 4 comments

Originally created by @jheiselman on GitHub (Jul 2, 2019).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/1064

Version of s3fs being used (s3fs --version)

Amazon Simple Storage Service File System V1.82(commit:unknown) with GnuTLS(gcrypt)

Version of fuse being used (pkg-config --modversion fuse, rpm -qi fuse, dpkg -s fuse)

2.9.7-1ubuntu1

Kernel information (uname -r)

4.15.0-54-generic

GNU/Linux Distribution, if applicable (cat /etc/os-release)

NAME="Ubuntu"
VERSION="18.04.2 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.2 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

s3fs command line used, if applicable

```
s3fs -d rhwebteam-win_sw /mnt/s3/rhwebteam-win_sw -o passwd_file=/home/RAINHAIL/heiselmanjx/.passwd-s3fs,url=https://rhecs.rainhail.com:9021/,no_check_certificate,use_path_request_style -f -o curldbg
```

/etc/fstab entry, if applicable

NA

s3fs syslog messages (grep s3fs /var/log/syslog, journalctl | grep s3fs, or s3fs outputs)

If you execute s3fs with the dbglevel and curldbg options, you can get detailed debug messages.

```
[CRT] s3fs.cpp:set_s3fs_log_level(257): change debug level from [CRT] to [INF] 
[INF]     s3fs.cpp:set_mountpoint_attribute(4193): PROC(uid=0, gid=0) - MountPoint(uid=0, gid=0, mode=40755)
[CRT] s3fs.cpp:s3fs_init(3378): init v1.82(commit:unknown) with GnuTLS(gcrypt)
[INF] s3fs.cpp:s3fs_check_service(3754): check services.
[INF]       curl.cpp:CheckBucket(2914): check a bucket.
[INF]       curl.cpp:prepare_url(4205): URL is https://rhecs.rainhail.com:9021/rhwebteam-win_sw/
[INF]       curl.cpp:prepare_url(4237): URL changed is https://rhecs.rainhail.com:9021/rhwebteam-win_sw/
[INF]       curl.cpp:insertV4Headers(2267): computing signature [GET] [/] [] []
[INF]       curl.cpp:url_to_host(100): url is https://rhecs.rainhail.com:9021
*   Trying 172.24.8.122...
* TCP_NODELAY set
* Connected to rhecs.rainhail.com (172.24.8.122) port 9021 (#0)
* found 139 certificates in /etc/ssl/certs/ca-certificates.crt
* found 420 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / RSA_AES_256_GCM_SHA384
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
* SSL: certificate subject name (DataService) does not match target host name 'rhecs.rainhail.com'
* stopped the pause stream!
* Closing connection 0
[ERR] curl.cpp:RequestPerform(2078): ###curlCode: 51  msg: SSL peer certificate or SSH remote key was not OK
[ERR] curl.cpp:CheckBucket(2953): Check bucket failed, S3 response: 
[CRT] s3fs.cpp:s3fs_check_service(3820): unable to connect(host=https://rhecs.rainhail.com:9021) - result of checking service.
[ERR] s3fs.cpp:s3fs_exit_fuseloop(3368): Exiting FUSE event loop due to errors

[INF] s3fs.cpp:s3fs_destroy(3441): destroy
[WAN] s3fs.cpp:s3fs_destroy(3445): Could not release curl library.
```

Details about issue

We have a Dell EMC ECS Appliance. Accessing the appliance from other tools works fine; however, using s3fs fails when it compares the SSL Certificate Name against the host name, despite using the no_check_certificate option.

kerem closed this issue 2026-03-04 01:46:57 +03:00

@jheiselman commented on GitHub (Jul 2, 2019):

Just compiled from tag 1.85 and retested:

Version of s3fs being used (s3fs --version)

Amazon Simple Storage Service File System V1.85(commit:unknown) with OpenSSL

Version of fuse being used (dpkg -s fuse)

2.9.7-1ubuntu1

Kernel information (uname -r)

4.15.0-54-generic

s3fs command being used

```
s3fs -d rhwebteam-win_sw /mnt/s3/rhwebteam-win_sw -o passwd_file=/home/RAINHAIL/heiselmanjx/.passwd-s3fs,url=https://rhecs.rainhail.com:9021/,no_check_certificate,use_path_request_style -f -o curldbg
```

Output from above command

```
[CRT] s3fs.cpp:set_s3fs_log_level(296): change debug level from [CRT] to [INF] 
[INF]     s3fs.cpp:set_mountpoint_attribute(4333): PROC(uid=50000, gid=50004) - MountPoint(uid=50000, gid=50004, mode=40755)
[INF] s3fs.cpp:s3fs_init(3450): init v1.85(commit:unknown) with OpenSSL
[INF] s3fs.cpp:s3fs_check_service(3794): check services.
[INF]       curl.cpp:CheckBucket(3250): check a bucket.
[INF]       curl.cpp:prepare_url(4504): URL is https://rhecs.rainhail.com:9021/rhwebteam-linux_sw/
[INF]       curl.cpp:prepare_url(4536): URL changed is https://rhecs.rainhail.com:9021/rhwebteam-linux_sw/
[INF]       curl.cpp:insertV4Headers(2587): computing signature [GET] [/] [] []
[INF]       curl.cpp:url_to_host(102): url is https://rhecs.rainhail.com:9021
*   Trying 172.24.8.120...
* TCP_NODELAY set
* Connected to rhecs.rainhail.com (172.24.8.120) port 9021 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=DataService
*  start date: Apr  3 18:49:49 2019 GMT
*  expire date: Mar 31 18:49:49 2029 GMT
*  subjectAltName does not match rhecs.rainhail.com
* SSL: no alternative certificate subject name matches target host name 'rhecs.rainhail.com'
* stopped the pause stream!
* Closing connection 0
[ERR] curl.cpp:RequestPerform(2376): ###curlCode: 51  msg: SSL peer certificate or SSH remote key was not OK
[ERR] curl.cpp:CheckBucket(3278): Check bucket failed, S3 response: 
[CRT] s3fs.cpp:s3fs_check_service(3874): unable to connect(host=https://rhecs.rainhail.com:9021) - result of checking service.
[INF] curl.cpp:ReturnHandler(316): Pool full: destroy the oldest handler
[ERR] s3fs.cpp:s3fs_exit_fuseloop(3440): Exiting FUSE event loop due to errors
```

@gaul commented on GitHub (Jul 2, 2019):

Could you try setting -o ssl_verify_hostname=0? Unfortunately this is not documented and I will submit a pull request to address it.
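
Added example, not part of the original thread or of s3fs: both logs above fail on the hostname comparison, which curl reports separately from certificate chain verification, and that is why `no_check_certificate` alone did not help. The sketch below triages curl debug output into those two checks; the sample lines are constructed from the logs in this issue, and the function names `triage` and `remaining_check` are hypothetical.

```python
import re

# Constructed sample: curl debug lines modelled on the two logs in this thread.
GNUTLS_LOG = """\
* Connected to rhecs.rainhail.com (172.24.8.122) port 9021 (#0)
* SSL connection using TLS1.2 / RSA_AES_256_GCM_SHA384
*        server certificate verification SKIPPED
* SSL: certificate subject name (DataService) does not match target host name 'rhecs.rainhail.com'
* Closing connection 0
"""
OPENSSL_LOG = """\
* Server certificate:
*  subject: CN=DataService
*  subjectAltName does not match rhecs.rainhail.com
* SSL: no alternative certificate subject name matches target host name 'rhecs.rainhail.com'
"""

# Hostname failure as worded by GnuTLS-built and OpenSSL-built curl in the logs above.
HOST_FAIL = re.compile(r"SSL: .*(?:does not match|matches) target host name '([^']+)'")
SUBJECT = re.compile(r"subject name \(([^)]+)\)|subject: CN=(\S+)")


def triage(curl_debug: str) -> dict:
    """Report the chain check and the hostname check separately."""
    result = {"chain": "not reported", "hostname": "not reported",
              "host": None, "cert_name": None}
    for line in curl_debug.splitlines():
        if "server certificate verification SKIPPED" in line:
            result["chain"] = "skipped"          # effect of no_check_certificate
        m = SUBJECT.search(line)
        if m:
            result["cert_name"] = m.group(1) or m.group(2)
        m = HOST_FAIL.search(line)
        if m:
            result["hostname"] = "mismatch"      # still enforced in both logs
            result["host"] = m.group(1)
    return result


def remaining_check(result: dict) -> str:
    """Name the check that still rejected the connection, if any."""
    if result["hostname"] == "mismatch":
        return "hostname"   # governed by ssl_verify_hostname, not no_check_certificate
    return "none"


if __name__ == "__main__":
    for log in (GNUTLS_LOG, OPENSSL_LOG):
        print(triage(log), remaining_check(triage(log)))
```

With both checks off, the TLS session authenticates nothing about the server. Reissuing the appliance certificate with a subjectAltName for the mount host lets both stay on.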


@jheiselman commented on GitHub (Jul 2, 2019):

That did indeed work for me. Thank you @gaul !


@JossWhittle commented on GitHub (May 9, 2022):

This also solved my issue when connecting to a Ceph s3 cluster. Not sure if Ceph s3 causes this in general, but there's a keyword in case someone else tries to search for this.

Can this information be added to the FAQ? https://github.com/s3fs-fuse/s3fs-fuse/wiki/FAQ

It took quite a bit of searching in the issues tab with different parts of the log output until I found this thread.
