[GH-ISSUE #1486] -o no_check_certificate reports certificate errors and then fails #783

Closed
opened 2026-03-04 01:48:45 +03:00 by kerem · 8 comments

Originally created by @NixTheMan on GitHub (Dec 2, 2020).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/1486

Additional Information

The following information is very important in order to help us to help you. Omission of the following details may delay your support request or receive no attention at all.
Keep in mind that the commands we provide to retrieve information are oriented to GNU/Linux Distributions, so you could need to use others if you use s3fs on macOS or BSD

Version of s3fs being used (s3fs --version)

example: 1.00

Version of fuse being used (pkg-config --modversion fuse, rpm -qi fuse, dpkg -s fuse)

example: 2.9.4

Kernel information (uname -r)

command result: uname -r

GNU/Linux Distribution, if applicable (cat /etc/os-release)

command result: cat /etc/os-release

s3fs command line used, if applicable

/etc/fstab entry, if applicable

s3fs syslog messages (grep s3fs /var/log/syslog, journalctl | grep s3fs, or s3fs outputs)

if you execute s3fs with dbglevel, curldbg option, you can get detail debug messages

Details about issue

s3fs --version
Amazon Simple Storage Service File System V1.82

dpkg -s fuse
Version: 2.9.7-1ubuntu1

cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic


passing -o no_check_certificate still reports and then fails on certificate errors:

```
s3fs <bucket> <mount_point> -o passwd_file=${HOME}/.passwd-s3fs -o url=https://<minio_server> -o no_check_certificate -o use_path_request_style -o dbglevel=info -o curldbg
```

```
[CRT] s3fs.cpp:set_s3fs_log_level(257): change debug level from [CRT] to [INF]
[INF] s3fs.cpp:set_mountpoint_attribute(4193): PROC(uid=1000, gid=1000) - MountPoint(uid=1000, gid=1000, mode=40775)
[CRT] s3fs.cpp:s3fs_init(3378): init v1.82(commit:unknown) with GnuTLS(gcrypt)
[INF] s3fs.cpp:s3fs_check_service(3754): check services.
[INF] curl.cpp:CheckBucket(2914): check a bucket.
[INF] curl.cpp:prepare_url(4205): URL is https://<minio_server>/<bucket>
[INF] curl.cpp:prepare_url(4237): URL changed is https://<minio_server>/<bucket>
[INF] curl.cpp:insertV4Headers(2267): computing signature [GET] [/] [] []
[INF] curl.cpp:url_to_host(100): url is https://<minio_server>
* Trying XXX.XXX.XXX.XXX...
* TCP_NODELAY set
* Connected to <minio_server> (XXX.XXX.XXX.XXX) port 443 (#0)
* found 138 certificates in /etc/ssl/certs/ca-certificates.crt
* found 417 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*   server certificate verification SKIPPED
*   server certificate status verification SKIPPED
* SSL: certificate subject name (Kubernetes Ingress Controller Fake Certificate) does not match target host name '<minio_server>'
* stopped the pause stream!
* Closing connection 0
[ERR] curl.cpp:RequestPerform(2078): ###curlCode: 51 msg: SSL peer certificate or SSH remote key was not OK
[ERR] curl.cpp:CheckBucket(2953): Check bucket failed, S3 response:
[CRT] s3fs.cpp:s3fs_check_service(3820): unable to connect(host=https://<minio_server>) - result of checking service.
[ERR] s3fs.cpp:s3fs_exit_fuseloop(3368): Exiting FUSE event loop due to errors
[INF] s3fs.cpp:s3fs_destroy(3441): destroy
[WAN] s3fs.cpp:s3fs_destroy(3445): Could not release curl library.
```

kerem 2026-03-04 01:48:45 +03:00: closed this issue; added the need info label

@gaul commented on GitHub (Dec 4, 2020):

s3fs 1.82 is three years old -- can you test with the latest version?


@NixTheMan commented on GitHub (Dec 4, 2020):

Okay that's strange however I ran sudo apt install s3fs -- and it reported the latest version being that:

s3fs is already the newest version (1.82-1)...


@NixTheMan commented on GitHub (Dec 4, 2020):

is the latest version not available via apt install, on Ubuntu as per your documentation??


@gaul commented on GitHub (Dec 5, 2020):

Unfortunately Ubuntu LTS does not upgrade its s3fs packages the way Red Hat EPEL does. I asked them before but perhaps you can ask again?


@gaul commented on GitHub (Feb 8, 2021):

Please reopen if you can reproduce the symptoms with the latest version 1.88.


@stackprotector commented on GitHub (Feb 1, 2023):

This error still seems to exist in version 1.90.

curldbg:

```
[CURL DBG] * SSL connection using TLS1.3 / ECDHE_RSA_AES_256_GCM_SHA384
[CURL DBG] *   server certificate verification SKIPPED
[CURL DBG] *   server certificate status verification SKIPPED
[CURL DBG] * SSL: certificate subject name (XXX) does not match target host name 'XXX.YYY'
```

It looks like curl gets instructed to skip certain certificate checks, but not all certificate checks. It is still checking subject and target host name.


@ggtakec commented on GitHub (Feb 10, 2023):

Please try with `-o ssl_verify_hostname=0` option.


@ghost commented on GitHub (Jan 3, 2025):

> Please try with `-o ssl_verify_hostname=0` option.

Adding this option to the no_check_certificate helped skip all the SSL-related checks!

Thank you @ggtakec !
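
The diagnosis reached in this thread, as an added example that is not part of the original issue or of the s3fs code: a Python triage of `curldbg` output that separates the chain check (reported as SKIPPED under `no_check_certificate`) from the hostname check that still rejects the connection. The sample log lines are constructed from the lines quoted above; the names `triage`, `Triage` and `PLACEHOLDER_SUBJECT` are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: curldbg lines as quoted in the thread (1.82 and 1.90 prefixes).
LOG_182 = """\
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*   server certificate verification SKIPPED
*   server certificate status verification SKIPPED
* SSL: certificate subject name (Kubernetes Ingress Controller Fake Certificate) does not match target host name '<minio_server>'
[ERR] curl.cpp:RequestPerform(2078): ###curlCode: 51 msg: SSL peer certificate or SSH remote key was not OK
"""
LOG_190 = """\
[CURL DBG] * SSL connection using TLS1.3 / ECDHE_RSA_AES_256_GCM_SHA384
[CURL DBG] *   server certificate verification SKIPPED
[CURL DBG] * SSL: certificate subject name (XXX) does not match target host name 'XXX.YYY'
"""
PLACEHOLDER_SUBJECT = "Kubernetes Ingress Controller Fake Certificate"  # from the 1.82 log
CHAIN_SKIPPED = re.compile(r"server certificate verification SKIPPED")
MISMATCH = re.compile(r"certificate subject name \((.*?)\) does not match target host name '(.*?)'")
CURL_CODE = re.compile(r"###curlCode:\s*(\d+)")

@dataclass
class Triage:
    chain_check_skipped: bool    # chain (CA) verification was skipped
    subject: Optional[str]       # name in the certificate the server presented
    target_host: Optional[str]   # host s3fs connected to (from -o url=)
    curl_code: Optional[int]     # value after "###curlCode:", if logged

    def findings(self) -> list:
        out = []
        if self.chain_check_skipped:
            out.append("chain verification skipped (no_check_certificate in effect)")
        if self.subject is not None:
            out.append(f"hostname check still enforced: certificate is for "
                       f"{self.subject!r}, not {self.target_host!r}")
            if self.subject == PLACEHOLDER_SUBJECT:
                out.append("server presented a placeholder certificate; "
                           "serving one issued for the host removes the mismatch")
        return out

def triage(log: str) -> Triage:
    m, code = MISMATCH.search(log), CURL_CODE.search(log)
    return Triage(bool(CHAIN_SKIPPED.search(log)),
                  m.group(1) if m else None, m.group(2) if m else None,
                  int(code.group(1)) if code else None)

if __name__ == "__main__":
    for version, log in (("1.82", LOG_182), ("1.90", LOG_190)):
        print(version, triage(log).findings())
```

The hostname finding is the check that `-o ssl_verify_hostname=0` turns off in the thread; with that and `no_check_certificate` both set, the TLS session no longer authenticates the server.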
