Certificate Error when connecting to other-than-Virginia S3 endpoint

Asked by Eric Christensen on 2018-10-08

I'm trying to use a S3 bucket I created in the Ohio region for my off-site backup storage. When connecting to the server, however, I get the following error:

CertificateError: hostname 's3-us-east-2.amazonaws.com.s3.amazonaws.com' doesn't match either of '*.s3.amazonaws.com', 's3.amazonaws.com'

(That is the address to the Ohio S3 endpoint[0], by the way.)

My first thought was that Amazon was somehow using a bad wildcard certificate at the endpoint which was causing the problem. Upon further investigation, it appears that the certificate used is proper[1]. Does Duplicity use a stored certificate for verifying the connection? Why would this error being happening?

[0] https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region
[1] https://www.ssllabs.com/ssltest/analyze.html?d=s3.us-east-2.amazonaws.com

Question information

Language:
English Edit question
Status:
Answered
For:
Duplicity Edit question
Assignee:
No assignee Edit question
Last query:
2018-10-08
Last reply:
2018-10-08
edso (ed.so) said : #1

On 08.10.2018 14:37, Eric Christensen wrote:
> New question #674847 on Duplicity:
> https://answers.launchpad.net/duplicity/+question/674847
>
> I'm trying to use a S3 bucket I created in the Ohio region for my off-site backup storage. When connecting to the server, however, I get the following error:
>
> CertificateError: hostname 's3-us-east-2.amazonaws.com.s3.amazonaws.com' doesn't match either of '*.s3.amazonaws.com', 's3.amazonaws.com'
>
> (That is the address to the Ohio S3 endpoint[0], by the way.)
>
> My first thought was that Amazon was somehow using a bad wildcard certificate at the endpoint which was causing the problem. Upon further investigation, it appears that the certificate used is proper[1]. Does Duplicity use a stored certificate for verifying the connection? Why would this error being happening?
>
> [0] https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region
> [1] https://www.ssllabs.com/ssltest/analyze.html?d=s3.us-east-2.amazonaws.com
>

hey Eric,

afaik and according to
  https://en.wikipedia.org/wiki/Wildcard_certificate
"
Limitations
Only a single level of subdomain matching is supported in accordance with RFC 2818.[7]
"
so the error is valid. where does 's3-us-east-2.amazonaws.com.s3.amazonaws.com' come from?
see
  https://www.ssllabs.com/ssltest/analyze.html?d=s3-us-east-2.amazonaws.com.s3.amazonaws.com

also note from your info above
  s3-us-east-2.amazonaws.com.s3.amazonaws.com
is not the same as
  s3.us-east-2.amazonaws.com

the aws docs above seem to say
  s3.us-east-2.amazonaws.com
  s3-us-east-2.amazonaws.com
(prefixed 's3.' or 's3-') are valid [0] .

what is you command line (especially the target url)?

..ede/duply.net

Can you help with this problem?

Provide an answer of your own, or ask Eric Christensen for more information if necessary.

To post a message you must log in.