S3 Bucket Name Credentials Problem on CentOS 7

Asked by Robert Inder on 2019-12-18

I'm trying to set up Duplicity (0.7.19) to back up to S3 from a CentOS7 machine running Python 2.7.5.

In our setup, ported from CentOS 6, duplicity is failing with:
    ssl.CertificateError: hostname 'duplicity.interactive.co.uk.s3.amazonaws.com.s3.amazonaws.com' doesn't match either of '*.s3.amazonaws.com', 's3.amazonaws.com'

This seems to be caused by an upgrade to Boto, the python interface to S3 (https://github.com/boto/boto/issues/2836), which now gets confused by bucket names that contain a ".". Trick is, this is Amazon's suggested/preferred naming convention.

The recommended solution is to add a line to /etc/boto.conf. So I created the file with the necessary line, and now when I call boto from a trivial test script, it responds to the config file, and all is well. But it does NOT cure the problem running duplicity, where boto still dies with the ssl.CertificateError.

Can anyone shed any light?
Why is boto ignoring its configuration file when it is invoked from within duplicity?
How CAN I get Duplicity to interact with an S3 bucket that uses Amazon's recommended naming scheme?

Question information

Language: English
Status: Answered
For: Duplicity
Assignee: No assignee
Last query: 2019-12-18
Last reply: 2019-12-20

edso (ed.so) said : #1

On 18.12.2019 12:52, Robert Inder wrote:
> New question #687232 on Duplicity:
> https://answers.launchpad.net/duplicity/+question/687232
>
> I'm trying to set up Duplicity (0.7.19) to back up to S3 from a CentOS7 machine running Python 2.7.5.

there is a brand new spanky boto3 support in duplicity 0.8.08 (use boto3+s3:// as schema). that is the current duplicity version. should still run with python2.7 although python3 is suggested.

> In our setup, ported from Centos 6, duplicity is failing with
> ssl.CertificateError: hostname 'duplicity.interactive.co.uk.s3.amazonaws.com.s3.amazonaws.com' doesn't match either of '*.s3.amazonaws.com', 's3.amazonaws.com'
>
> This seems to be caused by an upgrade to Boto, the python interface to S3 (https://github.com/boto/boto/issues/2836), which now gets confused by bucket names that contain a ".". Trick is, this is Amazon's suggested/preferred naming convention.
>
> The recommended solution is to add a line to /etc/boto.conf. So I created the file with the necessary line, and now when I call boto from a trivial test script, it responds to the config file, and all is well. But it does NOT cure the problem running duplicity, where boto still dies with the ssl.CertificateError.
>
> Can anyone shed any light?
> Why is boto ignoring its configuration file when it is invoked from within duplicity?
> How CAN I get Duplicity to interact with an S3 bucket that uses Amazon's recommended naming scheme?
>

try setting env var BOTO_CONFIG as described here
http://docs.pythonboto.org/en/latest/boto_config_tut.html

..ede/duply.net

Robert Inder (robertii) said : #2

Thanks, edso, but no joy with BOTO_CONFIG.
Setting it made no difference.

I realise I had a typo in my question.
I said I have /etc/boto.conf, but I actually have /etc/boto.cfg,
which the tutorial you pointed me to lists as one of the places boto looks anyway...

edso (ed.so) said : #3

On 18.12.2019 16:52, Robert Inder wrote:
> Question #687232 on Duplicity changed:
> https://answers.launchpad.net/duplicity/+question/687232
>
> Status: Answered => Open
>
> Robert Inder is still having a problem:
> Thanks, edso, but no joy with BOTO_CONFIG.
> Setting it made no difference.
>
> I realise I had a typo in my question.
> I said I have /etc/boto.conf, but I actually have /etc/boto.cfg
> Which the tutorial you pointed me to lists as one of the places boto looks anyway...
>

how about trying boto3/duplicity 0.8? boto2 is deprecated now anyways.

..ede/duplicity.net

Robert Inder (robertii) said : #4

Right now, I need to get things going. So I'm going to take the lazy/dodgy way out, and switch to using bucket names with "-" instead of ".".

I'll think about moving to duplicity 0.8 once I have something out the door.

But you seem to be saying/implying that there is no way to get the version of duplicity that Fedora provide for Enterprise Linux to support Amazon's preferred bucket naming scheme.

And that is surprising, and worrying!

edso (ed.so) said : #5

On 20.12.2019 17:22, Robert Inder wrote:
> Question #687232 on Duplicity changed:
> https://answers.launchpad.net/duplicity/+question/687232
>
> Robert Inder posted a new comment:
> Right now, I need to get things going. So I'm going to take the
> lazy/dodgy way out, and switch to using bucket names with "-" instead of
> ".".
>
> I'll think about moving to duplicity 0.8 once I have something out the
> door.

up to you

> But you seem to be saying/implying that there is no way to get the
> version of duplicity that Fedora provide for Enterprise Linux to support
> Amazon's preferred bucket naming scheme.

nope i do not. just stated that the library that the backend is based on (boto2) is outdated and not maintained anymore. similarly duplicity 0.7 while stable is not the current version and will most likely not receive any updates any more.

> And that is surprising, and worrying!
>

don't worry, be happy.

happy tree festivities!.. ede/duply.net
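
The certificate mismatch discussed in this thread, and why the "-" workaround from #4 avoids it, as an added example that is not part of the original posts and is not boto or duplicity code. It applies the leftmost-label wildcard rule to the two certificate names quoted in the error; the bucket name is assumed from the leading labels of the hostname in that error, and the hyphenated name is constructed.

```python
# Added example: simplified RFC 6125-style matching. A "*" in a certificate
# name stands for exactly one DNS label and never spans a dot.

CERT_NAMES = ["*.s3.amazonaws.com", "s3.amazonaws.com"]  # from the error message
ENDPOINT = "s3.amazonaws.com"


def name_matches(pattern, hostname):
    """Return True if one certificate name covers the hostname."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # label counts must agree because "*" covers one label
    if p_labels[0] == "*":
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(hostname, names=CERT_NAMES):
    """Return True if any name on the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in names)


def tls_host(bucket, style):
    """Host that the client connects to, and validates, per addressing style."""
    if style == "virtual-hosted":
        return "%s.%s" % (bucket, ENDPOINT)  # bucket becomes part of the DNS name
    if style == "path":
        # Bucket goes in the URL path (boto2: OrdinaryCallingFormat).
        return ENDPOINT
    raise ValueError("unknown addressing style: %r" % style)


def report():
    """Evaluate the three cases relevant to the thread."""
    cases = [
        ("duplicity.interactive.co.uk", "virtual-hosted"),  # assumed bucket name
        ("duplicity-interactive-co-uk", "virtual-hosted"),  # constructed name
        ("duplicity.interactive.co.uk", "path"),
    ]
    return [(b, s, tls_host(b, s), cert_covers(tls_host(b, s))) for b, s in cases]


if __name__ == "__main__":
    for bucket, style, host, ok in report():
        verdict = "certificate OK" if ok else "CertificateError"
        print("%-28s %-15s %-46s %s" % (bucket, style, host, verdict))
```

Only the dotted bucket name in virtual-hosted style fails validation; the hyphenated name and path-style addressing both present a hostname that the certificate covers.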
