
Amazon S3, using rails and fog. Trying to precompile my assets with rake assets:precompile:

message:

[WARNING] fog: followed redirect to myproject.de.s3-us-west-2.amazonaws.com, connecting to the matching region will be more performant
rake aborted!
hostname does not match the server certificate (OpenSSL::SSL::SSLError)

So there is something with OpenSSL

What I tried already:

  1. I have already tried to configure certificates in application.rb like this, with no success:

    AWS.config(:http_handler => AWS::Http::HTTPartyHandler.new(:ssl_ca_path => "/etc/ssl/certs"))

  2. also installed openssl on Ubuntu 12.04 from here

The question is: how does Amazon S3 deal with certificates?

mark10

3 Answers

Actually you can use a bucket name with a dot. All you have to do is add :path_style => true to your config.fog_credentials.

In your example, it would give:

config.fog_credentials = {
   :provider              => 'AWS',
   :aws_access_key_id     => ENV['S3_KEY'],
   :aws_secret_access_key => ENV['S3_SECRET'],
   :region                => ENV['S3_REGION'],
   :path_style            => true
}

config.fog_directory    = "myproject.de"
PEF
  • or add `Fog.credentials = { path_style: true }` in asset sync initializer – Gaurav Shah Jul 25 '14 at 09:51
  • `:region` _ALSO_ needs to be set, as shown in your example. If no region is specified, AWS may issue a 301 redirect back to the invalid bucket-name style address, with dots (rather than the path-style address). – MarkWPiper Jun 06 '18 at 21:18

TLDR; Solution

In order to access your S3 bucket URLs via httpS, you will need to either:

  • Choose a bucket name such that it contains no periods '.' and use the "Virtual Hosted–Style" URL, such as
    https://simplebucketname.s3.amazonaws.com/myObjectKey
    OR
  • Use the "Path Style" URL form that specifies the bucket name separately, after the host name, for example:
    https://s3.amazonaws.com/mybucket.mydomain.com/myObjectKey

With fog, you can set the option: :path_style => true as this solution explained.

The Problem & Explanation

The SSL Certificate Validation problem arises from using dots '.' in the S3 Bucket Name along with the "Virtual Hosted–Style Method" URL format.

The Amazon S3 Documentation states that it allows two main URL formats for accessing S3 Buckets and Objects:

  1. Path Style Method (being deprecated)
  2. Virtual Hosted–Style Method

So what's happening is this:

  1. Fog is trying to request a URL to your bucket like: https://myproject.de.s3-us-west-2.amazonaws.com/foo/bar
  2. The Hostname in the request is myproject.de.s3-us-west-2.amazonaws.com
  3. SSL Cert for *.amazonaws.net is served during SSL TLS Negotiation
  4. Fog tries to validate the SSL Cert & CA Cert Chain
  5. Fog tries to match the Cert's CN *.s3.amazonaws.com against myproject.de.s3-us-west-2.amazonaws.com
  6. According to Certificate CN wildcard matching rules in RFC 2818, the sub-subdomain does not match wildcard CN: *.s3.amazonaws.com
  7. Connection fails with hostname does not match the server certificate due to Invalid SSL Cert CA Validation

The dots in S3 URL problem is mentioned around the internet such as in the Drupal Project, AWS Forums, Python Boto Library and is very well explained in this blog post entitled: Amazon S3 Gotcha: Using Virtual Host URLs with HTTPS <-- I highly recommend reading this one for further clarification.

TrinitronX

The problem is with the naming of the bucket, in this case myproject.de, which is a format that Amazon S3 services do not consider valid (no dot in the name).

I have changed the name of bucket from myproject.de into myprojectde and it works now.

Rules for Bucket Naming

In all regions except for the US Standard region a bucket name must comply with the following rules. These result in a DNS compliant bucket name.

Bucket names must be at least 3 and no more than 63 characters long

Bucket name must be a series of one or more labels separated by a period (.), where each label:

Must start with a lowercase letter or a number

Must end with a lowercase letter or a number

Can contain lowercase letters, numbers and dashes

Bucket names must not be formatted as an IP address (e.g., 192.168.5.4)

The following are examples of valid bucket names:

myawsbucket

my.aws.bucket

myawsbucket.1

The following are examples of invalid bucket names:

Invalid Bucket Name   Comment
.myawsbucket          Bucket name cannot start with a period (.).
myawsbucket.          Bucket name cannot end with a period (.).
my..examplebucket     There can only be one period between labels

Note if you want to access a bucket using a virtual hosted-style request, for example http://mybucket.s3.amazonaws.com over SSL, the bucket name cannot include a period (.).

further reference is here

mark10
  • This is not correct. The bucket name `myproject.de` is a valid bucket name. In some instances bucket names must contain periods.(from Amazon Docs http://docs.aws.amazon.com/AmazonS3/latest/dev/website-hosting-custom-domain-walkthrough.html): 'In this step, you will sign in to the Amazon S3 console with your AWS account credentials and create the following two buckets: example.com & www.example.com' – Undistraction Nov 27 '13 at 19:37