
duplicity-team team mailing list archive

Re: [Question #674847]: Certificate Error when connecting to other-than-Virginia S3 endpoint

 

On 08.10.2018 14:37, Eric Christensen wrote:
> New question #674847 on Duplicity:
> https://answers.launchpad.net/duplicity/+question/674847
> 
> I'm trying to use a S3 bucket I created in the Ohio region for my off-site backup storage.  When connecting to the server, however, I get the following error:
> 
> CertificateError: hostname 's3-us-east-2.amazonaws.com.s3.amazonaws.com' doesn't match either of '*.s3.amazonaws.com', 's3.amazonaws.com'
> 
> (That is the address to the Ohio S3 endpoint[0], by the way.)
> 
> My first thought was that Amazon was somehow using a bad wildcard certificate at the endpoint which was causing the problem.  Upon further investigation, it appears that the certificate used is proper[1].  Does Duplicity use a stored certificate for verifying the connection?  Why would this error be happening?
> 
> [0] https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region
> [1] https://www.ssllabs.com/ssltest/analyze.html?d=s3.us-east-2.amazonaws.com
> 

hey Eric,

afaik and according to
  https://en.wikipedia.org/wiki/Wildcard_certificate
"
Limitations
Only a single level of subdomain matching is supported in accordance with RFC 2818.[7]
"
so the error is valid. where does 's3-us-east-2.amazonaws.com.s3.amazonaws.com' come from?
see
  https://www.ssllabs.com/ssltest/analyze.html?d=s3-us-east-2.amazonaws.com.s3.amazonaws.com

also note from your info above 
  s3-us-east-2.amazonaws.com.s3.amazonaws.com
is not the same as
  s3.us-east-2.amazonaws.com

the aws docs above seem to say 
  s3.us-east-2.amazonaws.com
  s3-us-east-2.amazonaws.com
(prefixed 's3.' or 's3-') are valid [0].

what is your command line (especially the target url)?

..ede/duply.net
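
Added example, not part of the original message and not duplicity's or Python's own verification code: a simplified single-label wildcard matcher in the spirit of the RFC 2818 limitation quoted above, run against the two certificate names from the error. The bucket-style hostname `example-bucket.s3.amazonaws.com` is constructed for illustration; partial-label wildcards such as `f*.example.com` are deliberately treated as literals here.

```python
# Simplified certificate-name matching: a '*' is honoured only as the
# whole leftmost label and stands for exactly one DNS label.
# Illustrative helper names; this is not the ssl module's implementation.

def split_labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def wildcard_match(pattern, hostname):
    """Return True if hostname matches one certificate name pattern."""
    p = split_labels(pattern)
    h = split_labels(hostname)
    # One wildcard label covers one hostname label, so the label counts
    # must be equal; extra levels on the left are never absorbed.
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def matching_names(hostname, cert_names):
    """List the certificate names that accept this hostname."""
    return [n for n in cert_names if wildcard_match(n, hostname)]


# The two names quoted in the CertificateError message.
CERT_NAMES = ["*.s3.amazonaws.com", "s3.amazonaws.com"]

SAMPLES = [
    "s3-us-east-2.amazonaws.com.s3.amazonaws.com",  # hostname from the error
    "s3.us-east-2.amazonaws.com",                   # endpoint named in the thread
    "s3.amazonaws.com",
    "example-bucket.s3.amazonaws.com",              # constructed sample
]

if __name__ == "__main__":
    for host in SAMPLES:
        hits = matching_names(host, CERT_NAMES)
        labels = len(split_labels(host))
        print(f"{host:45} labels={labels} -> {hits or 'no match'}")
```

The hostname from the error has six labels against a four-label wildcard pattern, so no name on that certificate can accept it, which is why the client rejects the connection.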

