duplicity-team team mailing list archive

Thread
Date

Re: [Question #674847]: Certificate Error when connecting to other-than-Virginia S3 endpoint

To: duplicity-team@xxxxxxxxxxxxxxxxxxx
From: edso <question674847@xxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 08 Oct 2018 13:09:16 -0000
Reply-to: question674847@xxxxxxxxxxxxxxxxxxxxx
Sender: bounces@xxxxxxxxxxxxx

Question #674847 on Duplicity changed:
https://answers.launchpad.net/duplicity/+question/674847

    Status: Open => Answered

edso proposed the following answer:
On 08.10.2018 14:37, Eric Christensen wrote:
> New question #674847 on Duplicity:
> https://answers.launchpad.net/duplicity/+question/674847
> 
> I'm trying to use a S3 bucket I created in the Ohio region for my off-site backup storage.  When connecting to the server, however, I get the following error:
> 
> CertificateError: hostname 's3-us-east-2.amazonaws.com.s3.amazonaws.com' doesn't match either of '*.s3.amazonaws.com', 's3.amazonaws.com'
> 
> (That is the address to the Ohio S3 endpoint[0], by the way.)
> 
> My first thought was that Amazon was somehow using a bad wildcard certificate at the endpoint which was causing the problem.  Upon further investigation, it appears that the certificate used is proper[1].  Does Duplicity use a stored certificate for verifying the connection?  Why would this error being happening?
> 
> [0] https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region
> [1] https://www.ssllabs.com/ssltest/analyze.html?d=s3.us-east-2.amazonaws.com
> 

hey Eric,

afaik and according to
  https://en.wikipedia.org/wiki/Wildcard_certificate
"
Limitations
Only a single level of subdomain matching is supported in accordance with RFC 2818.[7]
"
so the error is valid. where does 's3-us-east-2.amazonaws.com.s3.amazonaws.com' come from?
see
  https://www.ssllabs.com/ssltest/analyze.html?d=s3-us-east-2.amazonaws.com.s3.amazonaws.com

also note from your info above 
  s3-us-east-2.amazonaws.com.s3.amazonaws.com
is not the same as
  s3.us-east-2.amazonaws.com

the aws docs above seem to say 
  s3.us-east-2.amazonaws.com
  s3-us-east-2.amazonaws.com
(prefixed 's3.' or 's3-') are valid [0] .

what is you command line (especially the target url)?

..ede/duply.net

-- 
You received this question notification because your team duplicity-team
is an answer contact for Duplicity.