Hostname/IP does not match certificate's altnames Nextjs with S3 Bucket - amazon-web-services

I get this error in my Nextjs Application where I use an image with next/image from my s3 bucket:
FetchError: request to https://bucketname.s3.us-west-1.amazonaws.com/1671375836114 failed, reason: Hostname/IP does not match certificate's altnames: Host: bucketname.s3.us-west-1.amazonaws.com. is not in the cert's altnames: DNS:s3-us-west-1.amazonaws.com, DNS:*.s3-us-west-1.amazonaws.com, DNS:s3.us-west-1.amazonaws.com, DNS:*.s3.us-west-1.amazonaws.com, DNS:s3.dualstack.us-west-1.amazonaws.com, DNS:*.s3.dualstack.us-west-1.amazonaws.com, DNS:*.s3.amazonaws.com, DNS:*.s3-control.us-west-1.amazonaws.com, DNS:s3-control.us-west-1.amazonaws.com, DNS:*.s3-control.dualstack.us-west-1.amazonaws.com, DNS:s3-control.dualstack.us-west-1.amazonaws.com, DNS:*.s3-accesspoint.us-west-1.amazonaws.com, DNS:*.s3-accesspoint.dualstack.us-west-1.amazonaws.com
Any idea how to fix this issue?

Related

How to get certificate for "www.*.example.org" with Traefik's dnsChallange?

With the config below the issued certificate works for www.example.org and abc.example.org but doesn't work for www.abc.example.org.
http:
  routers:
    web-router:
      rule: "Host(`example.org`) ||
        Host(`www.example.org`) ||
        HostRegexp(`{subdomain:[a-z-]+}.example.org`) ||
        HostRegexp(`www.{subdomain:[a-z-]+}.example.org`)"
      entryPoints:
        - web
      middlewares:
        - redirect
        - csrf
      service: django
    web-secure-router:
      rule: "Host(`example.org`) ||
        Host(`www.example.org`) ||
        HostRegexp(`{subdomain:[a-z-]+}.example.org`) ||
        HostRegexp(`www.{subdomain:[a-z-]+}.example.org`)"
      entryPoints:
        - web-secure
      middlewares:
        - csrf
      service: django
      tls:
        certResolver: letsencrypt
        domains:
          - main: "*.example.org"
            sans:
              - "example.org"
certificatesResolvers:
  letsencrypt:
    acme:
      email: "email#example.com"
      storage: /etc/traefik/acme/acme.json
      dnsChallenge:
        provider: route53
        delayBeforeCheck: 0
In the DNS I have A records for example.org and *.example.org.
Is it possible to get a certificate that works for www.*.example.org and *.example.org at the same time?
LetsEncrypt doesn't do nested wildcards. You can get a certificate for *.example.org or for *.sub.example.org, but *.example.org doesn't include . in the definition of *.
Furthermore, DNS itself doesn't support nested or embedded wildcards.
You can see this if you create a record for www.*.example.com and then query for something like www.foo.example.com. You'll get an NXDOMAIN response. If you query for www.\*.example.com (or wrap the FQDN in single quotes to avoid shell expansion), then you'll get the A record you created. The asterisk becomes a literal character when not at the beginning of the record.
➤ host www.sub.productionwebsite.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
Host www.sub.productionwebsite.com not found: 3(NXDOMAIN)
~
➤ host 'www.*.productionwebsite.com' 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
www.*.productionwebsite.com has address 10.68.0.73

Unable to mount S3 on EC2 using RIOFS - HTTP error: 400 (Bad Request)

I am trying to mount S3 bucket on AWS EC2 instance using RIOFS. I am unsuccessful.
Here are the logs:
12:47:53 [main] (main main.c:753) Using config file: /home/ubuntu/.config/riofs/riofs.conf.xml
12:47:53 [con] (http_connection_init http_connection.c:79) [con: 0x561ff22c2be0] Connecting to s3.amazonaws.com:80
12:47:53 [con] (http_connection_make_request http_connection.c:814) [con: 0x561ff22c2be0] GET /csv-test/?acl bucket: csv-test, host: s3.amazonaws.com, out_len: 0
12:47:53 [con] (http_connection_on_response_cb http_connection.c:464) [con: 0x561ff22c2be0] Got HTTP response from server! (160msec)
12:47:53 [con] (http_connection_on_response_cb http_connection.c:544) [con: 0x561ff22c2be0] New URL: csv-test.s3.amazonaws.com
12:47:53 [con] (http_connection_init http_connection.c:79) [con: 0x561ff22c2be0] Connecting to csv-test.s3.amazonaws.com:80
12:47:53 [con] (http_connection_on_close http_connection.c:196) [con: 0x561ff22c2be0] Connection closed !
12:47:53 [con] (http_connection_make_request http_connection.c:814) [con: 0x561ff22c2be0] GET /?acl bucket: csv-test, host: csv-test.s3.amazonaws.com, out_len: 0
12:47:53 [con] (http_connection_on_close http_connection.c:196) [con: 0x561ff22c2be0] Connection closed !
12:47:53 [con] (http_connection_on_response_cb http_connection.c:464) [con: 0x561ff22c2be0] Got HTTP response from server! (9msec)
12:47:53 [con] (http_connection_on_response_cb http_connection.c:591) [con: 0x561ff22c2be0] Server returned HTTP error: 400 (Bad Request). AWS message: The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.
12:47:53 [con] (http_connection_on_response_cb http_connection.c:602) [con: 0x561ff22c2be0] Server returned HTTP error: 400 (Bad Request)! Retry ID: 1 of 20
Is there a way to enable the use of AWS4-HMAC-SHA256 in the RIOFS connection? I am trying this in Frankfurt eu-central-1 and also in London eu-west-2 and am unsuccessful in both regions.
I also tried using s3fs and ended with an "unable to access bucket" error, but couldn't get detailed logs like riofs, which pointed out the actual error.
AWS4-HMAC-SHA256 is Signature Version 4 and only a few regions support it. I tested this against Frankfurt eu-central-1 and London eu-west-2. Both of these regions don't work. It works only on the US-EAST-1 N. Virginia region.
I could successfully mount the S3 bucket created on us-east-1 on EC2.

AWS ACM verified ALB SSL issue

I have used HTTPS for AWS Application Load Balancer listener by using ACM certificate.
I requested the public certificate for a subdomain from ACM: test.example.com and created a CNAME in Route 53 for it:
Name: _xxxxxxxxxxx.test.example.com
Type: CNAME
Value: xxxxxx.xxx.acm-validations.aws.
I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com) to call the API successfully in POSTMAN, however, when I use python requests or cURL to call the same API, it will always tell me there is some issue with the SSL.
cURL:
Code:
curl -X POST \
  https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi \
  -H 'Content-Type: application/json' \
  -H 'cache-control: no-cache' \
  -d '{
    "paras1": "xxxxx"
  }'
Error:
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=test.example.com
* start date: Nov 11 00:00:00 2018 GMT
* expire date: Dec 11 12:00:00 2019 GMT
* subjectAltName does not match xxxx.us-east-1.elb.amazonaws.com
* SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (51) SSL: no alternative certificate subject name matches target host name 'xxxx.us-east-1.elb.amazonaws.com'
Python Requests:
Code:
import requests

url = "https://xxxxx.us-east-1.elb.amazonaws.com/prod/testapi"
payload = "{\"paras1\": \"xxxxx\"}"
headers = {
    'Content-Type': "application/json",
    'cache-control': "no-cache"
}
response = requests.request("POST", url, data=payload, headers=headers)
print(response.text)
Error:
HTTPSConnectionPool(host='xxxx.us-east-1.elb.amazonaws.com', port=443):
Max retries exceeded with url: /prod/testapi
(Caused by SSLError(CertificateError("hostname 'xxxx.us-east-1.elb.amazonaws.com' doesn't match 'test.example.com'",),))
I can use the DNS of ALB (xxxx.us-east-1.elb.amazonaws.com)
That isn't how this is designed to work. You need to point test.example.com to the ELB in DNS, and then:
url = "https://test.example.com/prod/testapi"
Clearly, you call xxxx.us-east-1.elb.amazonaws.com, which is set up with a certificate for test.example.com. Although the certificate may be valid, it does not match the URL you are calling, which means that the certificate is NOT valid for THIS call. I think you also must set a custom domain for the API gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html
Edit: thanks for the comment. I am not sure how I read "elb" as an API gateway. My fault. Still, the DNS name for the ELB has to match the one in the certificate. You can create a CNAME from your domain to the ELB domain. This should work (at least this is how we do that).

What is the endpoint url for AWS StepFunctions?

The documentation defines the endpoint thusly:
endpoint (String) — The endpoint URI to send requests to. The default endpoint is built from the configured region. The endpoint should be a string like 'https://{service}.{region}.amazonaws.com'.
I believe the service name is StepFunctions and I'm using the region us-east-1 so therefore the url should be:
https://stepfunctions.us-east-1.amazonaws.com
However this appears to not be right, what is the actual endpoint url for this service?
Edit: (answer)
https://states.us-east-1.amazonaws.com
I don't think you should manually edit the service endpoint, however, the {service} parameter is actually states for StepFunctions service.
The following should be your endpoint property:
Endpoint {
protocol: 'https:',
host: 'states.us-east-1.amazonaws.com',
port: 443,
hostname: 'states.us-east-1.amazonaws.com',
pathname: '/',
path: '/',
href: 'https://states.us-east-1.amazonaws.com/' }

Redmine Email Configuration - An error occurred while sending mail (530 5.7.0 Authentication required )

My configuration.yml looks like this
default:
  configuration
  email_delivery:
    delivery_method: :smtp
    smtp_settings:
      address: "mail.example.com"
      port: 25
      domain: "example.com"
      authentication: :login
      user_name: "redmine#example.com"
      password: "xxxxxxxx"
I am getting the message An error occurred while sending mail (530 5.7.0 Authentication required ) while trying to send a test mail.
I have tried out different options with starttls, removing/adding quotes. It does not work. The configuration details work fine with Thunderbird. Somehow it does not work here.
Please note my redmine setup is on AWS and my mail server is on another shared hosting. Does it have anything to do with the security groups?
Please guide me to fix the issue. Thanks in advance.
You need to change default to production or development, and the configuration line is too much, so your config would look like this:
production:
  email_delivery:
    delivery_method: :smtp
    smtp_settings:
      address: "mail.example.com"
      port: 25
      domain: "example.com"
      authentication: :login
      user_name: "redmine#example.com"
      password: "xxxxxxxx"