S3cmd certificate error

dreamobjects

#1

Hi all,

I’m trying to access DreamObjects using the s3cmd program. It works fine when I use HTTP. But with HTTPS enabled it gives:

A log of a session with -d and -v turned on is below. I’m using Python 2.7.10 on FreeBSD 10-Stable.

Thanks for any help,
Graham

[quote]DEBUG: ConfigParser: Reading file '/home/gfm/.s3cfg'
DEBUG: ConfigParser: access_key->gx…17_chars…4
DEBUG: ConfigParser: secret_key->UR…37_chars…C
DEBUG: ConfigParser: host_base->objects.dreamhost.com
DEBUG: ConfigParser: host_bucket->%(bucket)s.objects.dreamhost.com
DEBUG: ConfigParser: enable_multipart->True
DEBUG: ConfigParser: multipart_chunk_size_mb->15
DEBUG: ConfigParser: use_https->True
DEBUG: Updating Config.Config cache_file ->
DEBUG: Updating Config.Config follow_symlinks -> False
DEBUG: Updating Config.Config verbosity -> 10
DEBUG: Unicodising 'la' using UTF-8
DEBUG: Unicodising 's3://gramen' using UTF-8
DEBUG: Command: la
DEBUG: CreateRequest: resource[uri]=/
DEBUG: Using signature v2
DEBUG: SignHeaders: 'GET\n\n\n\nx-amz-date:Tue, 21 Jul 2015 01:00:02 +0000\n/'
DEBUG: Processing request, please wait…
DEBUG: get_hostname(None): objects.dreamhost.com
DEBUG: ConnMan.get(): creating new connection: https://objects.dreamhost.com
DEBUG: Using ca_certs_file None
DEBUG: non-proxied HTTPSConnection(objects.dreamhost.com)
ERROR: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)[/quote]


#2

I just had another customer with the same issue, which is very specific to FreeBSD, and they were able to find a solution. Your mileage may vary but it may help.

They said that it seems like FreeBSD does not have a “system” to store CA root files. The administrator has to acquire and place the root CA file. They said there is a port in /usr/ports/security/ca_root_nss which will fetch the file for you, but it does not put it in the location that openssl expects. Their solution was to make a symlink from /usr/local/etc/ssl/cert.pem to /etc/ssl/cert.pem for openssl to be able to find the certs. There may be a build option for this or another solution, or there may be a bug why it doesn’t do this itself. They manually created that symlink and it started working for them.

Can you give that a try and see how it goes?


#3

Thanks Justin, that fixed it.

The sad thing is that I already thought of that and believed that I had the link in place. But I didn’t!

Anyway, for others using FreeBSD: install the security/ca_root_nss port and make sure that the ETCSYMLINK option is enabled (ticked).

Thanks again,
Graham
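
For readers checking the same condition on their own host, here is an added example (not part of the thread and not s3cmd code) that reports which CA bundle path Python's ssl module inherits from OpenSSL and whether that path is missing, a dangling symlink, or a readable PEM file. It is written for Python 3; the function names and the temporary-directory layout in `demo_constructed_layout()` are constructed for illustration.

```python
import os
import ssl
import tempfile

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

def diagnose_ca_file(path):
    """Classify the CA bundle path that OpenSSL would read."""
    if not path:
        return "unset"
    if os.path.islink(path) and not os.path.exists(path):
        return "dangling-symlink"   # link present, target gone
    if not os.path.exists(path):
        return "missing"            # no bundle and no link at this path
    if not os.path.isfile(path):
        return "not-a-file"
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return "unreadable"
    return "ok" if PEM_MARKER in data else "no-certificates"

def default_ca_report():
    """Report the CA file this interpreter's OpenSSL build uses by default."""
    p = ssl.get_default_verify_paths()
    # SSL_CERT_FILE (p.openssl_cafile_env) overrides the compiled-in path.
    effective = os.environ.get(p.openssl_cafile_env, p.openssl_cafile)
    return {"path": effective, "status": diagnose_ca_file(effective)}

def demo_constructed_layout():
    """Constructed layout: a bundle plus a cert.pem symlink, before and after
    the bundle is removed. Paths are illustrative, not FreeBSD's real ones."""
    with tempfile.TemporaryDirectory() as root:
        bundle = os.path.join(root, "bundle.pem")
        link = os.path.join(root, "cert.pem")
        results = [diagnose_ca_file(link)]        # nothing installed yet
        with open(bundle, "wb") as fh:
            fh.write(PEM_MARKER + b"\n(constructed placeholder)\n")
        os.symlink(bundle, link)
        results.append(diagnose_ca_file(link))    # link resolves to bundle
        os.remove(bundle)
        results.append(diagnose_ca_file(link))    # link left behind
        return results

if __name__ == "__main__":
    print(default_ca_report())
    print(demo_constructed_layout())
```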