Connection Error - S3 Bug Endpoint?

kallados · December 31, 2021, 7:35pm

Hey,
I’m unfortunately not able to load the Data from Scaleway. Maybe Bug path with Wildcard? Thanks

expecting *.cloud
get *. cloud.

Message

Host: kallados.com-backup.s3.nl-ams.scw.cloud. is not in the cert’s altnames: DNS:.s3-website.nl-ams.scw.cloud, DNS:.s3.nl-ams.scw.cloud, DNS:s3-website.nl-ams.scw.cloud, DNS:s3.nl-ams.scw.cloud

Error

ERR_TLS_CERT_ALTNAME_INVALID

{"message":"Hostname/IP does not match certificate's altnames: Host: kallados.com-backup.s3.nl-ams.scw.cloud. is not in the cert's altnames: DNS:*.s3-website.nl-ams.scw.cloud, DNS:*.s3.nl-ams.scw.cloud, DNS:s3-website.nl-ams.scw.cloud, DNS:s3.nl-ams.scw.cloud","name":"Error","stack":"Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: kallados.com-backup.s3.nl-ams.scw.cloud. is not in the cert's altnames: DNS:*.s3-website.nl-ams.scw.cloud, DNS:*.s3.nl-ams.scw.cloud, DNS:s3-website.nl-ams.scw.cloud, DNS:s3.nl-ams.scw.cloud\n at Object.checkServerIdentity (tls.js:297:12)\n at TLSSocket.onConnectSecure (_tls_wrap.js:1517:27)\n at TLSSocket.emit (events.js:376:20)\n at TLSSocket._finishInit (_tls_wrap.js:932:8)\n at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)","code":"ERR_TLS_CERT_ALTNAME_INVALID"}

Scenario

Scaleway Bucket: public
n8n version: 0.155.2
Running n8n with the execution process: default
Running n8n via Docker, Cloudron 7.0.4

Jon · January 1, 2022, 3:32am

Hey @kallados,

The error coming back is saying the issue is with the SSL certificate.

Looking at the returned alt names *.com-backup.s3.nl-ams.scw.cloud is not in there so you would need to create a new certificate for that / add it to the alt names.

Wildcard certificates only do one level so a cert for *.n8n.io wouldn’t work for *.test.n8n.io.

kallados · January 1, 2022, 10:50am

Hey, this is Wildcard Cert from Scaleway. I have another one Bucket and there is working everything as well.

*.com-backup.s3.nl-ams.scw.cloud

and bucket is

kallados.com-backup.s3.nl-ams.scw.cloud - dont’ work

zalando.space.s3.fr-par.scw.cloud - everything fine
zalando.space.s3.nl-ams.scw.cloud - everything fine

Each one contains point, but it’s not handled like a subdomain. Issue with Wildcard would be creating the same error with zalando.space.s3* right? It would be nice, just to be certain, that the Issue is not the point at the End of the Request.

I’ve just created bucket with test.test.test name and get the same issue. The Address on N8N is generated with the point at the end.

Jon · January 1, 2022, 12:23pm

Hey @kallados,

The point at the end shouldn’t matter and should just be part of the error message.

If you look at the error and the list of domains in the certificate you are using a sub domain that has no entry in the cert file. As far as I know you can’t have a . in an fqdn without it being treated as a sub domain.

Do the Zalando URLs work in n8n? I would say if they are working then it seems unlikely that it would be a code level issue as the same logic would apply with adding the .

I can take a proper look in a few hours to see how the certs look.

Jon · January 1, 2022, 12:25pm

As a quick test from my phone I have tried to open https://kallados.com-backup.s3.nl-ams.scw.cloud and I get a certificate issue as well.

The SSL Labs test tool is also showing the same issue: SSL Server Test: kallados.com-backup.s3.nl-ams.scw.cloud (Powered by Qualys SSL Labs)

kallados · January 2, 2022, 9:46am

yeah Zalando Link working

Jon · January 2, 2022, 11:49am

It would be worth checking that certificate I am about 90% sure that is your issue as other things are also flagging the cert as being invalid.