Amazon S3 - hostname does not match the server certificate (OpenSSL::SSL::SSLError) + rails

I am using Amazon S3 with Rails and fog. When I try to precompile my assets with rake assets:precompile, I get this

error message:

    [WARNING] fog: followed redirect to myproject.de.s3-us-west-2.amazonaws.com, connecting to the matching region will be more performant
    rake aborted!
    hostname does not match the server certificate (OpenSSL::SSL::SSLError)

So there is something going on with OpenSSL.

What I tried already:

  1. I have already tried to configure certificates in application.rb like this, with no success:

    # config/application.rb (aws-sdk v1 style configuration)
    AWS.config(:http_handler => AWS::Http::HTTPartyHandler.new(:ssl_ca_path => "/etc/ssl/certs"))

  2. I also installed OpenSSL on Ubuntu 12.04 from here.

Question is: how does Amazon S3 deal with certificates?

mark10, asked Aug 20 '13 16:08

2 Answers

Actually you can use a bucket name with a dot. All you have to do is add :path_style => true to your config.fog_credentials.

In your example, it would give:

    config.fog_credentials = {
      :provider              => 'AWS',
      :aws_access_key_id     => ENV['S3_KEY'],
      :aws_secret_access_key => ENV['S3_SECRET'],
      :region                => ENV['S3_REGION'],
      :path_style            => true
    }
    config.fog_directory    = "myproject.de"

PEF, answered Oct 01 '22 08:10

TL;DR Solution

In order to access your S3 bucket URLs via HTTPS, you will need to either:

  • Choose a bucket name such that it contains no periods '.' and use the "Virtual Hosted–Style" URL, such as
    https://simplebucketname.s3.amazonaws.com/myObjectKey
    OR
  • Use the "Path Style" URL form that specifies the bucket name separately, after the host name, for example:
    https://s3.amazonaws.com/mybucket.mydomain.com/myObjectKey

With fog, you can set the option: :path_style => true as this solution explained.

The Problem & Explanation

The SSL Certificate Validation problem arises from using dots '.' in the S3 Bucket Name along with the "Virtual Hosted–Style Method" URL format.

The Amazon S3 Documentation states that it allows two main URL formats for accessing S3 Buckets and Objects:

  1. Path Style Method (being deprecated)
  2. Virtual Hosted–Style Method

So what's happening is this:

  1. Fog is trying to request a URL to your bucket like: https://myproject.de.s3-us-west-2.amazonaws.com/foo/bar
  2. The Hostname in the request is myproject.de.s3-us-west-2.amazonaws.com
  3. SSL Cert for *.amazonaws.net is served during SSL/TLS negotiation
  4. Fog tries to validate the SSL Cert & CA Cert Chain
  5. Fog tries to match the Cert's CN *.s3.amazonaws.com against myproject.de.s3-us-west-2.amazonaws.com
  6. According to Certificate CN wildcard matching rules in RFC 2818, the sub-subdomain does not match wildcard CN: *.s3.amazonaws.com
  7. Connection fails with hostname does not match the server certificate due to Invalid SSL Cert CA Validation

The dots in S3 URL problem is mentioned around the internet such as in the Drupal Project, AWS Forums, Python Boto Library and is very well explained in this blog post entitled: Amazon S3 Gotcha: Using Virtual Host URLs with HTTPS <-- I highly recommend reading this one for further clarification.

TrinitronX, answered Oct 01 '22 09:10
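Added example (not code from either answer, from fog, or from AWS): the Ruby script below builds a self-signed certificate whose subjectAltName is constructed to resemble the regional wildcard the answers describe, derives the host a client would contact for a bucket in each URL style (the :path_style => true setting from the first answer versus the virtual-hosted default), and asks Ruby's own OpenSSL::SSL.verify_certificate_identity, which implements the RFC 6125 one-label wildcard rule, whether that host passes validation. The build_test_cert, s3_endpoint and check_bucket helpers, the region-to-host mapping and the SAN list are assumptions made for illustration; the real S3 certificate differs.

```ruby
require "openssl"

# Self-signed certificate whose subjectAltName carries the given DNS names.
# The names passed in are CONSTRUCTED for this example; the real S3
# certificate is different.
def build_test_cert(dns_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([["CN", dns_names.first]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  san = dns_names.map { |n| "DNS:#{n}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", san, false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Hypothetical helper: host and path a client would use for bucket/key in
# each URL style. The legacy regional host form s3-<region>.amazonaws.com is
# the one that appears in the question and answers (assumption).
def s3_endpoint(bucket, key, region: "us-west-2", path_style: false)
  host = region == "us-east-1" ? "s3.amazonaws.com" : "s3-#{region}.amazonaws.com"
  path_style ? [host, "/#{bucket}/#{key}"] : ["#{bucket}.#{host}", "/#{key}"]
end

# Ruby's standard library performs the RFC 6125 / RFC 2818 hostname check:
# a wildcard covers exactly one DNS label, so "*.s3-us-west-2.amazonaws.com"
# matches "simplebucket.s3-us-west-2.amazonaws.com" but never
# "myproject.de.s3-us-west-2.amazonaws.com".
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Constructed stand-in for the regional S3 certificate (assumption).
S3_CERT = build_test_cert(["*.s3-us-west-2.amazonaws.com", "s3-us-west-2.amazonaws.com"])

# For one bucket name, report the URL each style produces and whether the
# resulting hostname would pass certificate validation.
def check_bucket(bucket, cert: S3_CERT)
  { virtual_hosted: false, path: true }.each_with_object({}) do |(style, ps), out|
    host, path = s3_endpoint(bucket, "myObjectKey", path_style: ps)
    out[style] = { host: host, url: "https://#{host}#{path}", ok: hostname_matches?(cert, host) }
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[myproject.de simplebucket].each do |bucket|
    check_bucket(bucket).each do |style, r|
      puts format("%-14s %-15s %-5s %s", bucket, style, r[:ok] ? "ok" : "FAIL", r[:url])
    end
  end
end
```

Running it shows the dotted bucket failing only in virtual-hosted style: the hostname has one label more than the wildcard can absorb, while the path-style host matches the exact SAN entry and the undotted bucket matches the wildcard. This is the same check fog (through Ruby's OpenSSL bindings) performs before the request is sent, which is why no CA-path setting in application.rb can fix it.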