Closed Bug 973259 Opened 10 years ago Closed 10 years ago

Remove NODE_TLS_REJECT_UNAUTHORIZED override for s3

Categories

(Marketplace Graveyard :: Integration, defect, P1)

Avenir
x86
macOS
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ozten, Assigned: ozten)

Details

(Whiteboard: [A4A])

During development with awssum-amazon-s3, I'm occasionally seeing:

    Code: 'AwsSum-Request',
    Message: 'Something went wrong during the request',
    OriginalError: [Error: Hostname/IP doesn't match certificate's altnames]

The workaround in the code is to currently use

    process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0;

but this is bad, because we won't reject invalid server certificates.
Blocks: 958329
Flags: needinfo?(rforbes)
Priority: -- → P3
since we're not checking TLS certs here I think we need to bump priority
Priority: P3 → P1
Assignee: nobody → ozten.bugs
Whiteboard: [A4A]
I believe this is because we have periods '.' in our bucket names.

Example: mozilla.stuff.public

Changing to dashes fixes this bug

Example: mozilla-stuff-public

If this is true, why wouldn't the Python code also be having cert hostname issues?
This doesn't sound like the root of the problem. Bucket names follow DNS name conventions so dots are no problem: http://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html

Do you have any more details about how you're connecting and what the exact error is? 

I had some SSL cert problems with subdomains. I was getting invalid cert errors with https://the.bucket.s3.amazonaws.com/ but when I switched it to a directory, like https://s3.amazonaws.com/the.bucket , the cert was valid. I don't know if you were having the same kind of problem though.

Seems really weird that it started working with a dash-named bucket!
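
Added example (not part of the original bug comments or the project's code): Node's own `tls.checkServerIdentity` run against a constructed certificate whose names are assumed to be `*.s3.amazonaws.com` and `s3.amazonaws.com`. It shows that a wildcard covers exactly one DNS label, so a dotted bucket fails hostname verification as a subdomain but passes as a path, with verification left switched on. `SAMPLE_CERT`, `s3Urls`, `hostnameAccepted` and `checkBucket` are hypothetical names.

```javascript
const tls = require('tls');

// Constructed certificate fields (assumption): a wildcard name plus the bare
// endpoint, in the object shape Node hands to tls.checkServerIdentity().
const SAMPLE_CERT = {
  subject: { CN: '*.s3.amazonaws.com' },
  subjectaltname: 'DNS:*.s3.amazonaws.com, DNS:s3.amazonaws.com',
};

// Hypothetical helper: the two URL styles mentioned in the comment above.
function s3Urls(bucket) {
  return {
    virtualHosted: new URL(`https://${bucket}.s3.amazonaws.com/`),
    pathStyle: new URL(`https://s3.amazonaws.com/${bucket}`),
  };
}

// True when Node's hostname check accepts the certificate for this host.
// checkServerIdentity returns undefined on success and an Error on mismatch.
function hostnameAccepted(hostname, cert = SAMPLE_CERT) {
  return tls.checkServerIdentity(hostname, cert) === undefined;
}

// Evaluate both URL styles for one bucket name.
function checkBucket(bucket) {
  const urls = s3Urls(bucket);
  return {
    bucket,
    virtualHosted: hostnameAccepted(urls.virtualHosted.hostname),
    pathStyle: hostnameAccepted(urls.pathStyle.hostname),
  };
}

// Bucket names taken from the comments in this bug.
for (const b of ['mozilla.stuff.public', 'mozilla-stuff-public', 'the.bucket']) {
  console.log(checkBucket(b));
}
```
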
The S3 library we're using is nice for a few reasons. However it doesn't support path based access.

I'll look at switching to another library.
A version that uses knox instead.
https://github.com/mozilla/apk-factory-service/pull/50
We switched to knox.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Flags: needinfo?(rforbes)