
SSL with lets encrypt getting 405 on all actions.

Open cbaykam opened this issue 7 years ago • 3 comments

I am using scality s3 in a docker container which is tied to a rails application. Also mounting generated letsencrypt certificates for ssl and have the certs in my docker container.

My initial goal is to create a bucket in the scality server using a Ruby on Rails rake task on deployment (any easier methods welcome).

I am getting 405 Method Not Allowed on every request when I try to create a bucket. I am sure that I have the correct keys, as both the scality server and the Rails app are getting them from an environment file (also tested manually).

    "certFilePaths": {
        "key": "/usr/src/app/certs/server.key",
        "cert": "/usr/src/app/certs/server.crt",
        "ca": "/usr/src/app/certs/ca.crt"
    },

This is my certFilePaths section in the config.

    "restEndpoints": {
        "localhost": "us-east-1",
        "127.0.0.1": "us-east-1",
        "cloudserver-front": "us-east-1",
        "s3.docker.test": "us-east-1",
        "127.0.0.2": "us-east-1",
        "s3.amazonaws.com": "us-east-1",
        "filserver": "us-east-1",
        "$DOMAIN": "us-east-1"
    },

And this is my configuration for the deployment ($DOMAIN is replaced by the actual domain during deploy).

I also tested with the JavaScript example given in the documentation, and this is the output:

message: null,
  code: 405,
  region: null,
  time: 2018-11-01T12:38:53.650Z,
  requestId: 'd2e769a86f419d07288f',
  extendedRequestId: 'd2e769a86f419d07288f',
  cfId: undefined,
  statusCode: 405,
  retryable: false,
  retryDelay: 7.7066412757188285 } '405: null\n    at Request.extractError 

Thanks in advance

cbaykam Nov 01 '18 12:11

I tried to remove the letsencrypt certs and followed the standard method for self-signed certs as described here: https://www.zenko.io/blog/s3-server-with-ssl/

With the example code:

const AWS = require('aws-sdk');
const fs = require('fs');
const https = require('https');

const httpOptions = {
	agent: new https.Agent({
		// path on your host of the self-signed certificate
		ca: fs.readFileSync('/usr/src/app/certs/ca.crt', 'ascii'),
	}),
};

const s3 = new AWS.S3({
	httpOptions,
	accessKeyId: process.env.SCALITY_ACCESS_KEY_ID,
	secretAccessKey: process.env.SCALITY_SECRET_ACCESS_KEY,
	endpoint: process.env.DOMAIN,
	sslEnabled: true,
	s3ForcePathStyle: true,
});

const bucket = 'cocoriko';

s3.createBucket({ Bucket: bucket }, err => {
	if (err) {
		return console.log('err createBucket', err);
	}
	return s3.deleteBucket({ Bucket: bucket }, err => {
		if (err) {
			return console.log('err deleteBucket', err);
		}
		return console.log('SSL is cool!');
	});
});

I am getting error:

err createBucket { Error: unable to get local issuer certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:610:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38)
  message: 'unable to get local issuer certificate',
  code: 'NetworkingError',
  region: 'us-east-1',

cbaykam Nov 05 '18 09:11
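
The `unable to get local issuer certificate` error in the comment above is OpenSSL reporting that none of the certificates the client trusts (here, the file passed as `ca`) issued the certificate the server presented. The shell sketch below is an added example, not part of the thread or of CloudServer: it builds a constructed throwaway PKI (the names `ca-a`, `ca-b` and `s3.example.test` are made up) and shows `openssl verify` accepting the issuing CA and returning the same error for an unrelated one.

```shell
#!/bin/sh
# Constructed throwaway PKI; every name below is made up for this example.

# new_ca <dir> <name>: self-signed root CA (private key + certificate).
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue <dir> <issuer> <name>: key + certificate for <name>, signed by <issuer>.
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -days 1 -CAcreateserial \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -out "$1/$3.crt" 2>/dev/null
}

# check_ca <ca-file> <cert>: print openssl's verdict on <cert> when <ca-file>
# is the only trust anchor supplied, as with the `ca` option in the Node client.
check_ca() {
    openssl verify -CAfile "$1" "$2" 2>&1 || true
}

demo() {
    dir=$(mktemp -d)
    new_ca "$dir" ca-a                 # the CA that signs the server cert
    new_ca "$dir" ca-b                 # an unrelated CA
    issue "$dir" ca-a s3.example.test
    echo "--- trust file is the issuing CA:"
    check_ca "$dir/ca-a.crt" "$dir/s3.example.test.crt"
    echo "--- trust file is a different CA:"
    check_ca "$dir/ca-b.crt" "$dir/s3.example.test.crt"
    rm -rf "$dir"
}

demo
```

Running `check_ca /usr/src/app/certs/ca.crt /usr/src/app/certs/server.crt` inside the container applies the same check to the files named in the thread.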

Hi @cbaykam, you can also try using the SSL environment variable. It allows you to run CloudServer with SSL: https://s3-server.readthedocs.io/en/latest/DOCKER.html#ssl Here is how we generate the SSL key and certificates when your Docker container is run: https://github.com/scality/cloudserver/blob/development/8.1/docker-entrypoint.sh#L29

nicolas2bert Nov 07 '18 01:11

Thanks for the reply. But it seems like the ssl variable only supports self-signed certs, which are overriding the certificates we are using for other services too. We need support for letsencrypt certs.

cbaykam Nov 12 '18 12:11