edwardspec / mediawiki-aws-s3

Extension:AWS allows MediaWiki to use Amazon S3 (instead of the local directory) to store images.
https://www.mediawiki.org/wiki/Extension:AWS
GNU General Public License v2.0

Ignore self signed certificate #78

Closed simondutertre closed 5 months ago

simondutertre commented 5 months ago

Hi,

I am using an S3 compatible service with a self signed cert.

In my file operation log file I have some: cURL error 60: SSL certificate problem: unable to get local issuer certificate

Is there an option to ignore certificate errors on requests?

edwardspec commented 5 months ago

To completely disable SSL certificate verification, edit the file s3/AmazonS3FileBackend.php, adding the following line:

'http'  => [ 'verify' => false ],

... after this existing line:

$params['credentials'] = [

A more secure option: instead of false, specify the path to CA certificate bundle (which you can make yourself) that trusts the certificate you are using.

Please see this AWS documentation if you have any questions: https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_configuration.html#http-verify

simondutertre commented 5 months ago

Thank you for your help,

I have tried this param both in localSettings and in the extension code:

$wgAWSCredentials = [
        'http'  => [ 'verify' => false ],
        'key' => getenv('MW_S3_KEY'),
        'secret' => getenv('MW_S3_SECRET'),
        'token' => false,
];

or

in the codebase

                } elseif ( isset( $config['awsKey'] ) ) {
                        $params['credentials'] = [
                                'http'  => [ 'verify' => false ],
                                'key' => $config['awsKey'],
                                'secret' => $config['awsSecret'],
                                'token' => $config['awsToken'] ?? false
                        ];
                }

But I still have some SSL errors:

2024-05-14 07:53:03 b50164c7c1a8 mediawiki: S3FileBackend: found backend with S3 buckets: mediawiki, mediawiki/thumb, mediawiki/deleted, mediawiki/temp.

2024-05-14 07:53:03 b50164c7c1a8 mediawiki: S3FileBackend: doGetFileStat(): obtaining information about thumb/b/b9/logo.3ed6.png/575px-logo.3ed6.png in S3 bucket mediawiki

2024-05-14 07:53:04 b50164c7c1a8 mediawiki: S3FileBackend: exception [Null] in AmazonS3FileBackend::statUncached from HeadObject ({"Bucket":"mediawiki","Key":"thumb/b/b9/logo.3ed6.png/575px-logo.3ed6.png","@http":{"decode_content":false,"delay":101},"@context":[]}): Error executing "HeadObject" on "https://api-minio.xxx.xxx/mediawiki/thumb/b/b9/logo.3ed6.png/575px-logo.3ed6.png"; AWS HTTP error: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://api-minio.xxx.xxx/mediawiki/thumb/b/b9/logo.3ed6.png/575px-logo.3ed6.png

2024-05-14 07:53:04 b50164c7c1a8 mediawiki: FileBackendStore::ingestFreshFileStats: File mwstore://AmazonS3/local-thumb/b/b9/logo.3ed6.png/575px-logo.3ed6.png does not exist

2024-05-14 07:53:04 b50164c7c1a8 mediawiki: S3FileBackend: doGetFileStat(): obtaining information about thumb/b/b9/logo.3ed6.png/454px-logo.3ed6.png in S3 bucket mediawiki

2024-05-14 07:53:04 b50164c7c1a8 mediawiki: S3FileBackend: exception [Null] in AmazonS3FileBackend::statUncached from HeadObject ({"Bucket":"mediawiki","Key":"thumb/b/b9/logo.3ed6.png/454px-logo.3ed6.png","@http":{"decode_content":false,"delay":31},"@context":[]}): Error executing "HeadObject" on "https://api-minio.xxx.xxx/mediawiki/thumb/b/b9/logo.3ed6.png/454px-logo.3ed6.png"; AWS HTTP error: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://api-minio.xxx.xxx/mediawiki/thumb/b/b9/logo.3ed6.png/454px-logo.3ed6.png

2024-05-14 07:53:04 b50164c7c1a8 mediawiki: FileBackendStore::ingestFreshFileStats: File mwstore://AmazonS3/local-thumb/b/b9/logo.3ed6.png/454px-logo.3ed6.png does not exist

2024-05-14 07:53:04 b50164c7c1a8 mediawiki: S3FileBackend: getFileHttpUrl(): obtaining presigned S3 URL of b/b9/logo.3ed6.png in S3 bucket mediawiki

2024-05-14 07:53:04 b50164c7c1a8 mediawiki: S3FileBackend: downloading presigned S3 URL https://api-minio.xxx.xxx/mediawiki/b/b9/logo.3ed6.png?xxx

2024-05-14 07:53:04 b50164c7c1a8 mediawiki: copy(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

2024-05-14 07:53:04 b50164c7c1a8 mediawiki: copy(): Failed to enable crypto

edwardspec commented 5 months ago

My mistake, it should have been in $params, not $params['credentials'].

Does it work if you insert this line (in s3/AmazonS3FileBackend.php) above the following line?

            'version' => '2006-03-01',

simondutertre commented 5 months ago

Unfortunately there are still some errors:

Docker logs on MediaWiki startup:

mediawiki | Aws\S3\Exception\S3Exception from line 196 of /var/www/mediawiki/w/user-extensions/AWS/vendor/aws/aws-sdk-php/src/WrappedHttpHandler.php: Error executing "ListObjects" on "https://api-minio....-dev.xxx.com/mediawiki/?prefix=temp%2F&delimiter=&encoding-type=url"; AWS HTTP error: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://api-minio.xxx.xxx.com/mediawiki/?prefix=temp%2F&delimiter=&encoding-type=url
mediawiki | #0 /var/www/mediawiki/w/user-extensions/AWS/vendor/aws/aws-sdk-php/src/WrappedHttpHandler.php(98): Aws\WrappedHttpHandler->parseError()
mediawiki | #1 /var/www/mediawiki/w/user-extensions/AWS/vendor/guzzlehttp/promises/src/Promise.php(209): Aws\WrappedHttpHandler->Aws{closure}()
mediawiki | #2 /var/www/mediawiki/w/user-extensions/AWS/vendor/guzzlehttp/promises/src/Promise.php(174): GuzzleHttp\Promise\Promise::callHandler()

FileOperation log file on image resize:

2024-05-14 09:20:39 b50164c7c1a8 mediawiki: S3FileBackend: getFileHttpUrl(): obtaining presigned S3 URL of b/b9/logo.3ed6.png in S3 bucket mediawiki
2024-05-14 09:20:39 b50164c7c1a8 mediawiki: S3FileBackend: downloading presigned S3 URL https://api-minio.xxx-devxxx.com/mediawiki/b/b9/logo.3ed6.png?xxx
2024-05-14 09:20:39 b50164c7c1a8 mediawiki: copy(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2024-05-14 09:20:39 b50164c7c1a8 mediawiki: copy(): Failed to enable crypto
2024-05-14 09:20:39 b50164c7c1a8 mediawiki: copy(https://api-minio.xxx-devxxx.com/mediawiki/b/b9/logo.3ed6.png?X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&xxx): failed to open stream: operation failed
2024-05-14 09:20:39 b50164c7c1a8 mediawiki: S3FileBackend: Performance: 0.003 second spent on: downloading https://api-minio.xxx-devxxx.com/mediawiki/b/b9/logo.3ed6.png?xxxx from S3
2024-05-14 09:20:39 b50164c7c1a8 mediawiki: S3FileBackend: doGetLocalCopyMulti: b/b9/logo.3ed6.png from S3 bucket mediawiki couldn't be copied to: [Null]

For more info:

I have no errors locally in the docker-compose with 'http://minio:9000' in the env variable for $wgFileBackends['s3']['endpoint'] ('minio' being the docker-compose service name here); I can upload and resize images.

But I have those errors on my server with the same docker-compose when I replace this URL with my 'https://api-minio.xx' URL.

My localSettings config:

wfLoadExtension( 'AWS' );

$wgAWSCredentials = [
    'key' => getenv('MW_S3_KEY'),
    'secret' => getenv('MW_S3_SECRET'),
    'token' => false
];
$wgAWSRegion = getenv('MW_S3_REGION') ?: 'eu-central-1';
$wgAWSBucketName =  getenv('MW_S3_BUCKET_NAME');
$wgAWSBucketDomain = getenv('MW_S3_FRONT_URL').'/'.$wgAWSBucketName;
$wgFileBackends['s3']['endpoint'] = getenv('MW_S3_API_URL');
$wgFileBackends['s3']['use_path_style_endpoint'] = true;
$wgAWSRepoHashLevels = '2';

edwardspec commented 5 months ago

What happens if you manually send a request to https://api-minio.xx/ ?

Try running the following command in the console of Docker container that runs your webserver: curl -X GET --insecure https://api-minio.xx/no/such/file (this command should ignore certificate verification)

simondutertre commented 5 months ago

I do get an XML response from the service:

With the equivalent of your request, a 403 XML response:

<Error><Code>AccessDenied</Code><Message>Access Denied.</Message><Resource>/</Resource><RequestId>17CF583F1F655B24</RequestId><HostId>ce219821-1727-41f9-80f3-756f2207af5d</HostId></Error>

edwardspec commented 5 months ago

I don't know what to tell you:

This code (in s3/AmazonS3FileBackend.php) should have worked:

        $params = [
            'http'  => [ 'verify' => false ], // this line was added
            'version' => '2006-03-01',
            'region' => $config['awsRegion'] ?? $wgAWSRegion,
            'scheme' => $useHTTPS ? 'https' : 'http'
        ];

If it doesn't work, you might want to look into ways to specify your self-signed certificate as trusted (maybe via curl.cainfo in php.ini?).

Unfortunately, as the error is not on the side of the extension, it's outside the scope of what I can help you with.
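An added example (not code from the extension or from either participant) of the "more secure option" mentioned above: keeping certificate verification on and trusting the private CA instead of setting 'verify' => false. The CA bundle path, endpoint and region are assumptions; the cURL errors in the thread come from the SDK's Guzzle/cURL handler, while the "copy(): SSL operation failed" lines come from PHP's own https stream wrapper, which the SDK's 'http' option does not cover, so the example configures both.

```php
<?php
// Added example, not the extension's own code. Assumed values are marked.
require_once __DIR__ . '/vendor/autoload.php';

// Assumed path: a PEM bundle containing the CA that signed the MinIO endpoint's certificate.
$caBundle = '/etc/ssl/certs/private-ca-bundle.pem';

if ( !is_readable( $caBundle ) ) {
    // Fail loudly: a missing bundle must not silently become "no verification".
    throw new RuntimeException( "CA bundle not readable: $caBundle" );
}

// 1. Weak variant (what the thread experiments with): every SDK request skips
//    certificate verification, so any host that answers on that name is trusted.
$paramsWeak = [
    'http'                    => [ 'verify' => false ],
    'version'                 => '2006-03-01',
    'region'                  => 'eu-central-1',                  // assumed
    'endpoint'                => 'https://api-minio.example.test', // assumed
    'use_path_style_endpoint' => true,
    'credentials'             => [
        'key'    => getenv( 'MW_S3_KEY' ),
        'secret' => getenv( 'MW_S3_SECRET' ),
    ],
];

// 2. Hardened variant: identical config, but 'verify' names the CA bundle, so the
//    SDK (Guzzle/cURL) validates the chain against the private CA only.
$paramsHardened = $paramsWeak;
$paramsHardened['http'] = [ 'verify' => $caBundle ];

$s3 = new Aws\S3\S3Client( $paramsHardened );

// 3. The presigned-URL download uses PHP's copy() on an https:// URL, i.e. the
//    openssl stream wrapper, which ignores the SDK option above. Give it the same
//    bundle through the default stream context (equivalent to setting
//    openssl.cafile in php.ini) while keeping peer and hostname checks enabled.
stream_context_set_default( [
    'ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'cafile'           => $caBundle,
    ],
] );
```

With both settings in place a certificate that does not chain to the private CA still fails closed, which is the behaviour you want to keep rather than disable.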