Closed simondutertre closed 5 months ago
To completely disable SSL certificate verification, edit the file s3/AmazonS3FileBackend.php, adding the following line:
'http' => [ 'verify' => false ],
... after this existing line:
$params['credentials'] = [
A more secure option: instead of false, specify the path to a CA certificate bundle (which you can make yourself) that trusts the certificate you are using.
Please see this AWS documentation if you have any questions: https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_configuration.html#http-verify
Thank you for your help,
I have tried this param both in localSettings and in the extension code:
$wgAWSCredentials = [
    'http' => [ 'verify' => false ],
    'key' => getenv('MW_S3_KEY'),
    'secret' => getenv('MW_S3_SECRET'),
    'token' => false,
];
or in the codebase:
} elseif ( isset( $config['awsKey'] ) ) {
    $params['credentials'] = [
        'http' => [ 'verify' => false ],
        'key' => $config['awsKey'],
        'secret' => $config['awsSecret'],
        'token' => $config['awsToken'] ?? false
    ];
}
But I still have some SSL errors:
2024-05-14 07:53:03 b50164c7c1a8 mediawiki: S3FileBackend: found backend with S3 buckets: mediawiki, mediawiki/thumb, mediawiki/deleted, mediawiki/temp.
2024-05-14 07:53:03 b50164c7c1a8 mediawiki: S3FileBackend: doGetFileStat(): obtaining information about thumb/b/b9/logo.3ed6.png/575px-logo.3ed6.png in S3 bucket mediawiki
2024-05-14 07:53:04 b50164c7c1a8 mediawiki: S3FileBackend: exception [Null] in AmazonS3FileBackend::statUncached from HeadObject ({"Bucket":"mediawiki","Key":"thumb/b/b9/logo.3ed6.png/575px-logo.3ed6.png","@http":{"decode_content":false,"delay":101},"@context":[]}): Error executing "HeadObject" on "https://api-minio.xxx.xxx/mediawiki/thumb/b/b9/logo.3ed6.png/575px-logo.3ed6.png"; AWS HTTP error: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://api-minio.xxx.xxx/mediawiki/thumb/b/b9/logo.3ed6.png/575px-logo.3ed6.png
2024-05-14 07:53:04 b50164c7c1a8 mediawiki: FileBackendStore::ingestFreshFileStats: File mwstore://AmazonS3/local-thumb/b/b9/logo.3ed6.png/575px-logo.3ed6.png does not exist
2024-05-14 07:53:04 b50164c7c1a8 mediawiki: S3FileBackend: doGetFileStat(): obtaining information about thumb/b/b9/logo.3ed6.png/454px-logo.3ed6.png in S3 bucket mediawiki
2024-05-14 07:53:04 b50164c7c1a8 mediawiki: S3FileBackend: exception [Null] in AmazonS3FileBackend::statUncached from HeadObject ({"Bucket":"mediawiki","Key":"thumb/b/b9/logo.3ed6.png/454px-logo.3ed6.png","@http":{"decode_content":false,"delay":31},"@context":[]}): Error executing "HeadObject" on "https://api-minio.xxx.xxx/mediawiki/thumb/b/b9/logo.3ed6.png/454px-logo.3ed6.png"; AWS HTTP error: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://api-minio.xxx.xxx/mediawiki/thumb/b/b9/logo.3ed6.png/454px-logo.3ed6.png
2024-05-14 07:53:04 b50164c7c1a8 mediawiki: FileBackendStore::ingestFreshFileStats: File mwstore://AmazonS3/local-thumb/b/b9/logo.3ed6.png/454px-logo.3ed6.png does not exist
2024-05-14 07:53:04 b50164c7c1a8 mediawiki: S3FileBackend: getFileHttpUrl(): obtaining presigned S3 URL of b/b9/logo.3ed6.png in S3 bucket mediawiki
2024-05-14 07:53:04 b50164c7c1a8 mediawiki: S3FileBackend: downloading presigned S3 URL https://api-minio.xxx.xxx/mediawiki/b/b9/logo.3ed6.png?xxx
2024-05-14 07:53:04 b50164c7c1a8 mediawiki: copy(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2024-05-14 07:53:04 b50164c7c1a8 mediawiki: copy(): Failed to enable crypto
My mistake, it should have been in $params, not $params['credentials'].
Does it work if you insert this line (in s3/AmazonS3FileBackend.php) above the following line?
'version' => '2006-03-01',
Unfortunately there are still some errors:
Docker logs on mediawiki startup:
mediawiki | Aws\S3\Exception\S3Exception from line 196 of /var/www/mediawiki/w/user-extensions/AWS/vendor/aws/aws-sdk-php/src/WrappedHttpHandler.php: Error executing "ListObjects" on "https://api-minio....-dev.xxx.com/mediawiki/?prefix=temp%2F&delimiter=&encoding-type=url"; AWS HTTP error: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://api-minio.xxx.xxx.com/mediawiki/?prefix=temp%2F&delimiter=&encoding-type=url
mediawiki | #0 /var/www/mediawiki/w/user-extensions/AWS/vendor/aws/aws-sdk-php/src/WrappedHttpHandler.php(98): Aws\WrappedHttpHandler->parseError()
mediawiki | #1 /var/www/mediawiki/w/user-extensions/AWS/vendor/guzzlehttp/promises/src/Promise.php(209): Aws\WrappedHttpHandler->Aws{closure}()
mediawiki | #2 /var/www/mediawiki/w/user-extensions/AWS/vendor/guzzlehttp/promises/src/Promise.php(174): GuzzleHttp\Promise\Promise::callHandler()
FileOperation log file on image resize:
2024-05-14 09:20:39 b50164c7c1a8 mediawiki: S3FileBackend: getFileHttpUrl(): obtaining presigned S3 URL of b/b9/logo.3ed6.png in S3 bucket mediawiki
2024-05-14 09:20:39 b50164c7c1a8 mediawiki: S3FileBackend: downloading presigned S3 URL https://api-minio.xxx-devxxx.com/mediawiki/b/b9/logo.3ed6.png?xxx
2024-05-14 09:20:39 b50164c7c1a8 mediawiki: copy(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2024-05-14 09:20:39 b50164c7c1a8 mediawiki: copy(): Failed to enable crypto
2024-05-14 09:20:39 b50164c7c1a8 mediawiki: copy(https://api-minio.xxx-devxxx.com/mediawiki/b/b9/logo.3ed6.png?X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&xxx): failed to open stream: operation failed
2024-05-14 09:20:39 b50164c7c1a8 mediawiki: S3FileBackend: Performance: 0.003 second spent on: downloading https://api-minio.xxx-devxxx.com/mediawiki/b/b9/logo.3ed6.png?xxxx from S3
2024-05-14 09:20:39 b50164c7c1a8 mediawiki: S3FileBackend: doGetLocalCopyMulti: b/b9/logo.3ed6.png from S3 bucket mediawiki couldn't be copied to: [Null]
For more info:
I have no errors locally in the docker-compose with 'http://minio:9000' in the env variable for $wgFileBackends['s3']['endpoint'], 'minio' being here the docker-compose service name. I can upload and resize images.
But I have those errors on my server with the same docker-compose when I replace this URL with my 'https://api-minio.xx' URL.
My localSettings config:
wfLoadExtension( 'AWS' );
$wgAWSCredentials = [
    'key' => getenv('MW_S3_KEY'),
    'secret' => getenv('MW_S3_SECRET'),
    'token' => false
];
$wgAWSRegion = getenv('MW_S3_REGION') ?: 'eu-central-1';
$wgAWSBucketName = getenv('MW_S3_BUCKET_NAME');
$wgAWSBucketDomain = getenv('MW_S3_FRONT_URL').'/'.$wgAWSBucketName;
$wgFileBackends['s3']['endpoint'] = getenv('MW_S3_API_URL');
$wgFileBackends['s3']['use_path_style_endpoint'] = true;
$wgAWSRepoHashLevels = '2';
What happens if you manually send a request to https://api-minio.xx/ ?
Try running the following command in the console of the Docker container that runs your webserver:
curl -X GET --insecure https://api-minio.xx/no/such/file
(this command should ignore certificate verification)
I do get an XML response from the service:
With the equivalent of your request, a 403 XML response:
<Error><Code>AccessDenied</Code><Message>Access Denied.</Message><Resource>/</Resource><RequestId>17CF583F1F655B24</RequestId><HostId>ce219821-1727-41f9-80f3-756f2207af5d</HostId></Error>
I don't know what to tell you: adding
'http' => [ 'verify' => false ],
to $params (what is passed to the constructor of the S3Client object) is (according to the documentation of the AWS PHP SDK) the correct way to completely disable this verification. This code (in s3/AmazonS3FileBackend.php) should have worked:
$params = [
    'http' => [ 'verify' => false ], // this line was added
    'version' => '2006-03-01',
    'region' => $config['awsRegion'] ?? $wgAWSRegion,
    'scheme' => $useHTTPS ? 'https' : 'http'
];
If it doesn't work, you might want to look into ways to specify your self-signed certificate as trusted (maybe via curl.cainfo in php.ini?).
Unfortunately, as the error is not on the side of the extension, it's outside the scope of what I can help you with.
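Added example (not part of the thread and not the extension's own code): the logs above show two separate failing paths, "cURL error 60" from the SDK's HTTP handler and "copy(): SSL operation failed" from PHP's https:// stream wrapper, and the SDK's 'http' => 'verify' setting only reaches the first. This sketch trusts a private CA bundle on both paths while keeping verification on; the MW_S3_CA_BUNDLE variable and the fallback bundle path are hypothetical.

```php
<?php
declare(strict_types=1);

// Fail early if the bundle is missing or does not begin with a parseable PEM certificate.
function assertCaBundle(string $path): void {
    $pem = is_readable($path) ? file_get_contents($path) : false;
    if ($pem === false || openssl_x509_read($pem) === false) {
        throw new RuntimeException("CA bundle not usable: $path");
    }
}

// Path 1: requests sent by the AWS SDK (Guzzle/cURL), the source of "cURL error 60".
function s3ClientParams(string $caBundle, string $endpoint, string $region): array {
    assertCaBundle($caBundle);
    return [
        'http' => ['verify' => $caBundle], // CA bundle path instead of false
        'version' => '2006-03-01',
        'region' => $region,
        'endpoint' => $endpoint,
        'use_path_style_endpoint' => true,
    ];
}

// Path 2: PHP's https:// stream wrapper, which copy() uses when given a presigned URL.
function trustCaForStreams(string $caBundle): void {
    assertCaBundle($caBundle);
    stream_context_set_default(['ssl' => [
        'cafile' => $caBundle,
        'verify_peer' => true,
        'verify_peer_name' => true,
    ]]);
}

// MW_S3_CA_BUNDLE and the fallback path are hypothetical; the other variables come from the thread.
$ca = getenv('MW_S3_CA_BUNDLE') ?: '/etc/ssl/certs/private-ca.pem';
$endpoint = (string) getenv('MW_S3_API_URL');
if (is_readable($ca) && $endpoint !== '') {
    trustCaForStreams($ca);
    $params = s3ClientParams($ca, $endpoint, getenv('MW_S3_REGION') ?: 'eu-central-1');
    if (class_exists(\Aws\S3\S3Client::class)) { // requires aws/aws-sdk-php to be autoloaded
        $client = new \Aws\S3\S3Client($params);
        echo "S3 client created, trusting CA bundle $ca\n";
    }
}
```

The php.ini settings curl.cainfo and openssl.cafile cover the same two paths process-wide, without code changes.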
Hi,
I am using an S3-compatible service with a self-signed cert.
In my file operation log file I have some:
cURL error 60: SSL certificate problem: unable to get local issuer certificate
Is there an option to ignore certificate errors on requests?