minio / mc

Unix like utilities for object store
https://min.io/download
GNU Affero General Public License v3.0
2.86k stars 548 forks source link

Unable to add S3 compatible host #3635

Closed GreyArea765 closed 3 years ago

GreyArea765 commented 3 years ago

Expected behavior

The host is added to the mc config

Actual behavior

Error: The request signature we calculated does not match the signature you provided.

Steps to reproduce the behavior

This may be difficult as we are using two "S3 compatible" providers, NetApp StorageGRID and Zadara ZIOS (we're trying to migrate data between the two).

  1. Add the host ./mc --debug --insecure config host add s3dest https://1.2.3.4:443
  2. Observe error

mc --version

mc version RELEASE.2021-02-19T05-34-40Z

System information

Ubuntu 20.04 desktop system.

Debug output

$ ./mc --debug  --insecure config host add s3dest https://1.2.3.4:443
Enter Access Key: my-access-key
Enter Secret Key:
mc: <DEBUG> GET /probe-bucket-sign-rfwkppjbonun/?location= HTTP/1.1
Host: 1.2.3.4
User-Agent: MinIO (linux; amd64) minio-go/v7.0.9
Authorization: AWS4-HMAC-SHA256 Credential=my-access-key/20210303/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, S*
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20210303T141031Z
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Wed, 03 Mar 2021 14:10:32 GMT
X-Amz-Id-2: tx5462739cc57a46f1a77bf-00603f98d7
X-Amz-Request-Id: tx5462739cc57a46f1a77bf-00603f98d7
X-Openstack-Request-Id: tx5462739cc57a46f1a77bf-00603f98d7
X-Trans-Id: tx5462739cc57a46f1a77bf-00603f98d7

75b
<?xml version='1.0' encoding='UTF-8'?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</T
/probe-bucket-sign-rfwkppjbonun/
location=
host:1.2.3.4
x-amz-content-sha256:UNSIGNED-PAYLOAD
x-amz-date:20210303T141031Z

host;x-amz-content-sha256;x-amz-date
UNSIGNED-PAYLOAD</CanonicalRequest><CanonicalRequestBytes>47 45 54 0a 2f 70 72 6f 62 65 2d 62 75 63 6b 65 74 2d 73 69 67 6e 2d 72 66 77 6b 70 70 6a 62 6f 6e 75 6e 2f6
20210303T141031Z
20210303/my-custom-region/s3/aws4_request
4ed5e79cf24ee6628a39cf5ec29f0286c53825ce4bebf235844afe2d33f09332</StringToSign><SignatureProvided>6cab643c45b60f716c239f0d9fc78d90a164eb9346aa0b2ea258be50c8ec9a29</S>
0

mc: <DEBUG> TLS Certificate found:
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: DigiCert Inc
mc: <DEBUG>  >> Expires: 2021-05-12 12:00:00 +0000 UTC
mc: <DEBUG> TLS Certificate found:
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: DigiCert Inc
mc: <DEBUG>  >> Expires: 2023-03-08 12:00:00 +0000 UTC
mc: <DEBUG> Response Time:  50.336436ms

mc: <DEBUG> GET /probe-bucket-sign-rfwkppjbonun/?location= HTTP/1.1
Host: 1.2.3.4
User-Agent: MinIO (linux; amd64) minio-go/v7.0.9
Authorization: AWS4-HMAC-SHA256 Credential=my-access-key/20210303/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, S*
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20210303T141032Z
Accept-Encoding: gzip

mc: <DEBUG> HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Wed, 03 Mar 2021 14:10:32 GMT
X-Amz-Id-2: txb654ff34e1334f6ca3fa9-00603f98d8
X-Amz-Request-Id: txb654ff34e1334f6ca3fa9-00603f98d8
X-Openstack-Request-Id: txb654ff34e1334f6ca3fa9-00603f98d8
X-Trans-Id: txb654ff34e1334f6ca3fa9-00603f98d8

75b
<?xml version='1.0' encoding='UTF-8'?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</T
/probe-bucket-sign-rfwkppjbonun/
location=
host:1.2.3.4
x-amz-content-sha256:UNSIGNED-PAYLOAD
x-amz-date:20210303T141032Z

host;x-amz-content-sha256;x-amz-date
UNSIGNED-PAYLOAD</CanonicalRequest><CanonicalRequestBytes>47 45 54 0a 2f 70 72 6f 62 65 2d 62 75 63 6b 65 74 2d 73 69 67 6e 2d 72 66 77 6b 70 70 6a 62 6f 6e 75 6e 2f6
20210303T141032Z
20210303/my-custom-region/s3/aws4_request
bf5ae35b890a0c60210cc183b5297fb246f6eea4badb8988844859a9408490c9</StringToSign><SignatureProvided>65c1460774b8626962490d72bc8aaa5b1af960afd7410842f3dda8ad42f52fa7</S>
0

mc: <DEBUG> TLS Certificate found:
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: DigiCert Inc
mc: <DEBUG>  >> Expires: 2021-05-12 12:00:00 +0000 UTC
mc: <DEBUG> TLS Certificate found:
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: DigiCert Inc
mc: <DEBUG>  >> Expires: 2023-03-08 12:00:00 +0000 UTC
mc: <DEBUG> Response Time:  14.543984ms

mc: <ERROR> Unable to initialize new alias from the provided credentials. The request signature we calculated does not match the signature you provided. Check your k.
 (5) alias-set.go:318 cmd.mainAliasSet(..) Tags: [s3dest, https://1.2.3.4:443]
 (4) alias-set.go:242 cmd.BuildS3Config(..) Tags: [https://1.2.3.4:443, my-access-key, Secret key: my-secret-key, , auto]
 (3) alias-set.go:216 cmd.probeS3Signature(..) Tags: [s3v4, s3v2]
 (2) alias-set.go:208 cmd.probeS3Signature.func1(..) Tags: [s3v2]
 (1) client-s3.go:1382 cmd.(*S3Client).Stat(..) Tags: [probe-bucket-sign-rfwkppjbonun]
 (0) client-s3.go:1948 cmd.(*S3Client).bucketStat(..)
 Release-Tag:RELEASE.2021-02-19T05-34-40Z | Commit:b3c692d6eb49 | Host:my-client-host | OS:linux | Arch:amd64 | Lang:go1.15.7 | Mem:4.3 MB/74 MB | .
harshavardhana commented 3 years ago

If you add port that will be ignored from signature calculation, not sure why are you adding port when with https port 443 is implicit.

GreyArea765 commented 3 years ago

Removing the port does not resolve the issue, could this be reopened please?

harshavardhana commented 3 years ago

Removing the port does not resolve the issue, could this be reopened please?

@GreyArea765 mc works with AWS S3 and MinIO - you need to ask your S3 vendor on what they are doing wrong.