Error
When accessing Amazon S3 buckets with a period (.) in their name, S3Express reports error "51 - SSL: no alternative certificate subject name matches target host name".
This error is caused by a host name validation failure of the SSL certificate presented by the Amazon S3 servers.
Explanation
The Amazon S3 servers all have a certificate issued to *.s3.amazonaws.com.
If you request an object in a bucket without any periods (.) in its name, things will work fine. For example, the URL might be https://bucketname.s3.amazonaws.com/myObjectKey. This request will arrive at an S3 server (whose certificate was issued to *.s3.amazonaws.com), which will notice that the URL's host name is indeed a direct subdomain of s3.amazonaws.com, and the secure https connection will succeed.
However, if you request an object in a bucket with a period (.) in its name, such as https://my.bucket.s3.amazonaws.com/myObjectKey, the host name component of the URL is my.bucket.s3.amazonaws.com, but the actual server that gets the request is an S3 server whose certificate was issued to *.s3.amazonaws.com. The wildcard in a certificate name matches only a single host name label, so my.bucket.s3.amazonaws.com is NOT considered a subdomain of s3.amazonaws.com: a multi-level subdomain – that is, a subdomain that has more than one period in it before s3.amazonaws.com – does not match the wildcard. S3Express will therefore report that the server's SSL certificate, issued to *.s3.amazonaws.com, does NOT match the host name of the request, my.bucket.s3.amazonaws.com, and refuse the connection.
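The matching rule described above, as an added example that is not S3Express code: a wildcard certificate name is compared label by label, with the asterisk covering exactly one label. It assumes only the wildcard name *.s3.amazonaws.com and the two bucket names used in this article.

```python
"""Single-label wildcard matching, the rule that makes my.bucket.s3.amazonaws.com
fail against a certificate issued to *.s3.amazonaws.com (added example).
"""


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Return True if the certificate name covers hostname.

    Rules applied (the conservative form TLS clients use):
    - comparison is case-insensitive, trailing dots are ignored;
    - '*' is only accepted as the entire leftmost label;
    - '*' matches exactly one label, never zero and never several.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")

    if "*" not in cert_labels:
        # No wildcard: the names must be identical label for label.
        return cert_labels == host_labels

    if cert_labels[0] != "*" or "*" in cert_labels[1:]:
        return False  # wildcard must be the whole leftmost label only

    if len(cert_labels) != len(host_labels):
        return False  # '*' consumes one label, so label counts must agree

    # Every label after the wildcard must match exactly.
    return cert_labels[1:] == host_labels[1:]


def s3_virtual_host(bucket: str) -> str:
    """Virtual-hosted-style host name S3Express builds for a bucket."""
    return f"{bucket}.s3.amazonaws.com"


def bucket_cert_ok(bucket: str, cert_name: str = "*.s3.amazonaws.com") -> bool:
    """Would the S3 wildcard certificate validate for this bucket's host name?"""
    return wildcard_matches(cert_name, s3_virtual_host(bucket))


if __name__ == "__main__":
    for bucket in ("bucketname", "my.bucket"):
        verdict = "matches" if bucket_cert_ok(bucket) else "does NOT match"
        print(f"{s3_virtual_host(bucket)}: *.s3.amazonaws.com {verdict}")
```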
Solution
a) Do not use periods (.) in bucket names.
b) Switch to using unsecured HTTP, so the connection is no longer encrypted. You can do this with the command setopt -protocol:http in S3Express.