
S3 Compatible object storage with cert verification



Hello, I want to connect Kasten K10 with S3 Compatible storage with TLS encryption and certificate verification.

If I check the checkbox 'Skip certificate chain and hostname verification', the connection works. However, if I uncheck it, I get an error:

There was a problem validating the profile
failed to get bucket s3-backup: GetBucketLocation: RequestError: send request failed caused by: Get "https://qwe.qwe.qwe:9021/s3-backup?location=": tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match qwe.qwe.qwe

 

I have downloaded the certificate from https://qwe.qwe.qwe:9021 and added it to the YAML file of the Kasten K10 instance (custom-ca-bundle-store).

 

After making this change, the same error still persists.

 

Could someone please help me with what I’m doing wrong?

 

Br, Mike

4 comments

Hagag
  • Experienced User
  • 154 comments
  • May 23, 2024

Hi @gavezm, try downloading k10tools and use the k10tools debug ca-certificate command to check whether the CA certificate is installed properly in K10.

Check the link below for more details:

https://docs.kasten.io/latest/operating/k10tools.html?highlight=k10tools%20debug%20ca%20certificate#ca-certificate-check

BR,
Ahmed Hagag


  • Author
  • Comes here often
  • 8 comments
  • May 24, 2024

Hello, I did it, and the certificate exists.

What else can I do to check what I’m doing wrong?

Br, Mike


Hagag
  • Experienced User
  • 154 comments
  • May 24, 2024

Hi @gavezm, do you have any intermediate CAs as well? You need to get the CA of the root that signed the certificate for the S3 endpoint, and the intermediates if any, into a file custom-ca-bundle.pem.

Also, make sure you have enabled the S3 permission for GetBucketLocation (it is not related).

If the issue still persists, I’d recommend collecting the debug logs and opening a trial case with our Kasten support team to check.

BR,
Ahmed Hagag

 


  • Author
  • Comes here often
  • 8 comments
  • May 24, 2024

I think the problem is that the certificate of the S3 endpoint doesn’t have any Subject Alternative Name (SAN) inside the certificate.

Error: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match s3.qwe.qweqwe.qwe

 

Is it possible to remove only matching?

 

Br, Mike

