Accessing S3 buckets whose names contain a dot (.) from gsutil

Accessing an S3 bucket whose name contains a dot (.) from gsutil can fail with an error. This article explains the cause of that error and a workaround, and then proposes a way to avoid the problem altogether.

The problem that can occur

    $ gsutil ls s3://dot.example.com

    Failure: Host dot.example.com.s3.amazonaws.com returned an invalid certificate (remote hostname "dot.example.com.s3.amazonaws.com" does not match certificate): {'notAfter': 'Apr  9 23:59:59 2015 GMT', 'subjectAltName': (('DNS', '*.s3.amazonaws.com'), ('DNS', 's3.amazonaws.com')), 'subject': ((('countryName', u'US'),), (('stateOrProvinceName', u'Washington'),), (('localityName', u'Seattle'),), (('organizationName', u'Amazon.com Inc.'),), (('commonName', u'*.s3.amazonaws.com'),))}.

Why this problem occurs

The wildcard certificate served by Amazon S3 has a Subject Alternative Name of *.s3.amazonaws.com. A wildcard label matches exactly one DNS label, so it covers dotexample.s3.amazonaws.com but not dot.example.com.s3.amazonaws.com, and the TLS client reports a hostname mismatch for the latter.
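
To make the single-label rule concrete, here is an added example (not code from the article or from gsutil/boto) that implements a simplified RFC 6125-style hostname matcher and checks the bucket names above against the SAN entries copied from the error output. The endpoint format `<bucket>.s3.amazonaws.com` is taken from the error text; the function names are this example's own.

```python
from typing import Iterable, List

# DNS names copied from the subjectAltName in the gsutil error above.
S3_SAN_DNS_NAMES = ("*.s3.amazonaws.com", "s3.amazonaws.com")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125 check: '*' is honoured only as the entire
    left-most label, and it matches exactly one label, never a dotted
    string such as 'dot.example.com'."""
    pattern_labels = pattern.lower().split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(pattern_labels) != len(host_labels):
        return False  # a wildcard cannot absorb extra labels
    first, rest = pattern_labels[0], pattern_labels[1:]
    if first != "*" and first != host_labels[0]:
        return False
    return rest == host_labels[1:]


def hostname_matches_cert(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """True if any SAN dNSName entry matches the hostname."""
    return any(dns_name_matches(p, hostname) for p in san_dns_names)


def virtual_hosted_endpoint(bucket: str) -> str:
    """Host that gsutil/boto connect to for s3://<bucket> (see the error)."""
    return f"{bucket}.s3.amazonaws.com"


def bucket_name_is_tls_safe(bucket: str,
                            san_dns_names: Iterable[str] = S3_SAN_DNS_NAMES) -> bool:
    """Will the S3 wildcard certificate validate for this bucket's endpoint?"""
    return hostname_matches_cert(virtual_hosted_endpoint(bucket), san_dns_names)


def buckets_with_hostname_mismatch(names: Iterable[str]) -> List[str]:
    """Bucket names whose virtual-hosted endpoint the certificate cannot cover."""
    return [n for n in names if not bucket_name_is_tls_safe(n)]


if __name__ == "__main__":
    # Constructed sample: one dotted and one dot-free bucket name.
    for name in ("dot.example.com", "dotexample"):
        print(name, "->", "OK" if bucket_name_is_tls_safe(name) else "MISMATCH")
```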

Workaround for this problem

As also explained in
https://github.com/GoogleCloudPlatform/gsutil/blob/master/gslib/commands/config.py
the generated configuration contains:

    [Boto]

[...]

      https_validate_certificates

[...]

# Set 'https_validate_certificates' to False to disable server certificate
# checking. The default for this option in the boto library is currently
# 'False' (to avoid breaking apps that depend on invalid certificates); it is
# therefore strongly recommended to always set this option explicitly to True
# in configuration files, to protect against "man-in-the-middle" attacks.
https_validate_certificates = True

In the Boto config (e.g., ~/.boto), change this line

    https_validate_certificates = True

to

    https_validate_certificates = False

This turns off server certificate checking, the protection described in the quoted comment above.

Summary

Do not use names containing a dot (.) for buckets that will not use the S3 Static Website Hosting feature. (Important)

When creating an S3 bucket, decide whether it will use Static Website Hosting before choosing the bucket name. (Important)
