Discussions related to using object storage as a backup target.

[Wasabi] Failed to retrieve certificate from https://s3.ap-northeast-1.wasabisys.com

Post by pirx »

Those certificates.... I've a location in China where we offload backups to s3.ap-northeast-1.wasabisys.com. Or we want to do that.

For the majority of tasks I get this error. But not for all.

16.12.2023 17:56:25 :: Processing xxxx Error: Failed to retrieve certificate from https://s3.ap-northeast-1.wasabisys.com

Sometimes when I configure the gateway for capacity tier I get the same error, sometimes not. The openssl check looks the same on gateway and VBR server, as well as on my private computer at home. I know that CRL can't be an issue but I already set ObjectStorageCRLCheckMode to 3.

Before I open tickets (again) at Veeam and Wasabi, is someone else seeing something similar to this Wasabi region? And are there other steps to debug?

Code:

PS D:\software\openssl-3.2.0\openssl-3\x64\bin> .\openssl.exe s_client -connect 's3.ap-northeast-1.wasabisys.com:443' -servername s3.ap-northeast-1.wasabisys.com
Connecting to 103.151.85.100
CONNECTED(000001B0)
depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
verify return:1
depth=1 C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C=US, ST=Massachusetts, L=Boston, O=Wasabi Technologies LLC, CN=*.s3.ap-northeast-1.wasabisys.com
verify return:1
---
Certificate chain
 0 s:C=US, ST=Massachusetts, L=Boston, O=Wasabi Technologies LLC, CN=*.s3.ap-northeast-1.wasabisys.com
   i:C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 27 00:00:00 2023 GMT; NotAfter: Oct  3 23:59:59 2024 GMT
 1 s:C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
   i:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 30 00:00:00 2021 GMT; NotAfter: Mar 29 23:59:59 2031 GMT
 2 s:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
   i:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug  1 12:00:00 2013 GMT; NotAfter: Jan 15 12:00:00 2038 GMT
---
Server certificate
subject=C=US, ST=Massachusetts, L=Boston, O=Wasabi Technologies LLC, CN=*.s3.ap-northeast-1.wasabisys.com
issuer=C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4528 bytes and written 403 bytes
Verification error: self-signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
This TLS version forbids renegotiation.
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self-signed certificate in certificate chain)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: A62B7DC3F40C1FE709FA3A4CE13ED2BCC7585CEAB0FD41BE95022A1A4651A949
    Session-ID-ctx:
    Resumption PSK: 15A705EBF2490333C93B9F1B933EA9047C0DDAA03CBCCE3892CBED57E84B6A16
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1702749603
    Timeout   : 7200 (sec)
    Verify return code: 19 (self-signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: B9D540AEAC3788887B31307C1573A9E17677B078E331330D17DE5E5F8828C482
    Session-ID-ctx:
    Resumption PSK: 2D77B2859FADDD9BF041E3FFB15CCEEEF27472B5BFC77E41B53D946A1EA0E624
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1702749603
    Timeout   : 7200 (sec)
    Verify return code: 19 (self-signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed


Re: [Wasabi] Failed to retrieve certificate from https://s3.ap-northeast-1.wasabisys.com

Post by Mildur »

Hi Pirx

There are some cases with a similar error message. The cases I checked had issues related to the customer's network. I recommend opening a support case to troubleshoot the issue in your environment. Please don't forget to provide me with the case number.

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: [Wasabi] Failed to retrieve certificate from https://s3.ap-northeast-1.wasabisys.com

Post by pirx »

#07055728 It's possible that something on the firewall side is missing. I requested clearance for

Destination, port 443/80:
gw --> s3.ap-northeast-1.wasabisys.com, s3.ap-southeast-1.wasabisys.com
gw --> s3.ap-northeast-1.wasabisys.com, s3.ap-southeast-1.wasabisys.com
gw --> s3.ap-northeast-1.wasabisys.com, s3.ap-southeast-1.wasabisys.com

And in addition Destinations, Port 80:
ocsp.sectigo.com
ocsp.usertrust.com
ocsp.comodoca.com
crl.sectigo.com
crl.usertrust.com
crl.comodoca.com


It's strange that the openssl connection test from gw looks ok to me.
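
Added example (not part of the thread and not Veeam or Wasabi code): a Python parser for the `s_client` output posted above. It checks that the chain links are intact, whether verify code 19 is explained by a server-sent root that the local OpenSSL trust store lacks, and whether any revocation host from the firewall request carries the issuing CA's name. The function names, the expected issuer value and the name-token match are assumptions of this example; the sample text is trimmed from the output in the first post.

```python
import re

# Constructed sample: the "Certificate chain" section and verify line from the
# s_client output posted above, trimmed to the fields this parser reads.
S_CLIENT_OUTPUT = """\
Certificate chain
 0 s:C=US, ST=Massachusetts, L=Boston, O=Wasabi Technologies LLC, CN=*.s3.ap-northeast-1.wasabisys.com
   i:C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
 1 s:C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
   i:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
 2 s:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
   i:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
---
Verify return code: 19 (self-signed certificate in certificate chain)
"""

# Revocation hosts listed in the firewall request in the post above.
ALLOWLISTED = ["ocsp.sectigo.com", "ocsp.usertrust.com", "ocsp.comodoca.com",
               "crl.sectigo.com", "crl.usertrust.com", "crl.comodoca.com"]

def parse_chain(text):
    """Return [(depth, subject, issuer)] from the 'Certificate chain' section."""
    pairs = re.findall(r"^\s*(\d+) s:(.+)\n\s+i:(.+)$", text, re.M)
    return [(int(d), s.strip(), i.strip()) for d, s, i in pairs]

def field(dn, key):
    """Pull one attribute (e.g. 'O' or 'CN') out of a one-line distinguished name."""
    m = re.search(r"(?:^|, )" + key + r"=([^,]+)", dn)
    return m.group(1).strip() if m else None

def assess(text, expected_leaf_issuer_org, allowlist):
    """Summarise what the s_client output says about the chain and trust."""
    chain = parse_chain(text)
    code = int(re.search(r"Verify return code: (\d+)", text).group(1))
    top = chain[-1]
    links_ok = all(chain[n][2] == chain[n + 1][1] for n in range(len(chain) - 1))
    root_sent = top[1] == top[2]  # top certificate is self-issued
    issuer_org = field(chain[0][2], "O")
    # Heuristic (assumption): first word of the issuer organisation, e.g. "digicert".
    token = issuer_org.split()[0].lower()
    return {
        "verify_code": code,
        "links_ok": links_ok,
        "root_sent_by_server": root_sent,
        # Code 19 on an intact chain: the root was not found in the local trust store.
        "root_missing_locally": code == 19 and links_ok and root_sent,
        # A TLS-inspecting middlebox would present a different issuer here.
        "leaf_issuer_matches": issuer_org == expected_leaf_issuer_org,
        "allowlisted_hosts_for_issuer": [h for h in allowlist if token in h],
    }
```

Running `assess(S_CLIENT_OUTPUT, "DigiCert Inc", ALLOWLISTED)` on captures taken from each gateway and from the VBR server gives a field-by-field comparison instead of an eyeball check of the raw output.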