Subdomains of s3.amazonaws.com are untrusted in Firefox 36.0

  • 7 replies
  • 20 have this problem
  • 14 views
  • Last reply by Meteor

Hi, since FF 36.0 was released we are experiencing problems when loading content from S3 on our website. Images that are stored on S3 are not displayed at all. All other browsers display our site/images correctly.

When you go to an image's URL directly, you get a warning that the connection is untrusted. https://eventsquare_vsr_dev.s3.amazonaws.com/uploads/images/Solo_Reg_Icon-201411281520.png

It seems that since FF 36.0 all the subdomains of s3.amazonaws.com are untrusted.

The only way we can make this work is to change the S3 URL format from: https://[bucket].s3.amazonaws.com/[path_to_file] to: https://s3.amazonaws.com/[bucket]/[path_to_file]

Can you explain to me why subdomains of s3.amazonaws.com are not trusted anymore? Is that a problem on Amazon's end? Do you have any other alternative solutions for our problem?

Thank you for your help.

Jano

All replies (7)

We're sorry that you are running into this issue. The reason you are getting this message is because while the site you are visiting does have SSL, it is not providing a valid certificate for the subdomain.

See "This connection is untrusted - what to do"

bkerensa said

We're sorry that you are running into this issue. The reason you are getting this message is because while the site you are visiting does have SSL, it is not providing a valid certificate for the subdomain. See "This connection is untrusted - what to do"

Thank you for your opinion.

It is hard to believe that Amazon can have problems with SSL certificates.

We found out that we have invalid names of our buckets... Our buckets contain underscores, which is an invalid character.

Amazon AWS does provide documentation on how to set up your S3 buckets with a certificate so it provides that for all HTTPS requests. I would consult their documentation on this.

EDIT: I see you discovered the underscore character is the problem (it is not valid in a host name) but Firefox's error message certainly could be improved.


The error page says:

eventsquare_vsr_dev.s3.amazonaws.com:443 uses an invalid security certificate.
The certificate is only valid for the following names:
  *.s3.amazonaws.com, s3.amazonaws.com  
(Error code: ssl_error_bad_cert_domain)

Since it's a wildcard cert, this domain should be okay.

Firefox 36 did make a change with respect to wildcard certificates described in this bug report: 1089104 – ssl_error_bad_cert_domain when subjectAltName extension is missing and Subject CN is encoded as TeletexString, but it seems that the Amazon S3 certificate should satisfy the requirement because it does have the Certificate Subject Alt Name field.

I don't understand what's going on here...

Modified by jscher2000 - Support Volunteer

Chosen solution

We discovered that if we replace underscores with hyphens in our bucket names, then everything works fine. I created a new bucket with hyphens and copied that file over there, and it works fine:

https://eventsquare-vsr-dev.s3.amazonaws.com/uploads/images/Manage_My_Team_Icon-201411281519.png

Underscores seem to work similarly to dots: they split your subdomain into a subdomain and a sub-subdomain. Amazon's AWS domain is using a *.s3.amazonaws.com wildcard SSL certificate. Wildcard SSL certificates do not cover sub-subdomains (http://stackoverflow.com/questions/3088022/is-it-possible-to-have-a-valid-sub-subdomain-with-a-wildcard-certificate). That would explain why Firefox thinks that there is a certificate issue with Amazon's AWS domain.

Modified by janovalaska
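
An added example, not part of the thread and not Firefox's or Amazon's code: a Python check that models a strict validator (each hostname label limited to letters, digits and hyphens, and a wildcard standing for exactly one label) against the two names shown on the error page, and falls back to the path-style URL from the question when the bucket name cannot form a matching host. The function names are hypothetical and the matching rules are an assumed model, not the browser's actual implementation.

```python
import re

# One hostname label under the letters-digits-hyphen rule (RFC 952/1123):
# 1-63 characters, no leading or trailing hyphen. Underscore is not allowed.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

S3_SUFFIX = "s3.amazonaws.com"
# Names listed on the error page quoted in the thread.
CERT_NAMES = ["*.s3.amazonaws.com", "s3.amazonaws.com"]


def is_valid_hostname(host):
    """True if every dot-separated label satisfies the LDH rule."""
    return len(host) <= 253 and all(
        LABEL_RE.fullmatch(label) for label in host.split(".")
    )


def cert_name_matches(pattern, host):
    """Assumed strict match: a leading '*' stands for exactly one label."""
    if not is_valid_hostname(host):
        return False  # a malformed reference name matches nothing
    p = pattern.lower().split(".")
    h = host.lower().split(".")
    if len(p) != len(h):
        return False  # the wildcard never spans a dot
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def s3_url(bucket, key):
    """Return (url, style), using path-style when the virtual host would fail."""
    host = f"{bucket}.{S3_SUFFIX}"
    if any(cert_name_matches(name, host) for name in CERT_NAMES):
        return f"https://{host}/{key}", "virtual-hosted"
    return f"https://{S3_SUFFIX}/{bucket}/{key}", "path"


if __name__ == "__main__":
    key = "uploads/images/Solo_Reg_Icon-201411281520.png"
    # Bucket names from the thread, plus one constructed name containing a dot.
    for bucket in ("eventsquare_vsr_dev", "eventsquare-vsr-dev", "my.bucket"):
        print(bucket, "->", s3_url(bucket, key))
```

Running the same check over every bucket name before deployment shows which ones need renaming or path-style URLs.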

Awesome research and analysis. Hopefully any other affected S3 users will find this thread so they won't have to pull out as many hairs.
