Those certificates.... I've a location in China where we offload backups to s3.ap-northeast-1.wasabisys.com. Or we want to do that.
For the majority of tasks I get this error. But not for all.
16.12.2023 17:56:25 :: Processing xxxx Error: Failed to retrieve certificate from https://s3.ap-northeast-1.wasabisys.com
Sometimes when I configure the gateway for capacity tier I get the same error, sometimes not. The openssl check looks the same on gateway and VBR server, as well as on my private computer at home. I know that CRL can't be an issue but I already set ObjectStorageCRLCheckMode to 3.
Before I open tickets (again) at Veeam and Wasabi, is someone else seeing something similar to this Wasabi region? And are there other steps to debug?
For the majority of tasks I get this error. But not for all.
16.12.2023 17:56:25 :: Processing xxxx Error: Failed to retrieve certificate from https://s3.ap-northeast-1.wasabisys.com
Sometimes when I configure the gateway for capacity tier I get the same error, sometimes not. The openssl check looks the same on gateway and VBR server, as well as on my private computer at home. I know that CRL can't be an issue but I already set ObjectStorageCRLCheckMode to 3.
Before I open tickets (again) at Veeam and Wasabi, is someone else seeing something similar to this Wasabi region? And are there other steps to debug?
Code:
PS D:\software\openssl-3.2.0\openssl-3\x64\bin> .\openssl.exe s_client -connect 's3.ap-northeast-1.wasabisys.com:443' -servername s3.ap-northeast-1.wasabisys.comConnecting to 103.151.85.100CONNECTED(000001B0)depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2verify error:num=19:self-signed certificate in certificate chainverify return:1depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2verify return:1depth=1 C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1verify return:1depth=0 C=US, ST=Massachusetts, L=Boston, O=Wasabi Technologies LLC, CN=*.s3.ap-northeast-1.wasabisys.comverify return:1---Certificate chain 0 s:C=US, ST=Massachusetts, L=Boston, O=Wasabi Technologies LLC, CN=*.s3.ap-northeast-1.wasabisys.com i:C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Sep 27 00:00:00 2023 GMT; NotAfter: Oct 3 23:59:59 2024 GMT 1 s:C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1 i:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Mar 30 00:00:00 2021 GMT; NotAfter: Mar 29 23:59:59 2031 GMT 2 s:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2 i:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Aug 1 12:00:00 2013 GMT; NotAfter: Jan 15 12:00:00 2038 GMT---Server certificate-----BEGIN CERTIFICATE-----MIIHKDCCBhCgAwIBAgIQBYz8zZmcXiX+7Ccbe6sK+zANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTMwMQYDVQQDEypEaWdpQ2VydCBHbG9iYWwgRzIgVExTIFJTQSBTSEEyNTYgMjAyMCBDQTEwHhcNMjMwOTI3MDAwMDAwWhcNMjQxMDAzMjM1OTU5WjCBhDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxDzANBgNVBAcTBkJvc3RvbjEgMB4GA1UEChMXV2FzYWJpIFRlY2hub2xvZ2llcyBMTEMxKjAoBgNVBAMMISouczMuYXAtbm9ydGhlYXN0LTEud2FzYWJpc3lzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIXM9bh8wfgo/74rEJS4qifTDHIXGwUr5Lj6jECWJ9a6bGNKGHM3lWp5vSOxr6IKwUYTXYqVlR03vbv2C/gEKkqF1hECPSEML7PM6oXmhlOBY/SgBJQQajrQEYWdX1YBlEkEuZH4CRpDjr6WKrRQMAi2RvyeTH8UPb4stQuRX4O66EXg/Gi9JCUOjp31BpRoyZ4M+LYUr2KAIO8V7Lvo/BTjXrceoMGUFP++OGA6GJNvMOQ4dsrWgUQn0LtOypFToit+TR61cr+0HLCHNdi9XBncK8xJOSlO2X0MtrqjIaQda4GO17yDNckq5gKTCTQlARNUV3Rycm0DvBHAY+A1oqUCAwEAAaOCA74wggO6MB8GA1UdIwQYMBaAFHSFgMBmx9833s+9KTeqAx2+7c0XMB0GA1UdDgQWBBTjP1gxf/IS21WelOWtHm6LahOU+DBNBgNVHREERjBEgiEqLnMzLmFwLW5vcnRoZWFzdC0xLndhc2FiaXN5cy5jb22CH3MzLmFwLW5vcnRoZWFzdC0xLndhc2FiaXN5cy5jb20wPgYDVR0gBDcwNTAzBgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwgZ8GA1UdHwSBlzCBlDBIoEagRIZCaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsRzJUTFNSU0FTSEEyNTYyMDIwQ0ExLTEuY3JsMEigRqBEhkJodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRHbG9iYWxHMlRMU1JTQVNIQTI1NjIwMjBDQTEtMS5jcmwwgYcGCCsGAQUFBwEBBHsweTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMFEGCCsGAQUFBzAChkVodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRHbG9iYWxHMlRMU1JTQVNIQTI1NjIwMjBDQTEtMS5jcnQwDAYDVR0TAQH/BAIwADCCAX4GCisGAQQB1nkCBAIEggFuBIIBagFoAHYA7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZsAAAGK1EEkpAAABAMARzBFAiEAjKPQYF23FlJJ5A4mg2MQaMqwQtZVKOUIoQcPNNUvmqkCIEqPy71g6j9Nrrb3rIi3ynT92v2B/4ANy2dSYYph9fpJAHYASLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHMAAAGK1EEk7wAABAMARzBFAiBznNub1RcUtK6TMJWK4yGm96pWQogx86yVyVqZedj81QIhAIPp7ped/j/k99Y1Ci0KFjWwHx09r4xHkus1vpHjPXyCAHYA2ra/az+1tiKfm8K7XGvocJFxbLtRhIU0vaQ9MEjX+6sAAAGK1EEkyQAABAMARzBFAiEAtbRkavkLwrLlCBOFHoTDlHo5fRGmlHKQ1EladV9vuncCIHZQ0IqiaksX+5EymroeV5cLpqpVjX4swPd+m6CHArDwMA0GCSqGSIb3DQEBCwUAA4IBAQB0xiS/TcMmVn3Uuff47On0GgUnBtcrzCiN0+P2lc9eSJ2rH5O5U2n6EWXjwl/d8+JDNzbkk16SGV+59VECS/uOAsbZeAhs0LjD6pTJQ5N1VyTwJ8RL8pQbE6U6mgN5Srqs/BY0aEYflWceHdbTamF0PlaOQqbAjBJwn28rSfAMM9A5Lw7/au5y0HetFMdWYDanHbKDoy8oXg1K4gmeJPdIseEirCdWnYMAFBhYNfPxBs4VGiaei8O9EMazb4iHhOANRu6IO7VoOlvaEkMihsprCePEKjmL9SN7cq2qPeWmJCSVrxhyNIZOjLCeTW16Ug9guiJn8FB19odT2gSCwDaK-----END CERTIFICATE-----subject=C=US, ST=Massachusetts, L=Boston, O=Wasabi Technologies LLC, CN=*.s3.ap-northeast-1.wasabisys.comissuer=C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1---No client certificate CA names sentPeer signing digest: SHA256Peer signature type: RSA-PSSServer Temp Key: X25519, 253 bits---SSL handshake has read 4528 bytes and written 403 bytesVerification error: self-signed certificate in certificate chain---New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256Server public key is 2048 bitThis TLS version forbids renegotiation.No ALPN negotiatedEarly data was not sentVerify return code: 19 (self-signed certificate in certificate chain)------Post-Handshake New Session Ticket arrived:SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_128_GCM_SHA256 Session-ID: A62B7DC3F40C1FE709FA3A4CE13ED2BCC7585CEAB0FD41BE95022A1A4651A949 Session-ID-ctx: Resumption PSK: 15A705EBF2490333C93B9F1B933EA9047C0DDAA03CBCCE3892CBED57E84B6A16 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 6a e6 00 34 94 40 54 3e-cd a9 77 b8 12 2f c0 76 j..4.@T>..w../.v 0010 - 09 00 1c 98 a8 99 40 1a-52 ed 93 1f 0d e4 67 dd ......@.R.....g. 0020 - ce ac 62 55 cc 5c ea a6-88 04 75 8d c5 bd 02 45 ..bU.\....u....E 0030 - 92 f5 c5 d1 18 48 6f b7-fb ab c5 02 b1 1b 93 ad .....Ho......... 0040 - 2b aa 88 70 8a 33 c4 2b-6a 6d 3d ea 8c 6c 11 89 +..p.3.+jm=..l.. 0050 - 80 5f a4 d8 9d d0 d8 7f-ff 11 9d b3 53 0e 46 c2 ._..........S.F. 0060 - 68 09 b9 5a 46 40 4d 12-b7 63 29 76 da 70 9f ff h..ZF@M..c)v.p.. 0070 - 18 4b c8 84 80 81 f9 0e-e5 c3 da da 6c 2d 34 95 .K..........l-4. 0080 - eb 97 41 41 9f 98 d2 09-20 33 92 13 59 12 05 14 ..AA.... 3..Y... 0090 - d8 4a 9f d5 24 99 64 e9-ff 6f 84 6b 35 1a 9c 85 .J..$.d..o.k5... 00a0 - 9e 1d 12 79 20 ea f5 97-f2 a6 38 86 ff 46 13 1a ...y .....8..F.. Start Time: 1702749603 Timeout : 7200 (sec) Verify return code: 19 (self-signed certificate in certificate chain) Extended master secret: no Max Early Data: 0---read R BLOCK---Post-Handshake New Session Ticket arrived:SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_128_GCM_SHA256 Session-ID: B9D540AEAC3788887B31307C1573A9E17677B078E331330D17DE5E5F8828C482 Session-ID-ctx: Resumption PSK: 2D77B2859FADDD9BF041E3FFB15CCEEEF27472B5BFC77E41B53D946A1EA0E624 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 6a e6 00 34 94 40 54 3e-cd a9 77 b8 12 2f c0 76 j..4.@T>..w../.v 0010 - 21 93 6b 5d 14 82 19 11-20 45 98 47 a8 4d b9 b1 !.k].... E.G.M.. 0020 - 81 23 ca 73 ed 36 06 87-b5 8b f2 c0 47 57 dd 06 .#.s.6......GW.. 0030 - 2b fe ae 9e 63 6a f0 ef-73 fe fb 63 e8 8c 13 61 +...cj..s..c...a 0040 - 6d 41 be 4c d8 3f be ca-d1 16 77 e1 26 74 d8 5f mA.L.?....w.&t._ 0050 - 40 b1 4b 9a 92 72 54 7a-4b 8a 82 85 4e 91 2c b9 @.K..rTzK...N.,. 0060 - 59 16 2d a9 5c 84 c8 cd-ab 1a 1b 69 2f 38 2c 85 Y.-.\......i/8,. 0070 - a5 7c 42 2c ba fd 05 bb-10 f8 28 1f 4b 45 fe 88 .|B,......(.KE.. 0080 - 4c 9b 60 e3 b0 86 60 13-d2 1f 25 32 a6 8b b7 d3 L.`...`...%2.... 0090 - b0 1f 00 8f 38 61 d9 a7-90 98 73 aa 60 5f d0 46 ....8a....s.`_.F 00a0 - 63 99 b9 85 65 f2 66 02-93 2d 00 33 5c a4 1f ab c...e.f..-.3\... Start Time: 1702749603 Timeout : 7200 (sec) Verify return code: 19 (self-signed certificate in certificate chain) Extended master secret: no Max Early Data: 0---read R BLOCKclosedStatistics: Posted by pirx — Dec 16, 2023 6:06 pm
