SSL_connect returned=1 errno=0 peeraddr=162.243.189.2:443 state=error: certificate verify failed (Hostname mismatch)

installation
17

OK I added a binding.pry to the start of ssl_socket_connect and what I see when trying to use these settings is:

→ DISCOURSE_USE_S3=true DISCOURSE_S3_REGION=ap-singapore-1 DISCOURSE_S3_ENDPOINT=https://axhjdarc4cuy.compat.objectstorage.ap-singapore-1.oraclecloud.com DISCOURSE_S3_ACCESS_KEY_ID=foo DISCOURSE_S3_SECRET_ACCESS_KEY=bar DISCOURSE_S3_BUCKET=bucketname bin/rails c
Loading development environment (Rails 7.0.7)
[1] pry(main)> s3 = S3Helper.build_from_config; s3.list

From: /home/michael/.rvm/gems/ruby-3.2.2@discourse/gems/net-protocol-0.2.2/lib/net/protocol.rb:42 Net::Protocol#ssl_socket_connect:

    40: def ssl_socket_connect(s, timeout)
    41:   binding.pry
 => 42:   if timeout
    43:     while true
    44:       raise Net::OpenTimeout if timeout <= 0
    45:       start = Process.clock_gettime Process::CLOCK_MONOTONIC
    46:       # to_io is required because SSLSocket doesn't have wait_readable yet
    47:       case s.connect_nonblock(exception: false)
    48:       when :wait_readable; s.to_io.wait_readable(timeout)
    49:       when :wait_writable; s.to_io.wait_writable(timeout)
    50:       else; break
    51:       end
    52:       timeout -= Process.clock_gettime(Process::CLOCK_MONOTONIC) - start
    53:     end
    54:   else
    55:     s.connect
    56:   end
    57: end

[1] pry(#<Net::HTTP>)> s.hostname
=> "bucketname.axhjdarc4cuy.compat.objectstorage.ap-singapore-1.oraclecloud.com"

so the actual hostname being connected to is bucketname.axhjdarc4cuy.compat.objectstorage.ap-singapore-1.oraclecloud.com, which does not match *.compat.objectstorage.ap-singapore-1.oraclecloud.com so the error is correct.

Unfortunately OCI does not support this style access:

Use path-based access in your application. Virtual host-style access (accessing a bucket as {bucketnamespace}.compat.objectstorage.{region}.oraclecloud.com [sic]) is not supported.

Conversely Discourse only supports virtual host-style access ({bucketname}.{namespace}.compat.objectstorage.{region}.oraclecloud.com.)

We removed the setting that might have made it work a while back as it wasn’t well supported (see the commit message).

Getting this working is not going to be simple and will require complex development and testing to add this support.

Here be dragons.

(xref: S3 Path Style Access)

4 Likes