Re: [I] [Python][Packaging] S3FileSystem curl error when using `localstack`-created S3 bucket or custom ca-certificate [arrow]

Wed, 27 Mar 2024 03:45:41 -0700 


pitrou commented on issue #37001:
URL: https://github.com/apache/arrow/issues/37001#issuecomment-2022451857

   I've tried it locally and it works using `SSL_CERT_FILE` and Minio:
   ```python
   >>> import os
   >>> from pyarrow.fs import S3FileSystem, FileSelector
   >>> os.environ['SSL_CERT_FILE']
   '/home/antoine/t/miniocert/public.crt'
   >>> fs = S3FileSystem(endpoint_override="localhost:9000", scheme="https", 
access_key="minioadmin", secret_key="minioadmin")
   >>> fs.get_file_info(FileSelector('', recursive=True))
   []
   ```
   
   You have to make sure that your `endpoint_override` matches the 
certificate's subject name (i.e. the host name it is allowed to authentify). 
For example, if the certificate's subject name is "localhost", you should use 
"localhost" in your `endpoint_override` (not "127.0.0.1" or anything else).
   
   Unfortunately, the error message returned by the AWS SDK is not terribly 
informative if you're not giving the right hostname:
   ```python
   >>> fs = S3FileSystem(endpoint_override="127.0.0.1:9000", scheme="https", 
access_key="minioadmin", secret_key="minioadmin")
   >>> fs.get_file_info(FileSelector('', recursive=True))
     [...]
   OSError: When listing buckets: AWS Error NETWORK_CONNECTION during 
ListBuckets operation: curlCode: 60, SSL peer certificate or SSH remote key was 
not OK
   ```
   
   You can try using the `curl` command line to get a more meaningful error 
message, for example here:
   ```console
   $ curl --cacert ./t/miniocert/public.crt  https://127.0.0.1:9000
   curl: (60) SSL: no alternative certificate subject name matches target host 
name '127.0.0.1'
   More details here: https://curl.se/docs/sslcerts.html
   
   curl failed to verify the legitimacy of the server and therefore could not
   establish a secure connection to it. To learn more about this situation and
   how to fix it, please visit the web page mentioned above.
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to