Subdomains of s3.amazonaws.com are untrusted in Firefox 36.0
Hi, since FF 36.0 was released we are experiencing problems when loading content from S3 on our website. Images that are stored on S3 are not displayed at all. All other browsers display our site/images correctly.
When you go to the image's URL directly you get a warning that the connection is untrusted: https://eventsquare_vsr_dev.s3.amazonaws.com/uploads/images/Solo_Reg_Icon-201411281520.png
It seems that since FF 36.0 all the subdomains of s3.amazonaws.com are untrusted.
The only way we can make this work is to change the S3 URL format from https://[bucket].s3.amazonaws.com/[path_to_file] to https://s3.amazonaws.com/[bucket]/[path_to_file]
Can you explain to me why subdomains of s3.amazonaws.com are not trusted anymore? Is that a problem on Amazon's end? Do you have any other alternative solutions for our problem?
Thank you for your help.
Jano
All replies (7)
We're sorry that you are running into this issue. The reason you are getting this message is that, while the site you are visiting does have SSL, it is not providing a valid certificate for the subdomain.
janovalaska said
Hi, since FF 36.0 was released we are experiencing problems when loading content from S3 on our website. Images that are stored on S3 are not displayed at all. All other browsers display our site/images correctly. When you go to the image's URL directly you get a warning that the connection is untrusted: https://eventsquare_vsr_dev.s3.amazonaws.com/uploads/images/Solo_Reg_Icon-201411281520.png It seems that since FF 36.0 all the subdomains of s3.amazonaws.com are untrusted. The only way we can make this work is to change the S3 URL format from https://[bucket].s3.amazonaws.com/[path_to_file] to https://s3.amazonaws.com/[bucket]/[path_to_file] Can you explain to me why subdomains of s3.amazonaws.com are not trusted anymore? Is that a problem on Amazon's end? Do you have any other alternative solutions for our problem? Thank you for your help. Jano
bkerensa said
We're sorry that you are running into this issue. The reason you are getting this message is that, while the site you are visiting does have SSL, it is not providing a valid certificate for the subdomain. See "This connection is untrusted - what to do"
Thank you for your opinion.
It is hard to believe that Amazon can have problems with SSL certificates.
We found out that we have invalid names for our buckets... Our buckets contain underscores, which is an invalid character.
Amazon AWS does provide documentation on how to set up your S3 buckets with a certificate so it provides that for all HTTPS requests. I would consult their documentation on this.
EDIT: I see you discovered the underscore character is the problem (it is not valid in a host name) but Firefox's error message certainly could be improved.
The error page says:
eventsquare_vsr_dev.s3.amazonaws.com:443 uses an invalid security certificate.
The certificate is only valid for the following names: *.s3.amazonaws.com, s3.amazonaws.com
(Error code: ssl_error_bad_cert_domain)
Since it's a wildcard cert, this domain should be okay.
Firefox 36 did make a change with respect to wildcard certificates described in this bug report: 1089104 – ssl_error_bad_cert_domain when subjectAltName extension is missing and Subject CN is encoded as TeletexString, but it seems that the Amazon S3 certificate should satisfy the requirement because it does have the Certificate Subject Alt Name field.
I don't understand what's going on here...
Chosen solution
jscher2000 said
EDIT: I see you discovered the underscore character is the problem (it is not valid in a host name) but Firefox's error message certainly could be improved.
The error page says:
eventsquare-vsr-dev.s3.amazonaws.com:443 uses an invalid security certificate.
The certificate is only valid for the following names: *.s3.amazonaws.com, s3.amazonaws.com
(Error code: ssl_error_bad_cert_domain)
Since it's a wildcard cert, this domain should be okay.
Firefox 36 did make a change with respect to wildcard certificates described in this bug report: 1089104 – ssl_error_bad_cert_domain when subjectAltName extension is missing and Subject CN is encoded as TeletexString, but it seems that the Amazon S3 certificate should satisfy the requirement because it does have the Certificate Subject Alt Name field.
I don't understand what's going on here...
We discovered that if we replace underscores with hyphens in our bucket names, then everything works fine. I created a new bucket with hyphens and copied that file over there, and it works fine:
https://eventsquare-vsr-dev.s3.amazonaws.com/uploads/images/Manage_My_Team_Icon-201411281519.png
Underscores seem to work similarly to dots: they split your subdomain into a subdomain and a sub-subdomain. Amazon's AWS domain is using a *.s3.amazonaws.com wildcard SSL certificate. Wildcard SSL certificates do not cover sub-sub domains (http://stackoverflow.com/questions/3088022/is-it-possible-to-have-a-valid-sub-subdomain-with-a-wildcard-certificate). That would explain why Firefox thinks that there is a certificate issue with Amazon's AWS domain.
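As an added illustration (not part of this thread, and not Firefox's or Amazon's code), the following Python check models the two rules that the URL formats in the original question and the wildcard explanation in the chosen solution touch: host-name label syntax (RFC 1123, which allows letters, digits and hyphens but not underscores) and wildcard certificate matching (RFC 6125, where `*` stands for exactly one left-most label). The certificate names are the ones quoted from the Firefox error page; the sample bucket names and URLs are constructed, and the function names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Names the S3 certificate covers, as quoted from the Firefox error page above.
S3_CERT_NAMES = ["*.s3.amazonaws.com", "s3.amazonaws.com"]

# RFC 1123 host label: letters, digits and hyphens, 1-63 chars,
# no leading or trailing hyphen. An underscore never matches.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(host):
    """True if every DNS label of host is syntactically valid.
    A bucket such as eventsquare_vsr_dev used as a subdomain fails here."""
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    return all(_LABEL_RE.match(label) for label in labels)


def cert_name_matches(pattern, host):
    """RFC 6125 style matching: a wildcard replaces only the whole left-most
    label, so *.s3.amazonaws.com covers one extra label and no more."""
    pattern = pattern.lower()
    host = host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".s3.amazonaws.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    # exactly one non-empty label; a dot here means a sub-subdomain
    return leftmost != "" and "." not in leftmost


def check_url(url, cert_names=S3_CERT_NAMES):
    """Classify a URL the way a strict TLS client would: host-name syntax
    first, then whether any name on the certificate covers the host."""
    host = urlsplit(url).hostname
    if host is None or not is_valid_hostname(host):
        return "invalid-hostname"
    if any(cert_name_matches(name, host) for name in cert_names):
        return "ok"
    return "bad-cert-domain"


# Constructed sample URLs modeled on the thread (bucket names are examples).
SAMPLES = {
    # underscore in the bucket label: rejected before the certificate is even consulted
    "https://eventsquare_vsr_dev.s3.amazonaws.com/uploads/a.png": "invalid-hostname",
    # hyphenated bucket as a single label: covered by *.s3.amazonaws.com
    "https://eventsquare-vsr-dev.s3.amazonaws.com/uploads/a.png": "ok",
    # path-style URL: host is the exact name s3.amazonaws.com, bucket is in the path
    "https://s3.amazonaws.com/eventsquare_vsr_dev/uploads/a.png": "ok",
    # dotted bucket as a virtual host: more than one label under the wildcard
    "https://my.dotted.bucket.s3.amazonaws.com/a.png": "bad-cert-domain",
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        result = check_url(url)
        print(f"{result:16s} {url}")
        assert result == expected
```

The two URL formats from the question behave differently for a simple reason the check makes visible: in the virtual-hosted form the bucket name becomes a DNS label and has to satisfy both host-name syntax and the wildcard's one-label rule, whereas in the path-style form the host is the exact `s3.amazonaws.com` name on the certificate and the bucket name is never validated as a host. A dotted bucket name fails the wildcard rule rather than the syntax rule, so renaming with hyphens fixes the underscore case but not that one.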
Awesome research and analysis. Hopefully any other affected S3 users will find this thread so they won't have to pull out as many hairs.
This bug is fixed in 36.0.1. See bug #1136616 https://bugzilla.mozilla.org/show_bug.cgi?id=1136616
Test URL: https://coursera_assets.s3.amazonaws.com/about/overview/about_discover_a_course_youre_interested_in.jpg