
Subdomains of s3.amazonaws.com are untrusted in Firefox 36.0

  • 7 replies
  • 20 have this problem
  • 72 views
  • Last reply by Meteor


Hi, since FF 36.0 was released we have been experiencing problems when loading content from S3 on our website. Images that are stored on S3 are not displayed at all. All other browsers display our site/images correctly.

When you go to an image's URL directly, you get a warning that the connection is untrusted: https://eventsquare_vsr_dev.s3.amazonaws.com/uploads/images/Solo_Reg_Icon-201411281520.png

It seems that since FF 36.0 all subdomains of s3.amazonaws.com are untrusted.

The only way we can make this work is to change the S3 URL format from https://[bucket].s3.amazonaws.com/[path_to_file] to https://s3.amazonaws.com/[bucket]/[path_to_file].

Can you explain to me why subdomains of s3.amazonaws.com are not trusted anymore? Is that a problem on Amazon's end? Do you have any other alternative solutions for our problem?

Thank you for your help.

Jano



All Replies (7)


We're sorry that you are running into this issue. The reason you are getting this message is that, while the site you are visiting does have SSL, it is not providing a valid certificate for the subdomain.

See "This connection is untrusted - what to do"

Thank you for your opinion.

It is hard to believe that amazon can have problems with SSL certificates.

We found out that we have invalid names for our buckets... Our buckets contain underscores, which is an invalid character.


Amazon AWS does provide documentation on how to set up your S3 buckets with a certificate so it provides that for all HTTPS requests. I would consult their documentation on this.


EDIT: I see you discovered the underscore character is the problem (it is not valid in a host name), but Firefox's error message certainly could be improved.

The error page says:

eventsquare_vsr_dev.s3.amazonaws.com:443 uses an invalid security certificate.
The certificate is only valid for the following names:
  *.s3.amazonaws.com, s3.amazonaws.com  
(Error code: ssl_error_bad_cert_domain)

Since it's a wildcard cert, this domain should be okay.

Firefox 36 did make a change with respect to wildcard certificates described in this bug report: 1089104 – ssl_error_bad_cert_domain when subjectAltName extension is missing and Subject CN is encoded as TeletexString, but it seems that the Amazon S3 certificate should satisfy the requirement because it does have the Certificate Subject Alt Name field.

I don't understand what's going on here...

Modified by jscher2000 - Support Volunteer


Chosen Solution

jscher2000 said

EDIT: I see you discovered the underscore character is the problem (it is not valid in a host name), but Firefox's error message certainly could be improved.

The error page says:

eventsquare-vsr-dev.s3.amazonaws.com:443 uses an invalid security certificate.
The certificate is only valid for the following names:
  *.s3.amazonaws.com, s3.amazonaws.com  
(Error code: ssl_error_bad_cert_domain)

Since it's a wildcard cert, this domain should be okay.

Firefox 36 did make a change with respect to wildcard certificates described in this bug report: 1089104 – ssl_error_bad_cert_domain when subjectAltName extension is missing and Subject CN is encoded as TeletexString, but it seems that the Amazon S3 certificate should satisfy the requirement because it does have the Certificate Subject Alt Name field.

I don't understand what's going on here...

We discovered that if we replace underscores with hyphens in our bucket names, then everything works fine. I created a new bucket with hyphens and copied that file over there, and it works fine:

https://eventsquare-vsr-dev.s3.amazonaws.com/uploads/images/Manage_My_Team_Icon-201411281519.png

Underscores seem to work similarly to dots: they split your subdomain into a subdomain and a sub-subdomain. Amazon's AWS domain is using a *.s3.amazonaws.com wildcard SSL certificate. Wildcard SSL certificates do not cover sub-sub domains (http://stackoverflow.com/questions/3088022/is-it-possible-to-have-a-valid-sub-subdomain-with-a-wildcard-certificate). That would explain why Firefox thinks there is a certificate issue with Amazon's AWS domain.

Modified by janovalaska
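An added illustration of the two checks behind the error discussed in this thread (example code written for this page, not code from Firefox, Mozilla or Amazon): host name labels must follow the letters-digits-hyphen rule, so a bucket name with an underscore fails before any certificate matching happens, and a single-label wildcard such as *.s3.amazonaws.com covers bucket.s3.amazonaws.com but not a sub-subdomain. The certificate names are the ones quoted from the error page above; the matching logic is a simplified form of the RFC 6125 rules, not Firefox's actual implementation.

```python
import re

# Host name labels follow the LDH rule: letters, digits and hyphens only,
# 1-63 characters, no leading or trailing hyphen.  An underscore in a bucket
# name such as "eventsquare_vsr_dev" violates this rule.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Names quoted from the Firefox error page in the thread (the S3 cert's SANs).
S3_CERT_NAMES = ["*.s3.amazonaws.com", "s3.amazonaws.com"]


def invalid_labels(hostname):
    """Return the labels of hostname that break the LDH rule."""
    return [lbl for lbl in hostname.rstrip(".").split(".")
            if not _LABEL_RE.match(lbl)]


def wildcard_matches(pattern, hostname):
    """Simplified RFC 6125 match: '*' covers exactly one leftmost label.

    '*.s3.amazonaws.com' therefore covers 'bucket.s3.amazonaws.com' but not
    'my.bucket.s3.amazonaws.com' (a sub-subdomain) or 's3.amazonaws.com'.
    """
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def check_hostname(hostname, cert_names=S3_CERT_NAMES):
    """Return (ok, reason) for hostname checked against the cert's names."""
    bad = invalid_labels(hostname)
    if bad:
        return False, "invalid host name label(s): " + ", ".join(bad)
    for name in cert_names:
        if wildcard_matches(name, hostname):
            return True, "matches " + name
    return False, "no certificate name matches (ssl_error_bad_cert_domain)"


if __name__ == "__main__":
    for host in ["eventsquare_vsr_dev.s3.amazonaws.com",
                 "eventsquare-vsr-dev.s3.amazonaws.com",
                 "my.bucket.s3.amazonaws.com"]:
        print(host, "->", check_hostname(host))
```

The third sample host shows why bucket names containing dots hit the same error under the virtual-hosted URL style, which is the sub-subdomain case the answer above links to.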


Awesome research and analysis. Hopefully any other affected S3 users will find this thread so they won't have to pull out as many hairs.
