s3fs-fuse / s3fs-fuse

FUSE-based file system backed by Amazon S3


S3FS with Client Certificate on RHEL8

wil2business opened this issue · comments

************************ START OF #2425 DATA ******************************

Additional Information

Version of s3fs being used (s3fs --version)

V1.93 (commit:b97fd47) with OpenSSL

Version of fuse being used (pkg-config --modversion fuse, rpm -qi fuse or dpkg -s fuse)

2.9.7

Kernel information (uname -r)

4.18.0-513.18.1.el8_9.x86_64

GNU/Linux Distribution, if applicable (cat /etc/os-release)

Red Hat Enterprise Linux release 8.9 (Ootpa)

How to run s3fs, if applicable

[] command line

s3fs mybucket /path/to/mountpoint -o passwd_file=${HOME}/.passwd-s3fs -o url=<$URL> -o use_path_request_style

Details about issue

I am having a problem passing a client certificate to the server. My setup has an NGINX server with "ssl_verify_client on", requiring s3fs to read and submit a client certificate.
It would be equivalent to "curl --cert --cacert <cert_path> --key --cacert <key_path> --cacert <cert_path> ..." or setting up a .curlrc configuration file.

How do I achieve this functionality on RHEL8 machine?

************************ END OF #2425 DATA ******************************
I am trying to run s3fs version 1.93 included inside the RHEL8 packages. This version was compiled with OpenSSL.
I am having trouble connecting to an S3 bucket that requires a client certificate. I get an error message that the client certificate was not sent.

I am either using the wrong configuration for my system, or s3fs version v1.93 cannot find my client certificate.
Can you please help me with the proper way to configure s3fs to use OpenSSL/PKCS#11?

Note: connection without requiring client certificate works well on an SSL enabled site.

Thank you


@wil2business
Please tell us the version of s3fs you are using.
(s3fs --version will display the results.)

And did you build your s3fs yourself?
If you are trying to build on RHEL, try using the --with-nss option when running configure command.

@wil2business
Is this issue the same as #2425?
If they are the same, please close #2425 and consolidate them into this issue.
Thanks in advance for your assistance.

@ggtakec
I consolidated this and the #2425 issue because it is the same problem as this one.
I tried compiling with --with-nss, but it did not work.

I created a $HOME/.curlrc file assuming that s3fs curl code would use it to read my cert paths but it didn't.

Is there a way to include certificate path location in a s3fs command?

@wil2business
(I'm concerned about not being able to build with --with-nss, but since the content is the same for OpenSSL, I'll omit it here. If that's what you need, you can separate the issue.)

Is it correct that what you want to do is have s3fs access the server using client certification (e.g., PEM)?
Currently, s3fs does not implement loading a client certificate and using it to connect to the server.
(s3fs is not using the libcurl CURLOPT_SSLCERT options.)
Until now, a request like yours did not exist, so it has not been implemented.

But I think it is possible to consider implementation.
Is the reason you need this feature to verify the peer using the certificate when accessed on the server side?
(It would be helpful if you could explain how useful this feature is to you.)

Thanks for your help.

@wil2business
I've posted PR code( #2436 ) that adds an option to specify the client certificate.
If you can use that code, I would appreciate it if you could test it.

@ggtakec
I tested the PR code (#2436) and found the solution to work only in foreground mode.
It did not mount a directory without using the foreground option. Also, it did not generate any error message.
Thank you for working on this.

@wil2business Thank you for checking.
I will close this issue once PR #2436 has been merged.
If you still find the problem please reopen or post a new issue.