AWS S3 endpoint and proper SSL verification

We would like to have our own custom brew repository to allow our developers to easily manage/update our company tools. We made a decision to keep all these files in an AWS S3 bucket and, in the brew formulas, just point directly to the object's URL. The only restriction we have is to be sure that access to that AWS S3 bucket is available behind our VPN network.

So what we did:

  1. Created a new bucket, let's say with the following name: downloads.example.com

  2. Created an S3 endpoint. AWS created a DNS entry: *.vpce-XXXXXXXXXXXXXXX-XXXXXX.s3.eu-west-1.vpce.amazonaws.com

  3. In the bucket policy we limited access only to that AWS S3 endpoint:

            "Condition": {
                "StringEquals": {
                    "aws:SourceVpce": "vpce-XXXXXXXXXXXXXXX"
                }
            }

  4. We created a Route 53 DNS entry: an A record for downloads.example.com as an alias to *.vpce-XXXXXXXXXXXXXXX-XXXXXX.s3.eu-west-1.vpce.amazonaws.com

After that simple configuration, we are able to get/push objects using AWS CLI commands only when we are connected to our VPN server.

Unfortunately, the problem is when we want to use curl, for example:

*   Trying 10.X.X.X:443...
* Connected to downloads.example.com (10.X.X.X) port 443 (#0)
...
* Server certificate:
*  subject: CN=s3.eu-west-1.amazonaws.com
*  start date: Dec 16 00:00:00 2021 GMT
*  expire date: Jan 14 23:59:59 2023 GMT
*  subjectAltName does not match downloads.example.com
* SSL: no alternative certificate subject name matches target host name 'downloads.example.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):

If I run the same command skipping CA verification, it works:

20211217 16:56:52 kamil@thor ~$ curl -Ls https://downloads.example.com/getMe.txt -k
test file

Do you know if there is any way to make that work properly?

I know that we could do the following things, but we would like to see other options:

  1. push a route for s3.eu-west-1.amazonaws.com via VPN and, in the bucket policy, limit access only to our VPN public IP
  2. install the right certificates on ingress/nginx to do some redirect/proxy
  3. we tried some combinations with load balancers and ACM, but it didn't work.

Thank you in advance for your help, Kamil



Solution 1:[1]

I'm afraid it is not possible to do what you want.

When you create an endpoint, AWS is not creating certificates for your own domain. It creates a certificate for its own domains.

You can check it with:

First, download the certificate

$ echo | openssl s_client -connect 10.99.16.29:443 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > vpce.pem

Then you can verify what names are in the certificate.

$ openssl x509 -noout -text -in vpce.pem  | grep DNS | tr "," "\n" | sort -u
 DNS:s3.eu-central-1.amazonaws.com
 DNS:*.accesspoint.vpce-0f0d06a5091e70758-7mtj4kk7-eu-central-1a.s3.eu-central-1.vpce.amazonaws.com
 DNS:*.accesspoint.vpce-0f0d06a5091e70758-7mtj4kk7.s3.eu-central-1.vpce.amazonaws.com
 DNS:*.bucket.vpce-0f0d06a5091e70758-7mtj4kk7-eu-central-1a.s3.eu-central-1.vpce.amazonaws.com
 DNS:*.bucket.vpce-0f0d06a5091e70758-7mtj4kk7.s3.eu-central-1.vpce.amazonaws.com
 DNS:*.control.vpce-0f0d06a5091e70758-7mtj4kk7-eu-central-1a.s3.eu-central-1.vpce.amazonaws.com
 DNS:*.control.vpce-0f0d06a5091e70758-7mtj4kk7.s3.eu-central-1.vpce.amazonaws.com
 DNS:*.s3-accesspoint.eu-central-1.amazonaws.com
 DNS:*.s3-control.eu-central-1.amazonaws.com
 DNS:*.s3.eu-central-1.amazonaws.com
 DNS:bucket.vpce-0f0d06a5091e70758-7mtj4kk7-eu-central-1a.s3.eu-central-1.vpce.amazonaws.com
 DNS:bucket.vpce-0f0d06a5091e70758-7mtj4kk7.s3.eu-central-1.vpce.amazonaws.com

Note: for brevity, I've removed some names from the list.

So, to access your endpoint and not have problems with certificates, you need to use one of the names provided in the certificate.
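The hostname check that curl fails in the question ("no alternative certificate subject name matches target host name") is the same check the answer's SAN dump lets you predict by hand. The script below is an added example, not part of the question or the answer: it parses a few of the answer's `grep DNS` lines (constructed sample input, reusing the endpoint id printed there), applies the single-label wildcard rule curl and browsers use (RFC 6125), and reports which host forms would verify. The `s3_vpce_hosts` helper and the path-style / virtual-hosted split are assumptions taken from the AWS S3 interface endpoint documentation, not something the answer states.

```python
from __future__ import annotations
import re

# Constructed sample input: a few of the `grep DNS` lines from the answer's
# openssl output. The endpoint id vpce-0f0d06a5091e70758-7mtj4kk7 is the one
# printed in the answer and is used here purely as sample data.
OPENSSL_SAN_OUTPUT = """\
 DNS:s3.eu-central-1.amazonaws.com
 DNS:*.bucket.vpce-0f0d06a5091e70758-7mtj4kk7.s3.eu-central-1.vpce.amazonaws.com
 DNS:*.s3.eu-central-1.amazonaws.com
 DNS:bucket.vpce-0f0d06a5091e70758-7mtj4kk7.s3.eu-central-1.vpce.amazonaws.com
"""

# The endpoint's "bucket" host from the list above (sample data).
VPCE_BUCKET_HOST = "bucket.vpce-0f0d06a5091e70758-7mtj4kk7.s3.eu-central-1.vpce.amazonaws.com"


def parse_san_dns_names(text: str) -> list[str]:
    """Pull the dNSName entries out of `openssl x509 -text` style output."""
    return [m.group(1).lower() for m in re.finditer(r"DNS:([^\s,]+)", text)]


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN entry the way curl and browsers do (RFC 6125):
    '*' may only stand for the entire leftmost label and never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial wildcards (e.g. "s*.example") and "*.com" are rejected
    if len(h_labels) != len(p_labels):
        return False  # the wildcard covers exactly one label
    return h_labels[1:] == p_labels[1:]


def hostname_verifies(hostname: str, san_names: list[str]) -> bool:
    """True if any SAN entry covers the hostname, i.e. curl would accept it."""
    return any(san_matches(p, hostname) for p in san_names)


def s3_vpce_hosts(bucket: str, vpce_bucket_host: str) -> dict[str, str]:
    """The two host forms for reaching a bucket through an S3 interface endpoint
    (assumption based on the AWS docs): path-style keeps the bucket in the URL
    path, virtual-hosted style puts the bucket name in front of the host."""
    return {
        "path-style": vpce_bucket_host,
        "virtual-hosted": f"{bucket}.{vpce_bucket_host}",
    }


def access_plan(bucket: str, vpce_bucket_host: str, san_names: list[str]) -> dict[str, bool]:
    """Which URL styles pass certificate verification for this bucket name."""
    return {style: hostname_verifies(host, san_names)
            for style, host in s3_vpce_hosts(bucket, vpce_bucket_host).items()}


if __name__ == "__main__":
    sans = parse_san_dns_names(OPENSSL_SAN_OUTPUT)
    # The question's CNAME is simply not in the SAN list.
    print("downloads.example.com:", hostname_verifies("downloads.example.com", sans))
    # A bucket name containing dots only works path-style: the single wildcard
    # label cannot stand in for "downloads.example.com".
    print("downloads.example.com via endpoint:",
          access_plan("downloads.example.com", VPCE_BUCKET_HOST, sans))
    # A dot-free bucket name verifies either way.
    print("tools via endpoint:", access_plan("tools", VPCE_BUCKET_HOST, sans))
```

Two things this shows beyond the answer's point: first, the certificate check is purely a name comparison, so the `-k` workaround in the question disables exactly the protection that would stop a spoofed endpoint on the VPN; second, because the bucket in the question is called `downloads.example.com`, the `*.bucket.vpce-…` wildcard does not cover the virtual-hosted form, so with a proper certificate the object has to be fetched path-style (`https://bucket.vpce-…/downloads.example.com/getMe.txt`) or the bucket has to be renamed to a single label.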

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Pipe