X509 Certificate error when using with S3 Wasabi

Restic just stopped working for me recently on my server and I’m not entirely sure why. I’ve tried talking to Wasabi and they sent me here saying it isn’t an issue on their end.

Running on Ubuntu 20.04

restic 0.8.3
compiled with go1.10 on linux/amd64

I’m currently running restic like so

AWS_ACCESS_KEY_ID="<omit>" AWS_SECRET_ACCESS_KEY="<omit>" RESTIC_PASSWORD="<omit>" restic -r s3:s3.us-west-1.wasabisys.com/zactmp init

And getting this error

Fatal: create repository at s3:https://s3.us-west-1.wasabisys.com/zactmp failed: client.BucketExists: Get https://s3.us-west-1.wasabisys.com/zactmp/?location=: x509: certificate is valid for *.adguard.com, adguard.com, not s3.us-west-1.wasabisys.com

I’ve tried running with this flag; it didn’t do anything

-o rclone.program="rclone --no-check-certificate"

Tried grabbing the Wasabi cert and specifying it manually with no change

--cacert cacert.pem

Tried updating my certs, nothing

sudo update-ca-certificates

Anyone know what’s up?


Thanks a lot for being so specific when describing the problem and what you did!

For starters, please use a recent version of restic, version 0.8.3 is very very old.

I would recommend using the latest master build from here, but if you don’t want to use that, at least use the 0.9.6 release.

Just to be sure the problem persists with a current version, then we can look into it.

Adguard does provide a VPN service. Are you using it when connecting to Wasabi?

No problem! I know how it goes :slight_smile: Thanks for the quick reply. I’ve updated restic and tried again with the same error.

$ restic version
restic 0.9.6 (v0.9.6-377-gc34c7316) compiled with go1.14.3 on linux/amd64
$ AWS_ACCESS_KEY_ID="omit" AWS_SECRET_ACCESS_KEY="omit" RESTIC_PASSWORD="omit" restic -r s3:s3.us-west-1.wasabisys.com/zactmp init
Fatal: create repository at s3:s3.us-west-1.wasabisys.com/zactmp failed: client.BucketExists: Get "https://s3.us-west-1.wasabisys.com/zactmp/?location=": x509: certificate is valid for *.adguard.com, adguard.com, not s3.us-west-1.wasabisys.com

I am using a VPN, but not Adguard. I’m currently using Wireguard and have my iptables set up to only route traffic from a single internal IP, being a docker container.

PostUp = ip rule add from 192.168.104.5 table 42; ip route add default dev %i table 42;
PostDown = ip rule del from 192.168.104.5 table 42;

I have no idea where it’s getting this Adguard stuff to be honest. I don’t remember installing anything Adguard related… maybe it (or certs related to AG) tagged along with something else? I’m just not entirely sure how to investigate that to be honest.

Sorry to say this but I don’t see how this is caused by restic. You are getting a certificate for another host than the one you expect when you connect to it. That’s fishy.

To debug it I would probably use tools like openssl and tcpdump to try and inspect the connection that’s taking place.

Ahh, it was a DNS issue! Thanks for pointing us in the right direction. I have no idea where my machine is getting the Adguard servers, but for some reason it wants to use these servers…

$ sudo cat /etc/resolv.conf
nameserver 176.103.130.130
nameserver 176.103.130.131
nameserver 127.0.0.53

I don’t feel like chasing the root cause here, so this was essentially my solution (don’t use these commands literally if anyone else sees this)

$ sudo apt install resolvconf
$ echo "nameserver 1.1.1.1" >> /etc/resolvconf/resolv.conf.d/head
$ sudo reboot now

After reboot

$ sudo cat /etc/resolv.conf
nameserver 1.1.1.1
nameserver 176.103.130.130
nameserver 176.103.130.131
nameserver 127.0.0.53

And it works fine! Thank you again for the help :slight_smile:
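The x509 error quoted earlier and the resolv.conf fix above are two ends of the same chain: the first-listed resolver handed restic an address that was not Wasabi's, and Go's TLS hostname check refused the certificate that server presented. The following Go program is an added example, not part of this thread or of restic; it self-signs a throwaway certificate with the SANs quoted in the error (constructed, not the real AdGuard certificate) to reproduce the message verbatim, and shows which resolver a resolv.conf body causes to be consulted first.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"strings"
	"time"
)

// HostnameMismatch self-signs a throwaway certificate carrying dnsNames as
// SANs (constructed for this example, not the real AdGuard certificate) and
// returns the error crypto/x509, and so restic, raises for host; "" means OK.
func HostnameMismatch(dnsNames []string, host string) string {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err.Error()
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err.Error()
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err.Error()
	}
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return ""
}

// FirstNameserver returns the resolver tried first for a resolv.conf body.
func FirstNameserver(resolvConf string) string {
	for _, line := range strings.Split(resolvConf, "\n") {
		f := strings.Fields(line)
		if len(f) == 2 && f[0] == "nameserver" {
			return f[1]
		}
	}
	return ""
}
```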

It must be rather worrying to be using a system where you have no idea where it gets its DNS server settings from :stuck_out_tongue: