Comments (7)
I can reproduce the same error; however, logstash-input-s3 does not modify the endpoint setting, see here and here. It passes it straight to the AWS SDK. The plugin uses the AWS SDK to access AWS services, so this could be an issue with the SDK, or the SDK requires more setup to make it work with a VPC.
Need further investigation.
from logstash-input-s3.
@glen-uc Looks like you are encountering aws/aws-sdk-ruby#2483
Can you try setting the environment variable AWS_S3_US_EAST_1_REGIONAL_ENDPOINT to 'regional' and report back?
[Edit]
The environment variable has other issues; try setting s3_us_east_1_regional_endpoint=regional in your aws config file.
from logstash-input-s3.
@robbavey Thank you for your reply.
We tried adding s3_us_east_1_regional_endpoint=regional to the config file and deployed Logstash with the interface endpoint, but we got this error:
hostname "<bucket_name>.<vpc_id>.s3.us-east-1.vpce.amazonaws.com" does not match the server certificate
Exception: Seahorse::Client::NetworkingError
Looks like it's not replacing the region in the endpoint as expected. In order to solve this error we tried passing ssl_verify_peer as false in additional settings and redeployed Logstash, but it failed again, this time with this error:
{:exception=>Aws::S3::Errors::NoSuchBucket, :message=>"The specified bucket does not exist"
We verified that the specified bucket exists and Logstash has the necessary permissions (it works when we use the default endpoint).
from logstash-input-s3.
@glen-uc, we're seeing the same issue with the s3 output plugin (logstash-output-s3 v4.3.5). Our workaround is to set the endpoint value with 2 region strings, e.g.:
    s3 {
      region => "us-east-1"
      endpoint => "https://<our_vpc_endpoint_id>.s3.us-east-1.us-east-1.vpce.amazonaws.com"
    }
This "tricks" the plugin's logic into replacing the first us-east-1 string but keeping the second us-east-1 string, so that the final value contains the AWS region.
from logstash-input-s3.
@jacqclouseau Thank you for the suggestion.
I tried your approach by adding one more region to the endpoint URL, i.e. endpoint => "https://<our_vpc_endpoint_id>.s3.us-east-1.us-east-1.vpce.amazonaws.com"
But I am still getting
{:exception=>Aws::S3::Errors::NoSuchBucket, :message=>"The specified bucket does not exist"
Here is my full Logstash s3 input configuration:
    s3 {
      bucket => <my_bucket>
      type => <my_type>
      sincedb_path => <my_path>
      prefix => <my_prefix>
      endpoint => "<vpc_ep_id>.s3.us-east-1.us-east-1.vpce.amazonaws.com"
      region => "us-east-1"
      additional_settings => {
        ssl_verify_peer => false
      }
    }
Note: If I remove the custom endpoint, Logstash works again, so it is not an issue with the bucket being missing.
from logstash-input-s3.
@glen-uc, we've encountered the "name or service not known" and "hostname does not match the server certificate" errors only.
We've seen the name resolution error message when the 'us-east-1' string was removed from the target's address.
The certificate validation error was seen when we set the endpoint value to endpoint => "https://<vpc endpoint>.s3.us-east-1.us-east-1.vpce.amazonaws.com". After having a look at the certificate properties we had to change the value to endpoint => "https://bucket.<vpc endpoint>.s3.us-east-1.us-east-1.vpce.amazonaws.com". I don't know if this applies to our setup only, or if that's how the AWS S3 certificates for the VPC interfaces generally get created.
We could reproduce the cert issue without Logstash by running curl -v https://<bucket name>.<vpc endpoint>.s3.us-east-1.vpce.amazonaws.com, which gave us an SSL_ERROR_BAD_CERT_DOMAIN response. We then inspected the certificate by running the following command:
    fqdn='<bucket name>.<vpc interface>.s3.us-east-1.vpce.amazonaws.com'
    echo | openssl s_client -showcerts -servername "${fqdn}" -connect "${fqdn}":443 2>/dev/null | openssl x509 -inform pem -noout -text
Looking at the X509v3 Subject Alternative Name values told us what names the certificate would recognise.
Running curl -v https://<bucket name>.bucket.<vpc endpoint>.s3.us-east-1.vpce.amazonaws.com was then just the confirmation we needed.
Apologies if I went off topic with the cert issue description.
from logstash-input-s3.
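The certificate-name check described in the comment above can be reproduced offline; this is an added example, not part of the original thread or of the plugin. It uses the same hostname matching that Ruby's OpenSSL applies when peer verification is on, against a throwaway certificate. The endpoint ID, bucket name and SAN list are constructed assumptions; read the real SAN list with the openssl command in the comment above.

```ruby
require "openssl"

# Constructed placeholders (assumptions): endpoint ID, bucket name and SAN list.
VPCE = "vpce-0example-abcd1234"
BASE = "s3.us-east-1.vpce.amazonaws.com"
SANS = ["*.#{BASE}", "*.bucket.#{VPCE}.#{BASE}"].freeze
HOSTS = [
  "#{VPCE}.#{BASE}",                 # endpoint host used as-is
  "my-logs.#{VPCE}.#{BASE}",         # bucket name prepended to that endpoint
  "my-logs.bucket.#{VPCE}.#{BASE}"   # bucket name prepended to bucket.<vpce>
].freeze

# Build a throwaway self-signed certificate carrying the given DNS SANs.
def cert_with_sans(sans)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed-test-cert")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  san_value = sans.map { |s| "DNS:#{s}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", san_value, false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Map each hostname to whether the certificate's SANs cover it.
# A "*" in a SAN stands for exactly one leftmost DNS label, so an extra
# label in front of the endpoint host is enough to cause a mismatch.
def name_check(cert, hosts)
  hosts.to_h { |h| [h, OpenSSL::SSL.verify_certificate_identity(cert, h)] }
end

if __FILE__ == $PROGRAM_NAME
  name_check(cert_with_sans(SANS), HOSTS).each do |host, ok|
    puts "#{ok ? 'match   ' : 'MISMATCH'} #{host}"
  end
end
```

A hostname that the SAN list covers passes this check with peer verification left enabled.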
@jacqclouseau Thank you for the detailed description, thanks to which we were able to solve the problem with Logstash.
Here is what happened in our case:
We were running Logstash in a K8 cluster along with other logging components like Fluent Bit. When we migrated to using interface endpoints for S3, we first changed Fluent Bit so that it uses the interface endpoint, by setting the endpoint to something like https://<vpc_ep_id>.s3.us-east-1.vpce.amazonaws.com, and it worked fine without any additional configuration (hence we assumed bucket.<vpc_ep_id> was not required when setting up the endpoint URL).
When doing the same for Logstash we encountered the errors described above, but we were finally able to solve it by setting the endpoint URL to something like https://bucket.<vpc_ep_id>.s3.us-east-1.us-east-1.vpce.amazonaws.com
Note: not using bucket.<vpc_ep_id>... might also be the reason why setting s3_us_east_1_regional_endpoint=regional did not work. We will try setting this and using only one region in the endpoint URL, something like https://bucket.<vpc_ep_id>.s3.us-east-1.vpce.amazonaws.com, to see if it works.
from logstash-input-s3.