"SignatureDoesNotMatch" issue on upload to Object Storage

I am developing an iOS client for Linode that uploads large files (> 1 GB) to Linode Object Storage.

The essential functionality is working fine for me - the app is able to obtain a presigned URL, and upload a file to the Object Storage bucket.

But I want to use the payload validation option (specification of an MD5 checksum) to increase reliability of the uploads. My understanding, by reading here (https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/s3-example-presigned-urls.html) - "Generate a Pre-Signed URL for an Amazon S3 PUT Operation with a Specific Payload", is that it's a matter of adding a "Content-MD5: base64_md5_checksum" header to the initial request for the presigned URL, and to the subsequent call to upload the content (file in my case).

But when I add the Content-MD5 header I only ever get back a "SignatureDoesNotMatch" response with an HTTP 403 - Forbidden error.

I am able to reproduce my issue using curl scripts, so here is an example:

I generate the base64 checksum for the file with this command:

openssl dgst -md5 -binary example_content.txt | base64
2cll7gQQLnqIfRPeJTDnIA==

Request the presigned URL:

curl --verbose -H "Content-Type: application/json" -H "Content-MD5: 2cll7gQQLnqIfRPeJTDnIA==" -H "Authorization: Bearer XXX" -d '{ "method": "PUT", "content_type": "application/octet-stream", "name": "example_content.txt", "expires_in": 86400 }' https://api.linode.com/v4/object-storage/buckets/us-east-1/bucket_name/object-url

Then make the call to upload the file using the presigned URL:

curl --verbose -H "Content-Type: application/octet-stream" -H "Content-MD5: 2cll7gQQLnqIfRPeJTDnIA==" -X PUT -T example_content.txt 'https://us-east-1.linodeobjects.com:443/bucket_name/example_content.txt?Signature=f7YMf9bQxYznqf2OLNgIuCx4BkM%3D&Expires=1613756067&AWSAccessKeyId=6DDC765NIE5I3A6P52QS'

Here's the relevant curl output:

* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=us-east-1.linodeobjects.com
*  start date: Dec 16 15:44:23 2020 GMT
*  expire date: Mar 16 15:44:23 2021 GMT
*  subjectAltName: host "us-east-1.linodeobjects.com" matched cert's "us-east-1.linodeobjects.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> PUT /bucket_name/example_content.txt?Signature=f7YMf9bQxYznqf2OLNgIuCx4BkM%3D&Expires=1613756067&AWSAccessKeyId=6DDC765NIE5I3A6P52QS HTTP/1.1
> Host: us-east-1.linodeobjects.com
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Type: application/octet-stream
> Content-MD5: 2cll7gQQLnqIfRPeJTDnIA==
> Content-Length: 566855
> Expect: 100-continue

< HTTP/1.1 100 Continue
< HTTP/1.1 403 Forbidden
< Date: Thu, 18 Feb 2021 17:40:12 GMT
< Content-Type: application/xml
< Content-Length: 200
< Connection: keep-alive
< x-amz-request-id: tx000000000000006c1bfb8-00602ea67c-1e5d58c-default
< Accept-Ranges: bytes

* HTTP error before end of send, stop sending
<
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
<error>SignatureDoesNotMatch<requestid>tx000000000000006c1bfb8-00602ea67c-1e5d58c-default</requestid><hostid>1e5d58c-default-default</hostid></error>

I looked here to see if any of the remedies and workarounds could work for me: https://www.linode.com/community/questions/21069/some-file-with-signaturedoesnotmatch, but none made a difference.

Please note the above curl calls work just fine to do the upload when I remove the "Content-MD5" headers.

I tried disabling the "Expect: 100-continue" header, as suggested by others, but that did not help.

Can you please help me figure out where I am going wrong?

3 Replies

Hey there -

I wanted to get the conversation started on this, and since you've already tried the steps I gave in the other post you linked, I did some more digging. I don't know if these solutions are the right ones, but I think they're worth a try.

For the 403 error, I found a post on Stack Overflow that states it might be an error with the system clock. Is that something you've considered? Here's the page where I found that:

Amazon S3 bucket returning 403 Forbidden

Here's a page from Amazon's help docs that also gives reasons you might be running into the 403 Forbidden error. (Our Object Storage is Amazon S3 compatible, so much of this should be the same):

Why am I getting an HTTP 403 Forbidden error when I try to upload files using the Amazon S3 console?

I'd recommend taking a look at those links and seeing if any of that works for you. Please let us know of any successes or failures you have when trying those troubleshooting steps.

Linode object storage just shows "SignatureDoesNotMatch" in every circumstance. If you set a mismatched content-type, SignatureDoesNotMatch. Use a mismatched method, SignatureDoesNotMatch.

Setting Content-MD5 also gets SignatureDoesNotMatch every time; luckily, there is an "Etag" in the response header which contains the MD5 result.

However, Linode should return a proper error code for each case. And, please support Content-MD5.
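Added example, not part of the posts above and not Linode's code: a small model of AWS Signature Version 2 query-string signing, which the Signature/Expires/AWSAccessKeyId parameters in the question's URL suggest is the scheme in use. It shows why a Content-MD5 header on the PUT fails verification unless the same value was in the string signed when the URL was issued, and why a mismatched Content-Type or method produces the same error the reply describes. The secret key, payload and function names are constructed; whether the object-url endpoint can bind a Content-MD5 value is not stated on this page.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not real credentials.
SECRET_KEY = b"EXAMPLE-SECRET-KEY"
EXPIRES = 1613756067
RESOURCE = "/bucket_name/example_content.txt"


def content_md5(body: bytes) -> str:
    """Base64 of the raw MD5 digest (same as `openssl dgst -md5 -binary | base64`)."""
    return base64.b64encode(hashlib.md5(body).digest()).decode()


def sign_v2(secret, method, md5_b64, content_type, expires, resource):
    """SigV2 query-string signature; this example sends no x-amz-* headers."""
    string_to_sign = "\n".join([method, md5_b64, content_type, str(expires), resource])
    mac = hmac.new(secret, string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def server_accepts(url_signature, method, headers):
    """Verifier side: rebuild the string to sign from the request actually received."""
    expected = sign_v2(SECRET_KEY, method, headers.get("Content-MD5", ""),
                       headers.get("Content-Type", ""), EXPIRES, RESOURCE)
    return hmac.compare_digest(expected, url_signature)


def demo():
    body = b"constructed example payload\n"
    md5 = content_md5(body)
    ctype = "application/octet-stream"
    with_md5 = {"Content-Type": ctype, "Content-MD5": md5}
    # URL issued with the Content-MD5 field of the string to sign left empty.
    sig_plain = sign_v2(SECRET_KEY, "PUT", "", ctype, EXPIRES, RESOURCE)
    # URL issued with the payload's Content-MD5 bound into the signature.
    sig_md5 = sign_v2(SECRET_KEY, "PUT", md5, ctype, EXPIRES, RESOURCE)
    return {
        "plain_url_no_md5_header": server_accepts(sig_plain, "PUT", {"Content-Type": ctype}),
        "plain_url_with_md5_header": server_accepts(sig_plain, "PUT", with_md5),
        "md5_url_with_md5_header": server_accepts(sig_md5, "PUT", with_md5),
        "md5_url_wrong_type": server_accepts(sig_md5, "PUT", {**with_md5, "Content-Type": "text/plain"}),
        "md5_url_wrong_method": server_accepts(sig_md5, "GET", with_md5),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'SignatureDoesNotMatch'}")
```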

This is still an issue.

Always getting SignatureDoesNotMatch and no real explanation why.

What's a good fix for this?
