HTTP-4 PluginsManager.cpp:153] AWS S3 Storage: error while creating object, response code = -1 curlCode: 60, SSL peer certificate or SSH remote key was not OK

Hi community, I'm deploying an Orthanc server in AWS using the S3 plugin and a reverse proxy with apache2, but when I try to upload studies, I get this error:

HTTP-4 PluginsManager.cpp:153] AWS S3 Storage: error while creating object, response code = -1 curlCode: 60, SSL peer certificate or SSH remote key was not OK

Could someone help? I can't find a post about how to fix it.

Hi,

This error comes from the S3 client embedded in Orthanc and this is the first time we see it. It seems to indicate that the S3 client does not provide a valid SSL certificate to authenticate on the S3 server.

Anything special in your S3 configuration? I’m not aware of any authentication mode for S3 that would require a client certificate - but I’m not a specialist.

Best regards,

Alain.

I encountered this error while using jodogne/orthanc-plugins:1.12.7 and a non-AWS, S3-compatible object storage with HTTPS enabled (specifically, OpenStack Swift).

If the S3-compatible provider has a valid certificate, all you need to do is add "HttpsCACertificates": "/etc/ssl/certs/ca-certificates.crt" to /etc/orthanc/orthanc.json.

Note that without setting HttpsCACertificates manually, HTTP works but HTTPS will not work at all. For example, for troubleshooting I tried setting AwsS3Storage.Endpoint=https://google.com:443 and it gave me the same curlCode 60, SSL error.
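A small check for the fix described above, as an added example that is not part of the original post or of Orthanc: it takes a parsed orthanc.json and reports whether HttpsCACertificates points at a CA bundle that actually loads. The function name, finding codes and sample config are hypothetical; it assumes comment-free JSON and that an endpoint without an http:// scheme is reached over HTTPS.

```python
import json
import os
import ssl


def check_s3_ca_bundle(config):
    """Return (code, message) findings for the CA bundle used for HTTPS to S3."""
    s3 = config.get("AwsS3Storage")
    if s3 is None:
        return []  # S3 plugin not configured, nothing to check
    endpoint = str(s3.get("Endpoint", ""))
    # Assumption: no scheme (or no Endpoint at all) means the client uses HTTPS.
    if endpoint.lower().startswith("http://"):
        return []  # plain HTTP: no server certificate is verified
    bundle = config.get("HttpsCACertificates", "")
    if not bundle:
        return [("ca-bundle-unset",
                 "HttpsCACertificates is not set; expect curlCode 60 on HTTPS")]
    if not os.path.isfile(bundle):
        return [("ca-bundle-missing", f"{bundle} does not exist")]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # Parses the PEM file; also fails if the current user cannot read it.
        ctx.load_verify_locations(cafile=bundle)
    except (ssl.SSLError, OSError) as exc:
        return [("ca-bundle-unreadable", f"{bundle}: {exc}")]
    if not ctx.get_ca_certs():
        return [("ca-bundle-empty", f"{bundle} contains no CA certificates")]
    return []


# Constructed sample config, not taken from a real deployment.
SAMPLE = json.loads("""
{
  "AwsS3Storage": {"BucketName": "my-bucket", "Endpoint": "https://s3.example.net"}
}
""")

if __name__ == "__main__":
    for code, message in check_s3_ca_bundle(SAMPLE):
        print(code, message)
```

Run it as the same user that runs Orthanc, so that a bundle the service cannot read is reported as unreadable.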

Does the S3-like API (minio?) have HTTPS activated with a self-signed or other non-trusted certificate? What is the base URL of your S3-like server? Can you use the curl CLI to check the URL? If you’re using minio you could try the Healthcheck API (MinIO Object Storage for Linux): curl https://minio.example.net:9000/minio/health/live. I suspect the HTTPS certificate used by the server isn’t a trusted cert.

I am experiencing the same problem.
Error message: curlCode: 60, SSL peer certificate or SSH remote key was not OK
Any help please?

System : Ubuntu 24.04.2
Orthanc : 1.12.2+dfsg-1build4
AwsS3 plugin version : 2.5.0 (also tried mainline)
Config:
"AwsS3Storage": {
    "BucketName": "my-bucket",
    "Region": "eu-central-1",
    "AccessKey": "xxxxxxxxx",
    "SecretKey": "xxxxxxxxxx",
    "Endpoint": "my-bucket.s3-accelerate.amazonaws.com",
    "ConnectionTimeout": 30,
    "RequestTimeout": 1200,
    "RootPath": "data",
    "MigrationFromFileSystemEnabled": false,
    "StorageStructure": "flat",
    "EnableLegacyUnknownFiles": true,
    "VirtualAddressing": true,
    "StorageEncryption": {},
    "HybridMode": "Disabled",
    "UseTransferManager": false,
    "EnableAwsSdkLogs": true,
    "StorageClass": "STANDARD",
    "Verbose": true
}

Log:
I0520 16:15:27.031122 DICOM-1 PluginsManager.cpp:161] (plugins) CurlHandleContainerAttempting to acquire curl connection.

I0520 16:15:27.031125 DICOM-1 PluginsManager.cpp:161] (plugins) CurlHandleContainerNo current connections available in pool. Attempting to create new connections.

I0520 16:15:27.031128 DICOM-1 PluginsManager.cpp:161] (plugins) CurlHandleContainerattempting to grow pool size by 2

E0520 16:15:27.031140 DICOM-1 PluginsManager.cpp:153] CurlHandleContainerPool grown by 2

I0520 16:15:27.031143 DICOM-1 PluginsManager.cpp:161] (plugins) CurlHandleContainerConnection has been released. Continuing.

I0520 16:15:27.031146 DICOM-1 PluginsManager.cpp:161] (plugins) CurlHandleContainerReturning connection handle 0x57ca96061ea0

I0520 16:15:27.031149 DICOM-1 PluginsManager.cpp:161] (plugins) CurlHttpClientObtained connection handle 0x57ca96061ea0

E0520 16:15:27.067664 DICOM-1 PluginsManager.cpp:153] CurlHttpClientCurl returned error code 60 - SSL peer certificate or SSH remote key was not OK

I0520 16:15:27.067757 DICOM-1 PluginsManager.cpp:161] (plugins) CurlHandleContainerDestroy curl handle: 0x57ca96061ea0

I0520 16:15:27.067790 DICOM-1 PluginsManager.cpp:161] (plugins) CurlHandleContainerCreated replacement handle and released to pool: 0x57ca96063410

I0520 16:15:27.067811 DICOM-1 PluginsManager.cpp:161] (plugins) AWSClientRequest returned error. Attempting to generate appropriate error codes from response

E0520 16:15:27.067823 DICOM-1 PluginsManager.cpp:153] AWSXmlClientHTTP response code: -1
Resolved remote host IP address:
Request ID:
Exception name:
Error message: curlCode: 60, SSL peer certificate or SSH remote key was not OK
0 response headers:

W0520 16:15:27.067859 DICOM-1 PluginsManager.cpp:157] AWSClientIf the signature check failed. This could be because of a time skew. Attempting to adjust the signer.

I0520 16:15:27.067867 DICOM-1 PluginsManager.cpp:161] (plugins) AWSClientDate header was not found in the response, can’t attempt to detect clock skew

W0520 16:15:27.067875 DICOM-1 PluginsManager.cpp:157] AWSClientRequest failed, now waiting 0 ms before attempting again.

Using curl from command line works:

* Host xxxxxxxxx.s3-accelerate.amazonaws.com:443 was resolved.
* IPv6: (none)
* IPv4: 65.9.68.101
* Trying 65.9.68.101:443...
* Connected to xxxxxx.s3-accelerate.amazonaws.com (65.9.68.101) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / RSASSA-PSS
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: CN=*.s3-accelerate.amazonaws.com
* start date: Sep 9 00:00:00 2024 GMT
* expire date: Aug 28 23:59:59 2025 GMT
* subjectAltName: host "xxxxxx.s3-accelerate.amazonaws.com" matched cert's "*.s3-accelerate.amazonaws.com"
* issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
* SSL certificate verify ok.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x

GET / HTTP/1.1
Host: xxxxx.s3-accelerate.amazonaws.com
User-Agent: curl/8.5.0
Accept: */*

I have compiled Orthanc 1.12.7 and OrthancAwsS3Storage 2.5.0 instead of using the pre-compiled versions and it works just fine.