s3 client certificate errors on windows #1338

@aagmv

Describe the bug

I'm getting the following errors from several concurrent s3 get_object requests on Windows:

DispatchFailure(DispatchFailure { source: ConnectorError { kind: Io, source: hyper::Error(Connect, Custom { kind: Other, error: Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) } }), connection: Unknown } })

This is kind of surprising, since dozens of previous requests worked fine just seconds earlier, and I assume the Client (we're using the default configuration) uses connection pooling and does retries, so at that point I don't expect it to make new TLS connections.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

The requests succeed

Current Behavior

Certificate errors prevent downloads from completing during system startup.

Reproduction Steps

I have not observed this issue when testing locally, so I don't have a simple reproducer.

Possible Solution

That would depend on the root cause.

  • if http connection pooling worked as expected then presumably the client wouldn't need to make new TLS handshakes that could fail
  • if the retry default configuration isn't applied as expected maybe that needs fixing
  • if there are issues with the cert loading then maybe we need to bake certs into our application build
  • ....

Additional Information/Context

This happens on Windows Server 2025 EC2 instances in a Rust program started early during instance initialization via userdata. The failures are intermittent: some instances launch fine, others see those errors and then cannot complete their lifecycle.
Additionally, we're using the S3 gateway endpoint in the VPC.

We're building the SDK without default features so that ring gets used instead of aws-lc.

Version

├── aws-config v1.8.3
│   ├── aws-credential-types v1.2.4
│   │   ├── aws-smithy-async v1.2.5
│   │   ├── aws-smithy-runtime-api v1.8.5
│   │   │   ├── aws-smithy-async v1.2.5 (*)
│   │   │   ├── aws-smithy-types v1.3.2
│   │   ├── aws-smithy-types v1.3.2 (*)
│   ├── aws-runtime v1.5.9
│   │   ├── aws-credential-types v1.2.4 (*)
│   │   ├── aws-sigv4 v1.3.3
│   │   │   ├── aws-credential-types v1.2.4 (*)
│   │   │   ├── aws-smithy-eventstream v0.60.10
│   │   │   │   ├── aws-smithy-types v1.3.2 (*)
│   │   │   ├── aws-smithy-http v0.62.2
│   │   │   │   ├── aws-smithy-eventstream v0.60.10 (*)
│   │   │   │   ├── aws-smithy-runtime-api v1.8.5 (*)
│   │   │   │   ├── aws-smithy-types v1.3.2 (*)
│   │   │   ├── aws-smithy-runtime-api v1.8.5 (*)
│   │   │   ├── aws-smithy-types v1.3.2 (*)
│   │   ├── aws-smithy-async v1.2.5 (*)
│   │   ├── aws-smithy-eventstream v0.60.10 (*)
│   │   ├── aws-smithy-http v0.62.2 (*)
│   │   ├── aws-smithy-runtime v1.8.5
│   │   │   ├── aws-smithy-async v1.2.5 (*)
│   │   │   ├── aws-smithy-http v0.62.2 (*)
│   │   │   ├── aws-smithy-http-client v1.0.6
│   │   │   │   ├── aws-smithy-async v1.2.5 (*)
│   │   │   │   ├── aws-smithy-runtime-api v1.8.5 (*)
│   │   │   │   ├── aws-smithy-types v1.3.2 (*)
│   │   │   ├── aws-smithy-observability v0.1.3
│   │   │   │   └── aws-smithy-runtime-api v1.8.5 (*)
│   │   │   ├── aws-smithy-runtime-api v1.8.5 (*)
│   │   │   ├── aws-smithy-types v1.3.2 (*)
│   │   ├── aws-smithy-runtime-api v1.8.5 (*)
│   │   ├── aws-smithy-types v1.3.2 (*)
│   │   ├── aws-types v1.3.8
│   │   │   ├── aws-credential-types v1.2.4 (*)
│   │   │   ├── aws-smithy-async v1.2.5 (*)
│   │   │   ├── aws-smithy-runtime-api v1.8.5 (*)
│   │   │   ├── aws-smithy-types v1.3.2 (*)
│   ├── aws-sdk-sts v1.80.0
│   │   ├── aws-credential-types v1.2.4 (*)
│   │   ├── aws-runtime v1.5.9 (*)
│   │   ├── aws-smithy-async v1.2.5 (*)
│   │   ├── aws-smithy-http v0.62.2 (*)
│   │   ├── aws-smithy-json v0.61.4
│   │   │   └── aws-smithy-types v1.3.2 (*)
│   │   ├── aws-smithy-query v0.60.7
│   │   │   ├── aws-smithy-types v1.3.2 (*)
│   │   ├── aws-smithy-runtime v1.8.5 (*)
│   │   ├── aws-smithy-runtime-api v1.8.5 (*)
│   │   ├── aws-smithy-types v1.3.2 (*)
│   │   ├── aws-smithy-xml v0.60.10
│   │   ├── aws-types v1.3.8 (*)
│   ├── aws-smithy-async v1.2.5 (*)
│   ├── aws-smithy-http v0.62.2 (*)
│   ├── aws-smithy-json v0.61.4 (*)
│   ├── aws-smithy-runtime v1.8.5 (*)
│   ├── aws-smithy-runtime-api v1.8.5 (*)
│   ├── aws-smithy-types v1.3.2 (*)
│   ├── aws-types v1.3.8 (*)
├── aws-sdk-autoscaling v1.88.0
│   ├── aws-credential-types v1.2.4 (*)
│   ├── aws-runtime v1.5.9 (*)
│   ├── aws-smithy-async v1.2.5 (*)
│   ├── aws-smithy-http v0.62.2 (*)
│   ├── aws-smithy-json v0.61.4 (*)
│   ├── aws-smithy-query v0.60.7 (*)
│   ├── aws-smithy-runtime v1.8.5 (*)
│   ├── aws-smithy-runtime-api v1.8.5 (*)
│   ├── aws-smithy-types v1.3.2 (*)
│   ├── aws-smithy-xml v0.60.10 (*)
│   ├── aws-types v1.3.8 (*)
├── aws-sdk-s3 v1.100.0
│   ├── aws-credential-types v1.2.4 (*)
│   ├── aws-runtime v1.5.9 (*)
│   ├── aws-sigv4 v1.3.3 (*)
│   ├── aws-smithy-async v1.2.5 (*)
│   ├── aws-smithy-checksums v0.63.5
│   │   ├── aws-smithy-http v0.62.2 (*)
│   │   ├── aws-smithy-types v1.3.2 (*)
│   ├── aws-smithy-eventstream v0.60.10 (*)
│   ├── aws-smithy-http v0.62.2 (*)
│   ├── aws-smithy-json v0.61.4 (*)
│   ├── aws-smithy-runtime v1.8.5 (*)
│   ├── aws-smithy-runtime-api v1.8.5 (*)
│   ├── aws-smithy-types v1.3.2 (*)
│   ├── aws-smithy-xml v0.60.10 (*)
│   ├── aws-types v1.3.8 (*)
│   ├── aws-config v1.8.3 (*)
│   ├── aws-sdk-s3 v1.100.0 (*)
├── aws-config v1.8.3 (*)
├── aws-sdk-s3 v1.100.0 (*)
├── aws-config v1.8.3 (*)
├── aws-sdk-autoscaling v1.88.0 (*)
├── aws-sdk-s3 v1.100.0 (*)
├── aws-smithy-runtime v1.8.5 (*)

Environment details (OS name and version, etc.)

Windows Server 2025

Logs

No response
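For logging which layer of an error like the one above actually failed, the following is an added example, not code from the issue or from the SDK. `Layer` and `sample_error` are constructed stand-ins that mirror the nesting in the reported Debug output; the point it shows is that `io::Error::source()` skips the error it wraps, so a plain `source()` walk never reaches the `InvalidData` layer.

```rust
use std::error::Error;
use std::{fmt, io};

/// Constructed stand-in for the wrapper layers named in the report.
#[derive(Debug)]
struct Layer(&'static str, Box<dyn Error + 'static>);

impl fmt::Display for Layer {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str(self.0) }
}
impl Error for Layer {
    fn source(&self) -> Option<&(dyn Error + 'static)> { Some(&*self.1) }
}

/// Step one level down. io::Error::source() forwards to the wrapped error's
/// own source(), skipping the wrapped error itself, so get_ref() is used.
fn next_cause<'a>(e: &'a (dyn Error + 'static)) -> Option<&'a (dyn Error + 'static)> {
    if let Some(inner) = e.downcast_ref::<io::Error>().and_then(|ioe| ioe.get_ref()) {
        let inner: &(dyn Error + 'static) = inner; // drop the Send + Sync bounds
        return Some(inner);
    }
    e.source()
}

/// True if any io::Error layer has kind InvalidData, the kind the report
/// shows around InvalidCertificate(UnknownIssuer).
fn is_certificate_failure(err: &(dyn Error + 'static), descend_io: bool) -> bool {
    let mut cur = Some(err);
    while let Some(e) = cur {
        if let Some(ioe) = e.downcast_ref::<io::Error>() {
            if ioe.kind() == io::ErrorKind::InvalidData { return true; }
        }
        cur = if descend_io { next_cause(e) } else { e.source() };
    }
    false
}

/// Constructed error with the same nesting as the Debug output in the report.
fn sample_error() -> Layer {
    let cert = io::Error::new(io::ErrorKind::InvalidData, "InvalidCertificate(UnknownIssuer)");
    let connect = io::Error::new(io::ErrorKind::Other, cert);
    let hyper = Layer("hyper::Error(Connect)", Box::new(connect));
    Layer("DispatchFailure", Box::new(Layer("ConnectorError", Box::new(hyper))))
}

fn main() {
    let err = sample_error();
    println!("source() only:  {}", is_certificate_failure(&err, false));
    println!("with get_ref(): {}", is_certificate_failure(&err, true));
}
```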

Labels: bug, needs-triage
