InvalidSignatureException: Signature expired #527
Comments
|
Just curious are you able to synchronize your NTP server/clock with AWS' ? Several months ago, I encountered this error a couple of times, when creating signatures on my local machine. Hopefully this doc will be relevant: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html |
|
I've looked into the clock thing before but don't think that's it. In the stack trace above, the date is off by like 48 hours, so that would be a lot of clock skew. |
|
@evansolomon I'm not sure why clock skew would be ruled out, it seems to coincide precisely with your usage pattern described above:
If Docker images only resync NTP when they are re-activated through commands and they have not been activated in multiple days, that would explain the skew pretty accurately. The SDK definitely relies on "current system time" when making requests, so it needs to be synced prior to sending requests. You might see the exact same behavior on a development machine right after waking the machine up from sleep (prior to clock sync), for example. I would recommend taking stock of the |
|
I have tried running I don't know how the internals of docker image clocks work, but I just took a couple of old (and not recently used) docker images on my machine and ran I agree it does seem like a good theory, but I haven't been able to find any evidence of it. |
|
@evansolomon Do you also encounter the error when you run the same code outside your Docker image? Alternatively, would you be able to share your Docker image? This would help debug the issue. |
I assume you mean this line I parsed that as March 7, 2015 19:47 is earlier than March 9, 2015 20:40. I don't really know what the 5 minute thing on the end means, I was thinking maybe that was the threshold.
Just tried again on an image I haven't used since yesterday and got "Tue Mar 10 18:22:48 UTC 2015" (which is correct at the time I'm writing this).
I'm not sure. Our workflow is pretty heavily Docker-centric, so this isn't much of a use case for me.
It is based on https://github.com/phusion/passenger-docker. The only differences are some nginx configs, the shared |
|
@evansolomon did you ever find the cause/solution for this? I've got the same issue on a docker machine running on debian:jessie. Pretty much same exact stack trace as yours. |
|
@kyriesent Sorry, never really figured it out |
|
Turns out mine was a clock syncing issue on my VM. Running a sync between the VM and the host cleared it up. |
|
@evansolomon I've just pushed a patch that offsets the SDK clock when a clock skew error is detected. Simply set the Here's an example: var dynamodb = new AWS.DynamoDB({correctClockSkew: true});Let me know if this works for you. Thanks for your patience. |
|
Thanks for the update. Is there a reason this shouldn't be on by default? |
|
@evansolomon This is turned off by default because there may be other customers who are applying a clock skew correction using the |
|
Are there cases where systemClockOffset is set to 0 and the user would not want the skew correction to be applied? It seems like that would be a sensible default, but maybe I'm missing something. |
|
hi all, same issue 'Signature expired' on aws command line hope it helps |
|
I encountered this issue locally, and restarting my docker daemon fixed it. |
|
@Clee681 thank you for sharing your experience and solution! Restarting docker daemon fixed my problem as well - could take much longer to solve it without seeing your comment. |
|
None of the above mentions workarounds worked for me, even though the environment was similar. One difference may be that I was uploading via the --zip-file method of the aws-cli over a slow network. The upload was actually taking more than 5 minutes and consequently giving the SignatureDoesNotMatch error. I was able to work around this slow network by uploading first to s3, and then instead of the zip-file command line option using the --s3-bucket and --s3-key options. Perhaps this is an unrelated issue but it took me long enough to solve that I thought I'd document it here in case. |
|
if you are running docker on OS X then this is probably the cause, a long-standing issue with docker not resyncing the clock after sleep. Fix coming in next release. |
|
go to vm settings -> date&time -> enable date and time with internetaccess ... this issue should be fix. |
|
would love to see correctClockSkew default to True in the future since this fixes a problem that virtually everyone will eventually run in to. Having it default to false is like embedding a non-deterministic bug that causes problem for ~0.1% of users in everyone's AWS implementation. Any site with lots of diverse users will eventually have to deal with this likely after their implementation has gone into production. I've opened an issue regarding this for discussion: #1632 |
|
I have an exactly same issue. I run Ubuntu terminal on Windows 10. Any solution for this? |
|
a restart of the VM helped me |
srchase
added
guidance
|
Run the command to sync clock |
|
restarting docker daemon fixed it |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread. |
First, I know there have been several similar issues in the past. I've tried to read through them all but they all seem to be either for issues that are closed or for different problems.
I have a bunch of apps that run on AWS + Docker and at some point will randomly start throwing these errors. I think the error usually comes up when I haven't worked on the app for a couple days, so the "expiration" is pretty extreme. For example, the one I just got is "expired" by 2 days.
Some details that are probably relevant:
~/.aws/.awsdirectory along the lines ofdocker run --volume "${HOME}/.aws":/home/app/.aws whatever-image-nameI've dug through the internals of the SDK a bit, but I don't quite know what I'm looking for and hoping you can point me in a more productive direction.
Currently I'm using v2.1.14 (I know there are a couple newer patch releases in the last couple days). Here is a recent stack track.
The text was updated successfully, but these errors were encountered: