I'm running into the following error when I test the action:
REST call for action execute failed. Message:Unable to send message after 2 attempts, due to: SSLPeerUnverifiedException: Certificate for <aaron-mader-public.s3.amazonaws.com> doesn't match any of the subject alternative names: [*.s3.amazonaws.com, s3.amazonaws.com] [7085bf36-dca6-414a-93cd-07fd530116e7]
It looks like wildcard SSL certs are not supported? Is there a reason for this? I believe that my actual production endpoint is also serviced by a wildcard SSL certificate.
The issue here ended up being a DNS thing specific to S3. Under the covers, S3 uses regional endpoints. So the endpoint you are really hitting is *.s3.us-east-1.amazonaws.com, and that mismatch is what's causing the error.
For my own education, I'm not sure that I follow your explanation. It sounds like you're saying the issue is related to AWS's use of CNAMEs? But I wouldn't expect CNAMEs to be a factor as long as the server responding to the request responds with the correct certificate for the given hostname.
I'd love to read more about the technical approach you're taking here to perform this SSL verification. In part, so I can understand whether I'll have any issues connecting to my production environment, and in part, for my own curiosity. But that's just a want, not a need.
I was able to find the root cause for this issue this morning. We currently don't allow a certificate for *.s3.amazonaws.com due to an out-of-date configuration file that has this address marked as not acceptable for certificates. For example, no certificate should be able to be *.com as that would allow one cert to be trusted for google.com, amazon.com, etc. In this case *.s3.amazonaws.com is on that list, so it is not trusted. Adding the .us-east-1. to the domain name works around this issue.
Unfortunately, this file is tied up with some of our other tooling, so I don't know when we will be able to get it updated.
Thanks for asking about this issue, it was a doozy!
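To illustrate the kind of check the last reply describes (a wildcard SAN is fine when it covers one label, but is refused when the part after "*." is a name on a list of suffixes that no single certificate should be trusted for), here is an added Python example. It is not the product's verifier or any library's code; the suffix list and the SAN lists are constructed for the example, and the functions `san_matches`, `wildcard_rejected_reason` and `verify_hostname` are hypothetical names. The same idea underlies the Public Suffix List that real hostname verifiers consult.

```python
"""Hostname verification against certificate subject alternative names (SANs).

Added illustration of wildcard matching plus a "disallowed wildcard base"
check; not the original product's implementation.
"""
from typing import Iterable, Optional, Tuple

# Constructed list (assumption for this example): suffixes on which a wildcard
# label is never accepted. Real verifiers use the much larger Public Suffix List.
DISALLOWED_WILDCARD_BASES = {"com", "amazonaws.com", "s3.amazonaws.com"}


def _normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are canonical."""
    return name.strip().lower().rstrip(".")


def wildcard_rejected_reason(pattern: str) -> Optional[str]:
    """Explain why a wildcard SAN pattern is unusable, or return None if it is fine."""
    if "*" not in pattern:
        return None
    labels = pattern.split(".")
    # Only a whole leftmost label may be the wildcard (no "w*.example.com").
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        return "wildcard must be the whole leftmost label"
    base = ".".join(labels[1:])
    # "*.com" would match every .com host; require at least two base labels.
    if len(labels) < 3:
        return f"wildcard base '{base}' is too short"
    if base in DISALLOWED_WILDCARD_BASES:
        return f"wildcard base '{base}' is a public suffix"
    return None


def san_matches(pattern: str, hostname: str) -> bool:
    """Does one SAN entry (possibly a wildcard) cover the hostname?"""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    if wildcard_rejected_reason(pattern) is not None:
        return False
    base = pattern[2:]  # everything after "*."
    if not hostname.endswith("." + base):
        return False
    leftmost = hostname[: -len(base) - 1]
    # The wildcard stands in for exactly one non-empty label, never "a.b".
    return bool(leftmost) and "." not in leftmost


def verify_hostname(hostname: str, sans: Iterable[str]) -> Tuple[bool, str]:
    """Return (ok, detail): the SAN that matched, or an explanation of the failure."""
    sans = list(sans)
    for san in sans:
        if san_matches(san, hostname):
            return True, san
    reasons = [r for r in (wildcard_rejected_reason(_normalize(s)) for s in sans) if r]
    detail = f"{hostname} doesn't match any of the subject alternative names: {sans}"
    if reasons:
        detail += " (" + "; ".join(reasons) + ")"
    return False, detail


if __name__ == "__main__":
    # Constructed SAN lists modelled on the error in the thread; they are not
    # copied from a real certificate.
    print(verify_hostname("aaron-mader-public.s3.amazonaws.com",
                          ["*.s3.amazonaws.com", "s3.amazonaws.com"]))
    print(verify_hostname("aaron-mader-public.s3.us-east-1.amazonaws.com",
                          ["*.s3.us-east-1.amazonaws.com"]))
```

The first call fails with the public-suffix reason even though the name would match the wildcard textually, which is the behaviour reported above; the second succeeds because `s3.us-east-1.amazonaws.com` is not on the disallowed list, matching the work-around in the reply.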