Error uploading media asset when using S3 storage

nannuabhi · April 21, 2022, 4:00am

System Information

Strapi v4
PostgresDB
S3 storage on-prem for media assets

I am using S3 storage and getting error 500 in Strapi admin when I am trying to upload media assets. When I check in the Strapi logs, I see the error “error: unable to verify the first certificate”.

If I don’t use S3 and don’t make these config changes, then I can upload media assets fine. But, in that case I don’t have persisting media storage.

I used Provider upload AWS S3 for uploading with the recommended settings as

config/plugins.js

module.exports = ({ env }) => ({
    upload: {
      config: {
        provider: 'aws-s3',
        providerOptions: {
          endpoint: "https://my-onprem-url",
          accessKeyId: env('AWS_ACCESS_KEY_ID'),
          secretAccessKey: env('AWS_ACCESS_SECRET'),
          region: env('AWS_REGION'),
          params: {
            Bucket: env('AWS_BUCKET'),
          },
        },
      },
    }
  });

config/middlewares.js

{
    name: 'strapi::security',
    config: {
      contentSecurityPolicy: {
        useDefaults: true,
        directives: {
          'connect-src': ["'self'", 'https:'],
          'img-src': ["'self'", 'data:', 'blob:', 'https://my-onprem-url'],
          'media-src': ["'self'", 'data:', 'blob:', 'https://my-onprem-url'],
          upgradeInsecureRequests: null,
        },
      },
    },
  },
...

.env

AWS_ACCESS_KEY_ID="my-key-id"
AWS_ACCESS_SECRET="myaccesssecret"
AWS_REGION="aws-region"
AWS_BUCKET="my-bucket-name"

I have asked this question in Strapi discord community too but didn’t get a response there. This issue is blocking our progress, so any pointers/help will be appreciated.
Note- I did see that there was a similar question but the suggestions there didn’t work in my case.

Eventyret · April 21, 2022, 7:33am

The Error has to do with your certificate and how you are uploading it.
Also are you making the bucket public or is it private ? I think the default plugin forces it to upload to public buckets etc.

Again the error comes down to your SSL certificate etc.

Adding a note here:

You can also try set the NODE_TLS_REJECT_UNAUTHORIZED=0

nannuabhi · April 21, 2022, 3:01pm

I didn’t get any certificate for S3. I just got the information like access key id, access secret, bucket name and URI for on-prem location.

Eventyret · April 21, 2022, 4:15pm

Are you using a VPN by any chance at work etc ?Because it might be injecting a certificate etc.

nannuabhi · April 21, 2022, 9:10pm

Yes, this is using VPN. Also, setting NODE_TLS_REJECT_UNAUTHORIZED=0 is risky.

Eventyret · April 22, 2022, 8:01am

If you can, can you try turn OFF you VPN and then test the upload see if you get the same error.

nannuabhi · April 22, 2022, 9:24pm

I can’t turn VPN OFF because without that I won’t be able to connect to internet and my Strapi CMS site or any site won’t be accessible.
I was able to upload the media asset by setting NODE_TLS_REJECT_UNAUTHORIZED=0, but in addition to it being risky, I was seeing a new error in the browser console "Refused to load the image ‘https://bucket-name.on-prem-url/image-name.png?width=3580&height=2174’ because it violates the following Content Security Policy directive: "img-src ‘self’ data: blob: bucket-name”

nannuabhi · April 22, 2022, 11:55pm

After seeing my last error Refused to load the image ‘https://bucket-name.on-prem-url/image-name.png?width=3580&height=2174’ because it violates the following Content Security Policy directive: "img-src ‘self’ data: blob: bucket-name, I appended my-bucket-name to my-onprem-url in middlewares.js

img-src'img-src': ["'self'", 'data:', 'blob:', 'https://my-bucket-name.my-onprem-url'], 'media-src': ["'self'", 'data:', 'blob:', 'https://my-bucket-name.my-onprem-url']

This seems to be letting me see the asset in the S3 bucket, but I can’t see the asset in media gallery and get the error " GET https://bucket-name.on-prem-url/image-name.png?width=3580&height=2174 403 (Forbidden)"

ptas · November 28, 2022, 4:00pm

Hi @nannuabhi. Did you find an answer for this last issue? I’m also experiencing 403:s after having fixed that CSP issue.

@Eventyret, do you have any insight in this? My S3 is configured the exact same way as recommended in all guides I can read (this one for instance). The app is using the aws access id + access key of the IAM user who is the creator of the bucket. Uploading works just fine.

ptas · November 30, 2022, 7:58am

If anyone else comes across this issue in the future, this was the issue and “solution” for me. I think the documentation/guides for setting up the provider should be updated with the information about policy + cors. I’ll make a PR for that once I get time

nannuabhi · January 3, 2023, 7:47pm

@ptas Sorry for the late reply. I ended up using an express proxy server that acted as a bridge between my CMS and S3.

EvanVaughn · March 2, 2023, 9:34pm

Sorry to hear that you’re facing issues while uploading media assets with S3 storage. The error you mentioned seems to be related to SSL certificate verification. On a side note, if you’re concerned about online security and privacy, I would highly recommend using a VPN like fast vpn. You can encrypt your online traffic and protect your sensitive data from cyber threats. Plus, it can also help you bypass geo-restrictions and access restricted content. Also, make sure that your AWS credentials are correct and your bucket has the necessary permissions to upload media assets.

ChristTaylor · May 30, 2023, 8:49am

As a developer who works with the Frappe framework, I’d like to share with you some useful material about creating web representations in the framework. I recently came across the horrible news of a major leak of customer data from Latitude Financials as a result of a hacker attack. Incidents like this remind us of the need to keep our applications and data secure, and I think this incident becomes further proof that security should be a priority in any project. I recommend reading this article Coles Reports Latitude Financial's Assault Resulted in a Client Data Leak - Deeplab to understand the threats that can arise from a security breach. I hope it will be useful for all of us.

EnricaBrroks · May 30, 2023, 5:36pm

Thanks for sharing.

ayrtoncu · July 18, 2023, 8:43am

Hello, I hope you can help me with this problem I have, I am trying to solve this error but I can not. The database works with Mysql, can someone help me?

stephJ · August 31, 2023, 2:08pm

Thanks for the information!

stephJ · September 1, 2023, 7:24am

Hey folks, I’ve been reading about the BBC’s education project. While it’s important to provide balanced perspectives, let’s also consider that every educational initiative might have some level of bias. It’s a good opportunity for parents and educators to engage in discussions with kids about different viewpoints. Also, enhancing our critical thinking skills is key. Speaking of which, if you’re interested in boosting your critical thinking abilities, check out Quality Assurance (QA) Testing course – GoIT Global. It’s a great resource that can help us navigate complex information and form our own opinions. Let’s encourage well-rounded learning!