
Getting Ec2 Autoscale Signature Errors after sending subscription request to Salt from SNS

Open presleyacuna opened this issue 9 years ago • 3 comments

Hi,

Here's the body of the e-mail I receive from init.sls:

There was an error with the EC2 Signature. Content received was:

{'Message': '{"notificationType":"Delivery","mail":{"timestamp":"2016-01-05T21:53:41.711Z","source":"[email protected]","sourceArn":"arn:aws:ses:us-east-1:119183261856:identity/[email protected]","sendingAccountId":"119183261856","messageId":"0000015213c8054f-5ea63928-47a9-4094-a787-dd8d004fe1a7-000000","destination":["[email protected]"]},"delivery":{"timestamp":"2016-01-05T21:53:42.365Z","processingTimeMillis":654,"recipients":["[email protected]"],"smtpResponse":"250 2.0.0 OK 1452030822 b6si8242311qhb.113 - gsmtp","reportingMTA":"a9-40.smtp-out.amazonses.com"}}',
 'MessageId': '73756525-2fee-5876-8163-2a231248adaf',
 'Signature': 'Tf+hoY9dfVesumthZ3chSXOBXd81ivsYWqiqdfIblapgiyNRdd4qavzWWhURF6r0sXO8kTfh4UzERIk2NpMVzi0P2UE4UFlyZWLLMyLmMgYGDQ4EGNvx60D/IU4rbNaBmZf/TXrOzj0VxtNl3T0QWwBZo7W/f7Fzgmv+lzuASNaCUM8oBm7dO1FcR6WX8UJm4+uAsoWQ50Gr9tvqO7eeKFC18FKhr9iMtgi6zy6luJ30mUGOmWwTWmqBqDBh/qMpxgwQsUyqLGq4XBMc/8mLR2brb7phw5vvk5SXDOxttIeVxH2z5bqZFkZ08DomuOQG9hy3KKAezbMSKFiofC5WzA==',
 'SignatureVersion': '1',
 'SigningCertURL': 'https://sns.us-east-1.amazonaws.com/SimpleNotificationService-bb750dd426d95ee9390147a5624348ee.pem',
 'Subject': '',
 'Timestamp': '2016-01-05T21:53:42.442Z',
 'TopicArn': 'arn:aws:sns:us-east-1:119183261856:Delivery-Autoscaling-Events',
 'Type': 'Notification',
 'UnsubscribeURL': 'https://sns.us-east-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-1:119183261856:Delivery-Autoscaling-Events:72b708fc-d558-4284-8a59-5093798b4e91'}

It's this bit of code that's doing it, I'm pretty sure.

    cert = M2Crypto.X509.load_cert_string(str(pem))
    pubkey = cert.get_pubkey()
    pubkey.reset_context(md='sha1')
    pubkey.verify_init()
    pubkey.verify_update(str_to_sign.encode())

    decoded = binascii.a2b_base64(sns['Signature'])
    result = pubkey.verify_final(decoded)

    if result != 1:
        msg_kwargs = {
            'smtp.subject': 'EC2 Autoscale Signature Error (via Salt Reactor)',
            'smtp.content': (
                'There was an error with the EC2 Signature. '
                'Content received was:\r\n\r\n{0}\r\n').format(
                    pprint.pformat(sns)
                ),

Something derailing during the binascii.a2b_base64 function maybe? Any ideas what could be wrong? Or things I could check?

Thanks for any hints!

-Presley

presleyacuna avatar Jan 05 '16 22:01 presleyacuna

The state needs to be updated. Subscription confirmations don't include a subject, so https://github.com/saltstack-formulas/ec2-autoscale-reactor/blob/master/ec2-autoscale/init.sls#L55. I'm working on this actually right now too. I'm using it as a basis for an RDS notification and I need to abstract out the verification and subscription process.

benhosmer avatar Feb 08 '16 13:02 benhosmer

Here are the updated fields from AWS: http://docs.aws.amazon.com/sns/latest/dg/SendMessageToHttp.verify.signature.html

benhosmer avatar Feb 08 '16 13:02 benhosmer
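
The canonical string described on the AWS page linked above, as an added example that is not part of this thread or of the formula's code: the signed field list depends on `Type`, and `Subject` is signed only when SNS sent it. The helper names `string_to_sign` and `cert_url_is_trusted`, the host pattern, and the sample messages are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Signed fields, in signing order, per the AWS SNS signature-verification docs.
_CONFIRM = ("Message", "MessageId", "SubscribeURL", "Timestamp",
            "Token", "TopicArn", "Type")
SIGNED_FIELDS = {
    "Notification": ("Message", "MessageId", "Subject", "Timestamp",
                     "TopicArn", "Type"),
    "SubscriptionConfirmation": _CONFIRM,
    "UnsubscribeConfirmation": _CONFIRM,
}
OPTIONAL = {"Subject"}  # signed only when SNS actually sent it
# Assumed allow-list pattern for SNS endpoint hosts (not from the page).
CERT_HOST = re.compile(r"sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?")


def string_to_sign(sns):
    """Build the canonical string for a parsed SNS message (hypothetical helper)."""
    fields = SIGNED_FIELDS.get(sns.get("Type"))
    if fields is None:
        raise ValueError("unexpected SNS Type: %r" % (sns.get("Type"),))
    parts = []
    for name in fields:
        value = sns.get(name)
        if value is None:
            if name in OPTIONAL:
                continue  # absent Subject adds nothing, not "Subject\n\n"
            raise ValueError("missing signed field: " + name)
        parts.append("%s\n%s\n" % (name, value))
    return "".join(parts)


def cert_url_is_trusted(url):
    """Accept only an https .pem URL on an SNS host, with no port or userinfo."""
    u = urlparse(url)
    host = u.hostname or ""
    return (u.scheme == "https" and u.netloc.lower() == host
            and CERT_HOST.fullmatch(host) is not None
            and u.path.endswith(".pem"))


# Constructed sample messages (placeholder values, not taken from the issue).
NOTIFICATION = {"Type": "Notification", "MessageId": "id-1", "Message": "hello",
                "Timestamp": "2016-01-05T21:53:42.442Z",
                "TopicArn": "arn:aws:sns:us-east-1:000000000000:example-topic"}
CONFIRMATION = dict(NOTIFICATION, Type="SubscriptionConfirmation", Token="tok",
                    SubscribeURL="https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription")
```

The returned string is what would be passed to `verify_update()` in the snippet quoted in the issue, and the URL check belongs before the certificate at `SigningCertURL` is downloaded.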

Is there an update on this issue? I'm receiving the same error.

lanmalkieri avatar Dec 06 '16 19:12 lanmalkieri