[serve s3] SignatureDoesNotMatch error when using --baseurl

What is the problem you are having with rclone?

Getting api error SignatureDoesNotMatch

Run the command 'rclone version' and share the full output of the command.

rclone v1.71.0

  • os/version: rocky 9.5 (64 bit)
  • os/kernel: 5.14.0-503.38.1.el9_5.x86_64 (x86_64)
  • os/type: linux
  • os/arch: amd64
  • go/version: go1.25.0
  • go/linking: static
  • go/tags: none

Which cloud storage system are you using? (eg Google Drive)

N/A

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone serve s3 --addr 127.0.0.1:2025 --auth-key XXX,XXX --baseurl /data /backup

The rclone config contents with secrets removed.

N/A

A log from the command with the -vv flag

# rclone --config s3test.conf lsf fastly:/ --s3-endpoint http://127.0.0.1:2025/data -vvv
2025/08/23 17:24:52 DEBUG : rclone: Version "v1.71.0" starting with parameters ["rclone" "--config" "s3test.conf" "lsf" "fastly:/" "--s3-endpoint" "http://127.0.0.1:2025/data" "-vvv"]
2025/08/23 17:24:52 DEBUG : Creating backend with remote "fastly:/"
2025/08/23 17:24:52 DEBUG : Using config file from "/root/s3test.conf"
2025/08/23 17:24:52 DEBUG : fastly: detected overridden config - adding "{h7Aen}" suffix to name
2025/08/23 17:24:52 DEBUG : fs cache: renaming cache item "fastly:/" to be canonical "fastly{h7Aen}:"
2025/08/23 17:24:52 ERROR : : error listing: operation error S3: ListBuckets, https response error StatusCode: 403, RequestID: , HostID: , api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.
2025/08/23 17:24:52 DEBUG : 5 go routines active
2025/08/23 17:24:52 NOTICE: Failed to lsf with 2 errors: last error was: error in ListJSON: operation error S3: ListBuckets, https response error StatusCode: 403, RequestID: , HostID: , api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.

What is the content of s3test.conf config file?

How do you provide authentication keys?

Post full output of when attempting to connect:

rclone serve s3 --addr 127.0.0.1:2025 --auth-key XXX,XXX --baseurl /data /backup -vv

Overall, your issue looks like a problem with authentication.

It’s the full output.

The authentication error only appears when the --baseurl flag is used.
It looks like S3 v4 auth includes the URL path (?) in the signature calculation, but Rclone is not doing this correctly.

[fastly]
type = s3
provider = Minio
access_key_id = XXX
secret_access_key = XXX
endpoint = http://domain.tld
acl = bucket-owner-full-control

It is not Minio, is it? Not all S3 providers are created the same :) Otherwise we would not need the provider field at all.

Also take note of the use_multipart_uploads comment.

You're right.
But the same error still occurs when using the --s3-provider Rclone flag.

You are right. I can replicate it myself now. It works only without --baseurl.

$ rclone config redacted s3rclone:
[s3rclone]
type = s3
provider = Rclone
access_key_id = test
secret_access_key = test
use_multipart_uploads = false

$ rclone serve s3 --addr 127.0.0.1:2025 --auth-key test,test ~/Temp/test

$ rclone lsf s3rclone: --s3-endpoint http://127.0.0.1:2025
dst/
src/
test/

vs

$ rclone serve s3 --addr 127.0.0.1:2025 --auth-key test,test --baseurl rclone ~/Temp/test -vv
2025/08/24 14:21:28 DEBUG : rclone: Version "v1.71.0" starting with parameters ["rclone" "serve" "s3" "--addr" "127.0.0.1:2025" "--auth-key" "test,test" "--baseurl" "rclone" "/Users/kptsky/Temp/test" "-vv"]
2025/08/24 14:21:28 DEBUG : Creating backend with remote "/Users/kptsky/Temp/test"
2025/08/24 14:21:28 DEBUG : Using config file from "/Users/kptsky/.config/rclone/rclone.conf"
2025/08/24 14:21:28 DEBUG : Local file system at /Users/kptsky/Temp/test: Using hash md5 for ETag
2025/08/24 14:21:28 INFO  : Local file system at /Users/kptsky/Temp/test: poll-interval is not supported by this remote
2025/08/24 14:21:28 NOTICE: Local file system at /Users/kptsky/Temp/test: Starting s3 server on [http://127.0.0.1:2025/rclone/]
2025/08/24 14:21:38 INFO  : serve s3: Access Denied:%!(EXTRA string=127.0.0.1:64217, string==>, *url.URL=/?x-id=ListBuckets)

$ rclone lsf s3rclone: --s3-endpoint http://127.0.0.1:2025/rclone -vv
2025/08/24 14:29:35 DEBUG : rclone: Version "v1.71.0" starting with parameters ["rclone" "lsf" "s3rclone:" "--s3-endpoint" "http://127.0.0.1:2025/rclone" "-vv"]
2025/08/24 14:29:35 DEBUG : Creating backend with remote "s3rclone:"
2025/08/24 14:29:35 DEBUG : Using config file from "/Users/kptsky/.config/rclone/rclone.conf"
2025/08/24 14:29:35 DEBUG : s3rclone: detected overridden config - adding "{Ugr4a}" suffix to name
2025/08/24 14:29:35 DEBUG : S3 root: Disabling multipart uploads
2025/08/24 14:29:35 DEBUG : fs cache: renaming cache item "s3rclone:" to be canonical "s3rclone{Ugr4a}:"
2025/08/24 14:29:35 ERROR : error listing: operation error S3: ListBuckets, https response error StatusCode: 403, RequestID: , HostID: , api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.
2025/08/24 14:29:35 DEBUG : 7 go routines active
2025/08/24 14:29:35 NOTICE: Failed to lsf with 2 errors: last error was: error in ListJSON: operation error S3: ListBuckets, https response error StatusCode: 403, RequestID: , HostID: , api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.

I think it deserves its own GitHub issue :)

Would you mind creating one and referring to this thread?

I have submitted a few patches.

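Why a path prefix can break verification, as an added example that is not part of the thread and not rclone's code: a minimal SigV4 signer in which the request path is part of the canonical request, so a verifier that recomputes the signature over the path with the prefix stripped (the server log above shows `/?x-id=ListBuckets`) gets a different value. The key, host and timestamp are constructed sample values, and `strip_base_url` is a hypothetical model of the routing step; that rclone verifies after stripping is an assumption.

```python
import hashlib
import hmac

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a body-less GET

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_signature(secret, method, path, query, host, amz_date,
                    region="us-east-1", service="s3"):
    """Hex SigV4 signature for a request with an empty body."""
    headers = {"host": host, "x-amz-content-sha256": EMPTY_SHA256,
               "x-amz-date": amz_date}
    names = sorted(headers)
    canonical_request = "\n".join([
        method,
        path,   # canonical URI: the request path is signed
        query,  # canonical query string
        "".join(f"{n}:{headers[n]}\n" for n in names),
        ";".join(names),
        EMPTY_SHA256,
    ])
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)
    return _hmac(key, string_to_sign).hex()

# Constructed sample values mirroring the reproduction in the thread.
SECRET, HOST, DATE, QUERY = "test", "127.0.0.1:2025", "20250824T142935Z", "x-id=ListBuckets"

def server_accepts(client_sig: str, path_seen: str) -> bool:
    """Model of a verifier that recomputes the signature over the path it sees."""
    expected = sigv4_signature(SECRET, "GET", path_seen, QUERY, HOST, DATE)
    return hmac.compare_digest(client_sig, expected)

def strip_base_url(path: str, base: str) -> str:
    """Hypothetical router step: drop the --baseurl prefix before the handler."""
    prefix = "/" + base.strip("/")
    if path == prefix or path.startswith(prefix + "/"):
        return path[len(prefix):] or "/"
    return path

client_sig = sigv4_signature(SECRET, "GET", "/rclone/", QUERY, HOST, DATE)
print(server_accepts(client_sig, "/rclone/"),
      server_accepts(client_sig, strip_base_url("/rclone/", "rclone")))  # True False
```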