Object Storage Service:0002-00000040

Last Updated: Apr 29, 2024

Problem description

The "SignatureDoesNotMatch" error message is returned when an Object Storage Service (OSS) API operation or SDK is used.

<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>SignatureDoesNotMatch</Code>
  <Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
  <RequestId>646DCB189AE2D1333018****</RequestId>
  <HostId>bucket.oss-cn-hangzhou.aliyuncs.com</HostId>
  <OSSAccessKeyId>LTAI******** </OSSAccessKeyId>
  <SignatureProvided>tPN3LTAI******** </SignatureProvided>
  <StringToSign>PUT\n\n\nTue, 23 May 2023 15:24:55 GMT\n/bucket/?acl</StringToSign>
  <StringToSignBytes>50 55 54 0A 0A 0A 54 75 65 2C 20 32 33 20 4D 61 79 20 32 30 32 33 20 31 35 3A 32 34 3A 35 35 20 47 4D 54 0A 2F 64 69 6E 61 72 79 2F 3F 61 63 6C </StringToSignBytes>
  <EC>0002-00000040</EC>
</Error>

Causes

When you call an API operation or use an OSS SDK to access OSS, the client must include a signature for the OSS server to perform identity authentication. If the server returns the preceding error message, the signature that you provided in the request is inconsistent with the signature calculated by the server. As a result, the request is rejected.

Examples

  • OSS returns a signature error when you use a WeChat mini program to send a request, but no signature errors occur when you use a browser to send a request.

  • The signed request is modified by a client proxy before it is sent to OSS. For example, a new header is added to the request.

  • When a domain name that is accelerated by Alibaba Cloud CDN is used to initiate a HEAD request, the HEAD request is automatically converted to a GET request.

    HEAD /ObjectName?objectMeta HTTP/1.1
    Host: your.cdn.com
    Date: Fri, 24 Feb 2012 06:38:30 GMT
    Authorization: OSS qn6q**************:77Dv****************

  • Alibaba Cloud CDN is configured to add the x-oss-range-behavior: standard request header, which modifies how the Range header is handled, to the back-to-origin request. OSS includes every request header that has the x-oss- prefix in the signature calculation, so a header that was not part of the signed request changes the string to be signed.

  • A CNAME record is added to map a custom domain name to a specific bucket, but CNAME is disabled when the client is initialized.

    <?php
    if (is_file(__DIR__ . '/../autoload.php')) {
        require_once __DIR__ . '/../autoload.php';
    }
    if (is_file(__DIR__ . '/../vendor/autoload.php')) {
        require_once __DIR__ . '/../vendor/autoload.php';
    }
    
    use OSS\OssClient;
    use OSS\Core\OssException;
    $accessKeyId = getenv("OSS_ACCESS_KEY_ID");
    $accessKeySecret = getenv("OSS_ACCESS_KEY_SECRET");
    $endpoint = "https://your.cname.com";
    
    try {
        // A CNAME record is added to map a custom domain name to a specific bucket, but CNAME is disabled during initialization. 
        $isCNAME = false;
        $ossClient = new OssClient($accessKeyId, $accessKeySecret, $endpoint, $isCNAME);
    } catch (OssException $e) {
        print $e->getMessage();
    }
  • The calculated signature string contains a plus sign (+) and is not URL-encoded.

    GET /oss.jpg?OSSAccessKeyId=nz2p**********&Expires=1141889120&Signature=ab+cd HTTP/1.1
    Host: oss-example.oss-cn-hangzhou.aliyuncs.com
    Date: Fri, 24 Feb 2012 06:38:30 GMT
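
The plus-sign case from the last item, as an added example that is not part of the OSS documentation or SDKs: it computes a URL signature with HMAC-SHA1 and shows what a form-style query parser recovers with and without URL-encoding. The secret, the key ID, the resource path and the use of Python's parse_qs as a stand-in for server-side query decoding are assumptions.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, quote, urlsplit

def url_signature(secret, verb, expires, resource, content_md5="", content_type=""):
    """base64(hmac-sha1(secret, StringToSign)) for a signed URL, not yet URL-encoded."""
    # No x-oss- headers in this example, so CanonicalizedOSSHeaders is empty.
    sts = f"{verb}\n{content_md5}\n{content_type}\n{expires}\n{resource}"
    mac = hmac.new(secret.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def signed_url(host, key_id, path, expires, signature, encode=True):
    """Build the request URL; encode=False reproduces the broken case."""
    sig = quote(signature, safe="") if encode else signature
    return f"https://{host}{path}?OSSAccessKeyId={key_id}&Expires={expires}&Signature={sig}"

def signature_as_received(url):
    """Signature value after form-style query decoding ('+' becomes a space)."""
    return parse_qs(urlsplit(url).query)["Signature"][0]

def first_expiry_with_plus(secret, resource, start):
    """Search forward for an Expires value whose signature contains '+'."""
    expires = start
    while "+" not in url_signature(secret, "GET", expires, resource):
        expires += 1
    return expires

if __name__ == "__main__":
    secret, key_id = "constructed-secret", "constructed-key-id"  # constructed values
    host, path = "oss-example.oss-cn-hangzhou.aliyuncs.com", "/oss.jpg"
    resource = "/oss-example/oss.jpg"  # assumed /bucket/object form
    expires = first_expiry_with_plus(secret, resource, 1141889120)
    sig = url_signature(secret, "GET", expires, resource)
    for encode in (False, True):
        got = signature_as_received(signed_url(host, key_id, path, expires, sig, encode))
        print(f"encoded={encode}: sent {sig!r}, received {got!r}, match={got == sig}")
```
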

Solutions

If a signature error occurs, perform the following steps to troubleshoot the signature error:

  1. Check whether the AccessKey ID and AccessKey secret are valid.

    You can use the AccessKey ID and AccessKey secret to log on to ossbrowser to check whether the AccessKey ID and AccessKey secret are valid. For more information, see Install and log on to ossbrowser.

  2. Check whether the signature algorithm is valid.

    OSS provides two request methods that can include signatures. For more information, see Include signatures in the Authorization header and Add signatures to URLs. The following items describe the algorithms for the two signature methods:

    • Include signatures in the Authorization header

      StringToSign = VERB + "\n"
                    + Content-MD5 + "\n" 
                    + Content-Type + "\n" 
                    + Date + "\n" 
                    + CanonicalizedOSSHeaders
                    + CanonicalizedResource
      Signature = base64(hmac-sha1(AccessKeySecret, StringToSign))

    • Add signatures to URLs

      StringToSign = VERB + "\n" 
                    + CONTENT-MD5 + "\n" 
                    + CONTENT-TYPE + "\n" 
                    + EXPIRES + "\n" 
                    + CanonicalizedOSSHeaders
                    + CanonicalizedResource
      Signature = urlencode(base64(hmac-sha1(AccessKeySecret, StringToSign)))

    We recommend that you use OSS SDKs to access OSS. This eliminates the need to manually calculate the signature. For more information, see Overview.

  3. Check whether the value of the StringToSign field in the response body is consistent with that in the request.

    The StringToSign field specifies the string to be signed, which is the content over which the HMAC-SHA1 signature is computed by using the AccessKey secret in the signature algorithm.

    Examples:

    PUT /bucket/abc?acl
    Date: Wed, 24 May 2023 02:12:30 GMT
    Authorization: OSS qn6q**************:77Dv****************
    x-oss-abc: mymeta

    The string to be signed calculated by using the preceding method:

    PUT\n\n\nWed, 24 May 2023 02:12:30 GMT\nx-oss-abc:mymeta\n/bucket/abc?acl
  4. After you identify the cause of the signature error, you can select a solution based on the actual scenario.

    Scenario: OSS returns a signature error when you use a WeChat mini program to send a request, but no signature errors occur when you use a browser to send a request.

    Solution: Refer to Step 3 to check whether the value of the StringToSign field in the response body is consistent with that in the request initiated by using the WeChat mini program. If the request initiated by using the WeChat mini program includes the Content-Type field in the StringToSign field, make sure that the Content-Type field is included in signature calculation.

    Scenario: The client proxy modifies the signed request.

    Solution: Refer to Step 3 to check whether the value of the StringToSign field in the response body is consistent with that in the request that you initiated.

    Scenario: When a domain name that is accelerated by Alibaba Cloud CDN is used to initiate a HEAD request, the HEAD request is automatically converted to a GET request.

    Solution: Use one of the following methods:

    • Use the default domain name to initiate a HEAD request.

    • Specify custom headers for the back-to-origin request.

      By default, if the HEAD request that you initiated is redirected from a point of presence (POP) to the origin server, the HEAD request is automatically converted to a GET request. If you do not want the HEAD request to be converted to a GET request, you can specify custom headers for the back-to-origin request based on the following configuration. For more information, see Configure custom request headers (old).

        • Custom header: Ali-Swift-Fwd-Head

        • Value: on

        Important: This configuration takes effect for all HEAD requests that are related to the domain name. Exercise caution when you specify a custom header.

    Scenario: The x-oss-range-behavior: standard header is added to the request by Alibaba Cloud CDN.

    Solution: Add the x-oss-range-behavior: standard request header to the request for signature calculation when you initiate a request from the client.

    Scenario: A CNAME record is added to map a custom domain name to a specific bucket, but CNAME is disabled.

    Solution: Enable CNAME. For example, if you want to use OSS SDK for Java to enable CNAME, set the setSupportCname parameter to true. For more information about how to enable CNAME by using OSS SDKs for other programming languages, see Overview.

    Scenario: The calculated signature string in the signed URL contains a plus sign (+).

    Solution: Encode the signature in the signed URL before you initiate a request.

    GET /oss.jpg?OSSAccessKeyId=nz2p**********&Expires=1141889120&Signature=ab%2Bcd HTTP/1.1
    Host: oss-example.oss-cn-hangzhou.aliyuncs.com
    Date: Fri, 24 Feb 2012 06:38:30 GMT
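
The Step 2 formula for the Authorization header and the Step 3 comparison, as an added example that is not code from the OSS documentation or SDKs: it rebuilds StringToSign on the client, extracts the server's StringToSign from an error body, and names the field that differs. The function names, the sample error body and the handling of a literal "\n" in the returned string are assumptions.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

FIELDS = ["VERB", "Content-MD5", "Content-Type", "Date"]

def string_to_sign(verb, headers, resource):
    """StringToSign for the Authorization-header method, per the Step 2 formula."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # CanonicalizedOSSHeaders: each x-oss- header as "name:value" plus newline, sorted.
    oss = "".join(f"{k}:{h[k]}\n" for k in sorted(h) if k.startswith("x-oss-"))
    fixed = [verb, h.get("content-md5", ""), h.get("content-type", ""), h.get("date", "")]
    return "\n".join(fixed) + "\n" + oss + resource

def authorization(key_id, secret, sts):
    """Header value in the form OSS <AccessKeyId>:<base64(hmac-sha1(secret, sts))>."""
    mac = hmac.new(secret.encode(), sts.encode(), hashlib.sha1).digest()
    return f"OSS {key_id}:{base64.b64encode(mac).decode()}"

def server_string_to_sign(error_xml):
    """Extract StringToSign from a SignatureDoesNotMatch body, or None if absent."""
    text = ET.fromstring(error_xml).findtext("StringToSign")
    # Assumption: accept real newlines as well as the literal backslash-n shown on this page.
    return None if text is None else text.replace("\\n", "\n")

def mismatches(client_sts, server_sts):
    """List (field, client_value, server_value) for every line that differs."""
    c, s = client_sts.split("\n"), server_sts.split("\n")
    width = max(len(c), len(s))
    c += ["<absent>"] * (width - len(c))
    s += ["<absent>"] * (width - len(s))
    label = lambda i: FIELDS[i] if i < len(FIELDS) else f"line {i + 1} (x-oss- headers/resource)"
    return [(label(i), a, b) for i, (a, b) in enumerate(zip(c, s)) if a != b]

# Constructed sample: the client signed with no Content-Type, but one was sent.
SAMPLE_ERROR = r"""<Error>
  <Code>SignatureDoesNotMatch</Code>
  <StringToSign>PUT\n\napplication/json\nWed, 24 May 2023 02:12:30 GMT\nx-oss-abc:mymeta\n/bucket/abc?acl</StringToSign>
</Error>"""

if __name__ == "__main__":
    signed = string_to_sign("PUT", {"Date": "Wed, 24 May 2023 02:12:30 GMT",
                                    "x-oss-abc": "mymeta"}, "/bucket/abc?acl")
    for field, mine, theirs in mismatches(signed, server_string_to_sign(SAMPLE_ERROR)):
        print(f"{field}: signed {mine!r}, server saw {theirs!r}")
```
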