
Object Storage Service: 0002-00000225

Last Updated: Mar 28, 2025

Problem description

The signature that includes IP address restrictions in the request does not match the signature that is calculated by Object Storage Service (OSS).

Causes

You initiated a request that used the V4 signature and included IP address restrictions. However, the signature that was included in the request did not match the signature that was calculated by OSS.

Examples

The following code provides a URL-based request that uses the V4 signature and includes the x-oss-ac-subnet-mask field that specifies IP address restrictions. However, the signature in the request is incorrect.

GET /oss.jpg?x-oss-signature-version=OSS4-HMAC-SHA256&x-oss-credential=***&x-oss-ac-subnet-mask=32&x-oss-additional-headers=host&x-oss-signature=InvalidSignature HTTP/1.1
Host: oss-example.oss-cn-hangzhou.aliyuncs.com
Date: Tue, 20 Dec 2022 08:48:18 GMT

Solutions

  • If the request includes IP address restrictions, you must check whether the IP address of the request belongs to the specified IP addresses or CIDR blocks.

  • If you want to use Alibaba Cloud SDKs to initiate a request that uses the V4 signature, see Use Alibaba Cloud SDKs to initiate requests.

    If a signature mismatch is reported after you use Alibaba Cloud SDKs to initiate a request, perform the following steps to troubleshoot the issue.

    1. Check whether the format of the endpoint is valid.

      In this example, the endpoint of the China (Hangzhou) region is used. The valid endpoint is in the following format: http://oss-cn-hangzhou.aliyuncs.com. For more information about the endpoints of other regions, see Regions and endpoints.

    2. Check whether the AccessKey ID and AccessKey secret are valid.

      The AccessKey ID and AccessKey secret cannot start or end with a space.

    3. Make sure that the buckets and objects meet the following naming conventions:

      • Naming conventions for buckets:

        • The name must be unique in OSS.

        • The name can contain lowercase letters, digits, and hyphens (-).

        • The name must start and end with a lowercase letter or a digit.

        • The name must be 3 to 63 characters in length.

      • Naming conventions for objects:

        • The name must be encoded in UTF-8.

        • The name must be 1 to 1,023 bytes in length.

        • The name cannot start with a forward slash (/) or a backslash (\).

        • The name is case-sensitive.

    4. Check the signature method.

      • If you use the self-signed mode and your business environment supports OSS SDKs, use the signature method provided by OSS SDKs. For more information, see Use Alibaba Cloud SDKs to initiate requests.

      • If you use the self-signed mode and your business environment does not support OSS SDKs, you must write code to calculate signatures and add the signatures to RESTful API requests. For more information, see Initiating RESTful API requests.

    5. Check whether the proxy server adds additional headers to the request.

  • Use the self-signed mode.

    If you want to calculate the V4 signature, see Calculate V4 signature by using OSS SDK for Python.

    If the server returns a response that contains the StringToSign parameter, compare the value of the StringToSign parameter on the server with the string that your code built before it calculated the signature. The two must be identical.
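
The checks from steps 2 and 3, the IP address restriction check, and the StringToSign comparison can be run locally before a request is re-sent. The following Python code is an added example, not code from the OSS SDKs or from this document's authors. The function names are hypothetical, signed_ip stands for the IP address that the signer bound into the signature (an assumption), and the whitespace check also rejects tabs and line breaks, which goes slightly beyond the space rule in step 2.

```python
import ipaddress
import re

# Bucket rules from step 3: lowercase letters, digits, hyphens; first and last
# character a lowercase letter or digit; 3 to 63 characters.
BUCKET_RE = re.compile(r"[a-z0-9][a-z0-9-]{1,61}[a-z0-9]")

def preflight(access_key_id, access_key_secret, bucket, key):
    """Return the list of problems found for steps 2 and 3 (empty list = OK)."""
    problems = []
    for label, value in (("AccessKey ID", access_key_id),
                         ("AccessKey secret", access_key_secret)):
        if not value or value != value.strip():
            problems.append(f"{label} is empty or has leading/trailing whitespace")
    if not BUCKET_RE.fullmatch(bucket):
        problems.append("bucket name violates the naming conventions")
    try:
        size = len(key.encode("utf-8"))
    except UnicodeEncodeError:  # e.g. a lone surrogate cannot be UTF-8 encoded
        size = 0
    if not 1 <= size <= 1023 or key[0] in "/\\":
        problems.append("object name violates the naming conventions")
    return problems

def ip_allowed(request_ip, signed_ip, subnet_mask):
    """True if request_ip is inside signed_ip/subnet_mask (mask 32 = one IPv4 address)."""
    network = ipaddress.ip_network(f"{signed_ip}/{subnet_mask}", strict=False)
    return ipaddress.ip_address(request_ip) in network

def first_difference(local_sts, server_sts):
    """Return (line_no, local_line, server_line) for the first mismatch, else None."""
    local, server = local_sts.split("\n"), server_sts.split("\n")
    for i in range(max(len(local), len(server))):
        a = local[i] if i < len(local) else None
        b = server[i] if i < len(server) else None
        if a != b:
            return i + 1, a, b
    return None

if __name__ == "__main__":
    # Constructed sample values; bucket and object names come from the example request.
    print(preflight("id-placeholder", "secret-placeholder ", "oss-example", "oss.jpg"))
    print(ip_allowed("203.0.113.11", "203.0.113.10", 32))     # different host, mask 32
    print(first_difference("line-1\nline-2", "line-1\nline-2 "))  # trailing space
```

A line reported as None by first_difference means that one side has fewer lines than the other, which usually points to a missing or extra trailing line break in the locally built string.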