Signature expired: is now earlier than error : InvalidSignatureException

48
votes

I am trying a small example with AWS API Gateway and IAM authorization. The AWS API Gateway generated the below Endpoint : 

https://xyz1234.execute-api.us-east-2.amazonaws.com/Users/users

with POST action and no parameters.

Initially I had turned off the IAM for this POST Method and I verified results using Postman it works. Then I created a new IAM User and attached AmazonAPIGatewayInvokeFullAccess Policy to the user thereby giving permission to invoke any API's. Enabled the IAM for the POST Method.

I then went to Postman - and added Authorization with AccessKey, Secret Key, AWS Region as us-east-2 and Service Name as execute-api and tried to execute the Request but I got InvalidSignatureException Error with 403 as return code.

The body contains following message :

Signature expired: 20170517T062414Z is now earlier than 20170517T062840Z (20170517T063340Z - 5 min.)"

What am I missing ?

12
amazon-web-servicespostmanaws-api-gatewayamazon-iam
Did you set the clock and time zone properly on the machine where you generated the signature?Michael - sqlbot
Thank you @Michael-sqlbot - by mistake the time was set manually on the machine and was not set to the standard time.j10

12 Answers

49
votes

A request signed with AWS sigV4 includes a timestamp for when the signature was created. Signatures are only valid for a short amount of time after they are created. (This limits the amount of time that a replay attack can be attempted.)

When the signature is validated the timestamp is compared to the current time. If this indicates that the signature was not created recently, then signature validation fails with the error message you mentioned.

A common cause of this is when the local clock on the host generating the signature is off by more than a couple of minutes.

44
votes

You need to synchronize your machines local clock with NTP.

for eg. on an ubuntu machine:

sudo ntpdate pool.ntp.org

System time goes out of sync quite often. You need to keep them in sync periodically.

You can run a daily CRON job to keep your system time in sync as mentioned at this link: Periodically synchronize time in Linux

Create a bash script to sync time called ntpdate and put the below into it

#!/bin/sh
# sync server time
/usr/sbin/ntpdate pool.ntp.org >> /tmp/ntpdate.log

You can place this script anywhere you like and then set up a cron I will be putting it into the daily cron directory so that it runs once every day So my ntpdate script is now in /etc/cron.daily/ntpdate and it will run every day

Make this script executable

chmod +x /etc/cron.daily/ntpdate

Test it by running the script once and look for some output in /tmp/ntpdate.log

/etc/cron.daily/ntpdate

In your log file you should see something like

26 Aug 12:19:06 ntpdate[2191]: adjust time server 206.108.0.131 offset 0.272120 sec
14
votes

Faced similar issue when I use timedatectl command to change datetime of underlying machine... Explanation given by MikeD & others are really informative to fix the issue....

sudo apt install ntp
sudo apt install ntpdate
sudo ntpdate ntp.ubuntu.com

After synchronizing time with correct current datetime, this issue will be resolved

6
votes

This one command did the trick 

sudo ntpdate pool.ntp.org
4
votes

If you are in AWS Ec2 Ubuntu server and somehow not able to fix time with NTP thing.

sudo date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"

Source:https://askubuntu.com/a/655528

3
votes

Make sure your PC's clock is set correctly. I faced the same issue and then realized my clock wasn't showing the right time due to some reason. As soon as I corrected the time, it started working fine again! Hope this helped.

2
votes

For me, the issue happened while using WSL. The date in WSL was out of sync. The solution was to run the command wsl --shutdown and restart docker.

1
votes

I was also facing this issue , added

correctClockSkew: true

and issue fixed for me 

const nodemailer = require('nodemailer');
const ses = require('nodemailer-ses-transport');



let transporter = nodemailer.createTransport(ses({
        correctClockSkew: true,
        accessKeyId: **,
        secretAccessKey: **,
        region: **
    }));
1
votes

For those who face this issue while running Lambda functions (that use other AWS services like DynamoDB) locally with sam local invoke: The time in docker container, used by sam, may not be in sync with host. Restarting your docker on host (Docker Desktop on Windows) should resolve this issue.

1
votes

I was making AWS API requests from a VM on my local machine. I checked the date was correct and was syncing, but I was still getting the error above. I halted and re-upped my VM and the error went away. I never figured out the exact cause, but "turning it off and back on again" fixed it.

0
votes

I have face this same problem while fetching video from Amazon Kinesis to my local website. So, in order to solve this problem i have install crony in my computer.This crony solved my problem.You can see the Amazon crony installation in this following link. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html

0
votes

Complementing what as @miked-at-aws post about AWS sigV4, There are at least 2 main possible root causes for the clock skew:

  1. your CPU is overloaded (reaching 99% usage or in EC2 instances with CPU limits that run out on CPU credits).

Why would this generate the time skew? because when the amazon SDK creates the time stamp to the moment the request is sent, normally there shouldn't be more than just a few nano or micro seconds, but if your CPU is overwhelmed it may take it several seconds or even minutes in some cases to process, so for this root cause you will experience not a 100% events lost but just some x% that may not be too big.

  1. for the second root cause which is that your machine clock isn't just adjusted, well probably 100% of your events are being lost and you just have to make sure that your machine clock is being set and adjusted correctly.