Signature expired: is now earlier than error : InvalidSignatureException

amazon-web-services postman aws-api-gateway amazon-iam

64,478

Solution 1

A request signed with AWS sigV4 includes a timestamp for when the signature was created. Signatures are only valid for a short amount of time after they are created. (This limits the amount of time that a replay attack can be attempted.)

When the signature is validated the timestamp is compared to the current time. If this indicates that the signature was not created recently, then signature validation fails with the error message you mentioned.

If you get this on in a Docker container on Windows that uses WSL, then it may help to fix the WSL time with by running wsl -d docker-desktop -e /sbin/hwclock -s in a Powershell. You can verify this is the case beforehand by logging into the container and typing date in the terminal and comparing it with your host machine time.

A common cause of this is when the local clock on the host generating the signature is off by more than a couple of minutes.

Solution 2

You need to synchronize your machines local clock with NTP.

for eg. on an ubuntu machine:

sudo ntpdate pool.ntp.org

System time goes out of sync quite often. You need to keep them in sync periodically.

You can run a daily CRON job to keep your system time in sync as mentioned at this link: Periodically synchronize time in Linux

Create a bash script to sync time called ntpdate and put the below into it

#!/bin/sh
# sync server time
/usr/sbin/ntpdate pool.ntp.org >> /tmp/ntpdate.log

You can place this script anywhere you like and then set up a cron I will be putting it into the daily cron directory so that it runs once every day So my ntpdate script is now in /etc/cron.daily/ntpdate and it will run every day

Make this script executable

chmod +x /etc/cron.daily/ntpdate

Test it by running the script once and look for some output in /tmp/ntpdate.log

/etc/cron.daily/ntpdate

In your log file you should see something like

26 Aug 12:19:06 ntpdate[2191]: adjust time server 206.108.0.131 offset 0.272120 sec

Solution 3

Faced similar issue when I use timedatectl command to change datetime of underlying machine... Explanation given by MikeD & others are really informative to fix the issue....

sudo apt install ntp
sudo apt install ntpdate
sudo ntpdate ntp.ubuntu.com

After synchronizing time with correct current datetime, this issue will be resolved

Solution 4

For me, the issue happened while using WSL. The date in WSL was out of sync. The solution was to run the command wsl --shutdown and restart docker.

Solution 5

Make sure your PC's clock is set correctly. I faced the same issue and then realized my clock wasn't showing the right time due to some reason. As soon as I corrected the time, it started working fine again! Hope this helped.

View more solutions

64,478

Author by

j10

Updated on July 16, 2022

Comments

j10 almost 2 years
I am trying a small example with AWS API Gateway and IAM authorization. The AWS API Gateway generated the below Endpoint :
```
https://xyz1234.execute-api.us-east-2.amazonaws.com/Users/users
```
with POST action and no parameters.

Initially I had turned off the IAM for this POST Method and I verified results using Postman it works. Then I created a new IAM User and attached AmazonAPIGatewayInvokeFullAccess Policy to the user thereby giving permission to invoke any API's. Enabled the IAM for the POST Method.

I then went to Postman - and added Authorization with AccessKey, Secret Key, AWS Region as us-east-2 and Service Name as execute-api and tried to execute the Request but I got InvalidSignatureException Error with 403 as return code.

The body contains following message :
```
Signature expired: 20170517T062414Z is now earlier than 20170517T062840Z (20170517T063340Z - 5 min.)" 
```
What am I missing ?
j10 almost 7 years

Thanks for sharing that @Yeshodhan. a guess - I have set my MacBook's time to Auto Set Date and Time - I believe this will take care of synchronization ?
Akshay Agarwal about 5 years

This is very likely to happen if you are on a VM, especially using Vagrant and if you leverage the suspend command frequently. Just a note from personal experience.
mikemaccana over 3 years

Thanks (and welcome to stack overflow!). In my case I was using a VM (WSL2) which had become out of sync with the host, fixing the time on the VM 9either manually or by just restarting it) resolved the error.
ThorSummoner over 3 years

is this tool just plain removed in ubuntu 20?
James almost 3 years

Nailed it! For clarification for anyone else who does this, run wsl --shutdown in Powershell and once it finishes shutting down then Docker will pop up a notification saying it needs to restart. WSL will automatically restart somehow during this process.
Luiz Gonçalves over 2 years

Saved my day! Thank you
Marcelo Guedes about 2 years

or your problem is date/time like me. Then: timedatectl set-timezone America/<your_zone> && timedatectl --adjust-system-clock. if dont work, try install chrony and enable the service.