6367 Unable to Sync .Cloudf - Please check your network connection

I’ve been using the desktop windows version of odrive for years and in the last month, I can’t sync anything to my Amazon Drive that’s in .cloudf. The error message is:

Unable to sync “file.cloudf.”
Please check your network connection or manage your proxy settings.

The IT department checked the firewall and said the odrive has been very chatty and things are getting through, so I’m not sure what the issue is. Please help?

Hi @jusg19,
Do you have other storage linked that is syncing properly, or is Amazon Drive the only storage you use?

Can you trigger the error again and then send a diagnostic from the odrive menu?

Do you have a proxy, local firewall, anti-virus, or any other actively scanning/blocking software that could be in the mix here?

I do not have any other storage linked. Only Amazon drive.
I made it do it and send the diagnostic.
The proxy, firewall, have not changed. The IT dept was just here and they said the data is getting to odrive. They looked for a log file too, but couldn’t find one.

Hi @jusg19,
The error I’m seeing in the log for every remote request is that odrive can’t validate the SSL certificate of the remote host is it trying to communicate with.

This isn’t a general problem with odrive or Amazon, so there must be something on the network there or that system that is interfering or manipulating the traffic in some way.

Did the IT department say they had changed anything on the network within the last several weeks that could be touching traffic? Something like a reverse proxy being in place could cause this type of an issue.

Can you tell me the host name or url for our IT department?

Our method is showing connect for odrive.com and bypassing SSL inspection for that host name.

Is there a way to see the log? If so, I’m sure our department could figure out the problem on our own.

Hi @jusg19,
These low-level SSL errors aren’t surfaced anywhere that users can see.

For Amazon Drive connections, there are a couple domains that are used:

So to confirm, you aren’t getting any errors? Are you seeing me transfer any data or even connect? Something is talking with odrive, we can see the connections. What is causing the errors. Can you give us a copy of the errors?

Hi @jusg19,
The odrive desktop client will connect with the odrive servers (odrive.com) for profile information and other operations dealing with account and service management. All communication to Amazon Drive, however, is direct from your client to Amazon, so we don’t see that traffic. This means all directory listings, downloads, uploads, etc are direct to Amazon via those domains I listed above.

The diagnostics show SSL Certificate verification failures when making a request to Amazon Drive.
This is a sample error after trying to make a request to Amazon:
NetworkException - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

You mentioned that the company is performing SSL inspection, so that is a likely cause of this.

From IT:
I’m seeing connections all over Amazon, too many to allow, and it’s not a small risk. Ask odrive if we can install a Trusted Root certificate somewhere that the odrive client will accept.

Thanks.

Hi @jusg19,
We don’t have a method for defining a Trusted Root certificate in the client, but I can try to narrow down the specific endpoints used. Hopefully that will reduce the risk enough for your IT team.

The fqdn’s for the connections odrive makes to Amazon should be the following:

  • www.amazon.com (needed for OAuth)

  • drive.amazon.com (Used to get the metadata and content uris)

  • api.amazon.com (Amazon Drive api calls)

  • content-[region].drive.amazonaws.com (This is used for dealing with Amazon Drive content, like uploading and downloading. The region is most-likely going to be na in your case, so content-na.drive.amazonaws.com)

  • cdws.[region].amazonaws.com (This is used for metadata calls to Amazon Drive. The region is likely us-east-1 in your case, so cdws.us-east-1.amazonaws.com, but it could be different.

  • odrive-deploy.s3.amazonaws.com - used for auto-updates to the odrive software

www.amazon.com and drive.amazon.com should only be needed while linking and authenticating. Since you have already done this you shouldn’t need those for sync.

For communication to the odrive servers it can be: