This repository has been archived by the owner on Apr 6, 2022. It is now read-only.

403 - Signature Does Not Match on HTTPS #65

Open
humbertowoody opened this issue Nov 13, 2019 · 0 comments

Comments

@humbertowoody

humbertowoody commented Nov 13, 2019

Hi!

Our current implementation of an upload-profile-picture feature works perfectly under our HTTP staging deployment. However, on production (with the same keys, just for testing) using HTTPS, the upload fails with 403 no matter what and gives the following error:

<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>SignatureDoesNotMatch</Code>
  <Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message> 
  <AWSAccessKeyId>IWon'tPostNoKeysOnGitHub</AWSAccessKeyId>
 <StringToSign>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</StringToSign>
  <SignatureProvided>ed611b066e4abdcc606331798682fbd77e67c1aaab680c3cdde12a55d5a6d75d</SignatureProvided>
  <StringToSignBytes>65 79 4a 6c 65 48 42 70 63 6d 46 30 61 57 39 75 49 6a 6f 69 4d 6a 41 78 4f 53 30 78 4d 53 30 78 4e 46 51 77 4d 44 6f 7a 4d 54 6f 30 4d 79 34 77 4d 54 6c 61 49 69 77 69 59 32 39 75 5a 47 6c 30 61 57 39 75 63 79 49 36 57 33 73 69 59 57 4e 73 49 6a 6f 69 63 48 56 69 62 47 6c 6a 4c 58 4a 6c 59 57 51 69 66 53 78 37 49 6d 4a 31 59 32 74 6c 64 43 49 36 49 6e 5a 68 62 48 55 74 63 48 4a 76 5a 6d 6c 73 5a 58 4d 69 66 53 78 62 49 6e 4e 30 59 58 4a 30 63 79 31 33 61 58 52 6f 49 69 77 69 4a 47 74 6c 65 53 49 73 49 6e 42 79 62 32 5a 70 62 47 55 74 61 57 31 68 5a 32 56 7a 4c 79 4a 64 4c 46 73 69 63 33 52 68 63 6e 52 7a 4c 58 64 70 64 47 67 69 4c 43 49 6b 51 32 39 75 64 47 56 75 64 43 31 55 65 58 42 6c 49 69 77 69 49 6c 30 73 57 79 4a 7a 64 47 46 79 64 48 4d 74 64 32 6c 30 61 43 49 73 49 69 52 34 4c 57 46 74 65 69 31 74 5a 58 52 68 4c 58 52 68 5a 79 49 73 49 69 4a 64 4c 48 73 69 65 43 31 68 62 58 6f 74 59 57 78 6e 62 33 4a 70 64 47 68 74 49 6a 6f 69 51 56 64 54 4e 43 31 49 54 55 46 44 4c 56 4e 49 51 54 49 31 4e 69 4a 39 4c 48 73 69 65 43 31 68 62 58 6f 74 59 33 4a 6c 5a 47 56 75 64 47 6c 68 62 43 49 36 49 6b 46 4c 53 55 46 57 56 31 70 49 56 56 56 45 55 6b 78 58 54 55 4a 43 52 6a 52 56 4c 7a 49 77 4d 54 6b 78 4d 54 45 30 4c 33 56 7a 4c 57 56 68 63 33 51 74 4d 53 39 7a 4d 79 39 68 64 33 4d 30 58 33 4a 6c 63 58 56 6c 63 33 51 69 66 53 78 37 49 6e 67 74 59 57 31 36 4c 57 52 68 64 47 55 69 4f 69 49 79 4d 44 45 35 4d 54 45 78 4e 46 51 77 4d 44 4d 78 4e 44 4d 77 4d 54 6c 61 49 6e 30 73 65 79 4a 34 4c 57 46 74 65 69 31 74 5a 58 52 68 4c 58 56 31 61 57 51 69 4f 69 49 78 4e 44 4d 32 4e 54 45 79 4d 7a 59 31 4d 54 49 33 4e 43 4a 39 4c 48 73 69 65 43 31 68 62 58 6f 74 63 32 56 79 64 6d 56 79 4c 58 4e 70 5a 47 55 74 5a 57 35 6a 63 6e 6c 77 64 47 6c 76 62 69 49 36 49 6b 46 46 55 7a 49 31 4e 69 4a 39 58 58 30 3d</StringToSignBytes>
  <RequestId>CC576A45B4C5DCDC</RequestId>
  <HostId>HztbAO2kJqpBU4k6yajg6oOF3O/nwzcl/D0UftbIuh8I+UDRuKTBxuMWtN29gNbbNrQC6N8m6wM=</HostId>
</Error>

My bucket policy (production-url.com is production and beta.production-url.com is staging):

{
    "Version": "2012-10-17",
    "Id": "http referer policy example",
    "Statement": [
        {
            "Sid": "Allow requests made from https://production-url.com and http://beta.production-url.com",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "https://production-url.com",
                        "http://production-url.com",
                        "https://beta.production-url.com",
                        "http://beta.production-url.com"
                    ]
                }
            }
        }
    ]
}

And the CORS configuration:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>http://beta.production-url.com</AllowedOrigin>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>DELETE</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
<CORSRule>
    <AllowedOrigin>https://production-url.com</AllowedOrigin>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>DELETE</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
</CORSRule>
</CORSConfiguration>

I've tried modifying the S3 policy and the CORS configuration with no luck. Also, the same keys and configuration are working for plain HTTP access. It is the only (relevant) difference at this point and I can't seem to find any clue! Any help will be greatly appreciated.

Thanks in advance!
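Added example, not part of the issue or the project: for a browser POST upload, S3's `StringToSign` is the base64-encoded policy document, `StringToSignBytes` is the hex dump of that same string, and the expected signature is `HMAC-SHA256(signing_key, base64_policy)` with the SigV4 signing key derived from the secret key, date, region and service in `x-amz-credential`. The code below decodes the hex dump from a `SignatureDoesNotMatch` response, recomputes the signature with the secret the server side should be using, and compares it to `SignatureProvided`; the policy, access key id and secret are constructed sample values (the AWS documentation example pair), not credentials from the issue.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secret (AWS documentation example key, not a real credential).
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
CREDENTIAL = "AKIAIOSFODNN7EXAMPLE/20191114/us-east-1/s3/aws4_request"


def decode_string_to_sign_bytes(hex_dump: str) -> str:
    """Turn the space-separated hex in <StringToSignBytes> back into text."""
    return bytes.fromhex(hex_dump.replace(" ", "")).decode("utf-8")


def policy_from_string_to_sign(string_to_sign: str) -> dict:
    """For S3 POST uploads the StringToSign is the base64 policy document."""
    return json.loads(base64.b64decode(string_to_sign))


def sigv4_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    key = ("AWS4" + secret).encode()
    for msg in (date_stamp, region, service, "aws4_request"):
        key = hmac.new(key, msg.encode(), hashlib.sha256).digest()
    return key


def sign_post_policy(secret: str, policy_b64: str, credential: str) -> str:
    """Signature the server expects for a POST policy under the given credential scope."""
    _access_key_id, date_stamp, region, service, _term = credential.split("/")
    key = sigv4_signing_key(secret, date_stamp, region, service)
    return hmac.new(key, policy_b64.encode(), hashlib.sha256).hexdigest()


def check_signature(secret: str, hex_dump: str, provided: str) -> bool:
    """Recompute the signature from an error response's StringToSignBytes and compare."""
    string_to_sign = decode_string_to_sign_bytes(hex_dump)
    policy = policy_from_string_to_sign(string_to_sign)
    credential = next(c["x-amz-credential"] for c in policy["conditions"]
                      if isinstance(c, dict) and "x-amz-credential" in c)
    expected = sign_post_policy(secret, string_to_sign, credential)
    return hmac.compare_digest(expected, provided)


def build_sample(secret: str) -> tuple:
    """Constructed client side: a policy, its hex dump as S3 would echo it, and its signature."""
    policy = {"expiration": "2019-11-14T00:31:43.019Z", "conditions": [
        {"bucket": "my-bucket"}, ["starts-with", "$key", "profile-images/"],
        {"x-amz-algorithm": "AWS4-HMAC-SHA256"}, {"x-amz-credential": CREDENTIAL},
        {"x-amz-date": "20191114T003143Z"}]}
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    hex_dump = " ".join(f"{b:02x}" for b in policy_b64.encode())
    return hex_dump, sign_post_policy(secret, policy_b64, CREDENTIAL)
```

If the recomputed value matches `SignatureProvided` only with a different secret, the HTTPS deployment is signing with another key than the one whose access key id it sends; if no secret matches, the client signed a different policy string than the one S3 echoes back.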
