Clock Skew Signature Failures

critical

securityUpdated Jan 28, 2026

S3 request signature verification fails when MinIO server clocks drift beyond AWS SigV4 tolerance (~15 minutes), causing intermittent 403 SignatureDoesNotMatch errors that appear as authentication failures.

Sources

How to Debug MinIO Access Issues - OneUptimeoneuptime.com

MinIO Cluster Benchmark Methods and Toolswww.intel.com

Technologies:

MinIOSymptoms of this issue are visible in MinIO metrics and logs

minio.api.errors.signature_mismatch.total

minio.system.clock_offset_seconds

How to detect:

Detect SignatureDoesNotMatch errors in MinIO logs or audit logs. Correlate with NTP sync failures or clock drift >5 minutes between MinIO nodes and clients. Check for time-based patterns (errors increasing with clock drift).

Recommended action:

Verify NTP service is running and syncing on all MinIO servers ('systemctl status chronyd'). Manually sync time with 'ntpdate pool.ntp.org' or 'systemctl restart chronyd'. Implement monitoring for clock skew >30 seconds. Use 'curl -s http://minio:9000 -I | grep Date' to compare server time with local time.