How to use rust-s3-sdk with https?

[guchengxi1994]

I was use minio without tls, it worked fine. But after i enable minio tls, there was an error and i dont know how to fix.
Here is my code.

use std::fs;

use aws_credential_types::{provider::SharedCredentialsProvider, Credentials};
use aws_sdk_s3 as s3;

use aws_types::{region::Region, SdkConfig};
use rustls::RootCertStore;
use s3::primitives::ByteStream;

#[tokio::main]
async fn main() -> anyhow::Result<()> {
    let contents = fs::read(r"D:\minio\public.crt")?;

    let mut root_store = RootCertStore::empty();
    root_store.add_parsable_certificates(&vec![contents]);
    let config = rustls::ClientConfig::builder()
        .with_safe_defaults()
        .with_root_certificates(root_store)
        .with_no_client_auth();
    let rustls_connector = hyper_rustls::HttpsConnectorBuilder::new()
        .with_tls_config(config)
        .https_only()
        .enable_http1()
        .enable_http2()
        .build();

    let hyper_client = aws_smithy_client::hyper_ext::Adapter::builder().build(rustls_connector);

    let shared_config = SdkConfig::builder()
        .credentials_provider(SharedCredentialsProvider::new(Credentials::new(
            "xxxxx",
            "xxxxx",
            None,
            None,
            "Static",
        )))
        .endpoint_url("https://127.0.0.1:9000")
        .http_connector(hyper_client)
        .region(Region::new("cn-shanghai"))
        .build();
    let s3_config_builder = aws_sdk_s3::config::Builder::from(&shared_config).build();

    let client = aws_sdk_s3::Client::from_conf(s3_config_builder);
    let obj_list = client.list_buckets();

    let list = obj_list.send().await?;
    let b = list.buckets().unwrap();
    println!("{:?}", b.len());
    println!("{:?}", b[0].name);

    let content = ByteStream::read_from()
        .path(r"C:\Users\xiaoshuyui\Desktop\demo.pdf")
        .buffer_size(2048)
        .build()
        .await?;

    let request = client
        .put_object()
        .bucket("xiaoshuyuilocaltest")
        .key("demo.pdf")
        .body(content);
    let customized = request.customize().await?;

    let out = customized.send().await;

    match out {
        Ok(_) => {}
        Err(e) => {
            println!("{:?}", e)
        }
    }

    anyhow::Ok(())
}

cargo.toml

[package]
name = "s3_demo"
version = "0.1.0"
edition = "2021"

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
aws-config = {version="0.56.1"} 
aws-sdk-s3 = { version = "0.30"}
aws-types = {version="0.56.1"}
aws-credential-types = "0.56.1"
aws-smithy-types = {version="0.56.1"}
aws-smithy-client = {version="0.56.1"}
anyhow = "1"
tokio = { version = "1", features = ["full"] }
hyper-rustls = {version="0.24.1",features=["http2","webpki-roots",]} 
rustls = "0.21.6"

[jdisanti]

What was the error?

The following might be the issue unless your server certificate's common name is configured to include 127.0.0.1:

.endpoint_url("https://127.0.0.1:9000")

[guchengxi1994]

the error is

here is my openssl.conf

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
 
[req_distinguished_name]
C = US
ST = VA
L = Somewhere
O = MyOrg
OU = MyOU
CN = MyServerName
 
[v3_req]
subjectAltName = @alt_names
 
[alt_names]
IP.1 = 192.168.50.28
DNS.1 = 192.168.50.28

I tried 127.0.0.1 or localhost , still cannot put object to minio. But I can visit minio on web.

I am not sure what the problem is.

[rcoh]

The issue is that your SSL certificate is unsigned—Hyper doesn't allow unsigned / self signed certs by default. https://algermissen.io/2017/09/hyper-client-and-self-signed-certs is one option. Perhaps @DavidSouther could add an example though?

[guchengxi1994]

@rcoh Thanks for help, and an example about how to use https will be helpful.

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.

[mananshukla-inventyv]

Hey I also ran into this issue is there a way we can work with unsigned certificate, or using something else instead of issue?

[mananshukla-inventyv]

Hey so converting the pem file to der actually worked for me below is the sample code
// Load and parse the self-signed PEM certificate
let cert_file = File::open("/path-to-cert/ca.crt")
.map_err(|e| e.to_string())?;
let mut reader = BufReader::new(cert_file);

        // Parse PEM certificates into DER format
        let mut der_certs = Vec::new();
        for item in read_all(&mut reader) {
            if let Ok(rustls_pemfile::Item::X509Certificate(cert)) = item {
                der_certs.push(Certificate(cert.to_vec()));
            }
        }

        // Add certificates to root store
        let mut root_store = RootCertStore::empty();
        for cert in &der_certs {
            root_store.add(cert)
                .map_err(|e| format!("Failed to add cert to store: {:?}", e))?;
        }

        // Configure rustls
        let config = ClientConfig::builder()
            .with_safe_defaults()
            .with_root_certificates(root_store)
            .with_no_client_auth();

And try to use the force_path_style option when building the s3 config and use us-central in region otherwise it will give dns resoluton failer or malformed auth header error!