Elasticsearch mTLS connection to S3 (minio) to store snapshots

Hi All,

I want to store snapshots in s3 storage where it requires mutual auth (mTLS) ( Note : S3 is minio based)

I have client.crt, client.key, root.crt at client side.

I tried these steps,

1. openssl pkcs12 -export -inkey client.key -in  client.crt, -out $keystore_pkcs12 -password pass:$password &&  /usr/share/elasticsearch/jdk/bin/keytool -importkeystore -noprompt -srckeystore $keystore_pkcs12 -srcstoretype pkcs12 -destkeystore $keystore_jks -storepass $password -srcstorepass $password"

2. /usr/share/elasticsearch/jdk/bin/keytool -import -alias mycert -file root.crt -keystore $truststore_jks -deststorepass $password -noprompt  "

3. added access key and secret key to elastic Keystore
3. JVM settings
 -Djavax.net.ssl.trustStore=path to truststore.jks 
 -Djavax.net.ssl.keyStore=path to keystore.jks

when I tried to create a bucket

PUT _snapshot/my_s3_repository
  "type": "s3",
  "settings": {
    "bucket": "moss123",
    "endpoint": "s3.dev2.srv.prod.ksn-net.com"


  "error": {
    "root_cause": [
        "type": "repository_verification_exception",
        "reason": "[my_s3_repository] path  is not accessible on master node"
    "type": "repository_verification_exception",
    "reason": "[my_s3_repository] path  is not accessible on master node",
    "caused_by": {
      "type": "i_o_exception",
      "reason": "Unable to upload object [tests-mK_2xuEeTHeKLpxWJidD_g/master.dat] using a single upload",
      "caused_by": {
        "type": "amazon_s3_exception",
        "reason": "SSL Certificate Required (Service: Amazon S3; Status Code: 496; Error Code: 496 SSL Certificate Required; Request ID: null; S3 Extended Request ID: null)"
  "status": 500

I am not really knowing, what to do here. stuck here for days. can anyone please help me with this.

I also tried replacing Keystore creation to

cat client.crt root.crt >> import.pem && openssl pkcs12 -export -inkey $keyfile -in import.pem -out $keystore_pkcs12 -name shared -password pass:$password && /usr/share/elasticsearch/jdk/bin/keytool -importkeystore -noprompt -srckeystore $keystore_pkcs12 -srcstoretype pkcs12 -destkeystore $keystore_jks -storepass $password -srcstorepass $password -alias shared

No luck. same error.


one more doubt repository-s3 plugin will support mTLS?

any help here

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.