S3 backup of etcd to EMC/ECS

Attempting to configure the S3 backup of etcd to use on-prem EMC-ECS (with self-signed certs). After configuration setup in Rancher v2.3.2, I receive the error:

    Unable to validate S3 backup target configration: Head https://<my-S3-servername.mydomain.com:9021/mybucket/: remote error: tls: handshake failure

Using the curl command from the host and from inside the tenant, I get valid responses.

    curl -vvI -s -H "x-emc-namespace: mynamespace" https://myecsserver.com:9021/mynamespace
    * Trying…
    * Connected to myecsserver.com ( port 9021 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/rancher/ssl
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / DHE-RSA-AES256-GCM-SHA384
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    < Date: Wed, 08 Jan 2020 20:39:32 GMT
    Date: Wed, 08 Jan 2020 20:39:32 GMT
    < Server: ViPR/1.0
    Server: ViPR/1.0
    < x-amz-request-id: 0ae0f33d:16f80dc62fc:1875:a4
    x-amz-request-id: 0ae0f33d:16f80dc62fc:1875:a4
    < x-amz-id-2: 59b7d4834839444c37c38b3565acfbb0c6ef61da9d7ef7f8ea4681c063ebdff2
    x-amz-id-2: 59b7d4834839444c37c38b3565acfbb0c6ef61da9d7ef7f8ea4681c063ebdff2
    < x-emc-retention-period: 0
    x-emc-retention-period: 0
    < Content-Length: 0
    Content-Length: 0

In order for this to work, you need to update your cluster.yaml to include the following.

NOTE: You’ll need the CA from your EMC array. You can grab this by using this doc. Link

    bucket_name: "mybucket"
    folder: "etcd-snapshots"
    access_key: "access_key"
    secret_key: "secret_key"
    endpoint: "minio.mydomain.com"
    custom_ca: |-
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----