feat: add S3_REJECT_UNAUTHORIZED environment variable for self-signed certificate support

- Introduced the S3_REJECT_UNAUTHORIZED variable across multiple configuration files to allow users to disable strict SSL certificate validation for self-signed certificates. - Updated documentation to reflect the new variable and its usage in various contexts, including examples for MinIO and S3-compatible services. - Enhanced server configuration to handle the new variable appropriately, ensuring compatibility with self-hosted S3 solutions.
2025-10-23 06:11:58 +00:00 · 2025-08-18 16:03:50 -03:00
parent 22f34f6f81
commit ecaa6d0321
9 changed files with 55 additions and 10 deletions
--- a/apps/docs/content/docs/3.1-beta/quick-start.mdx
+++ b/apps/docs/content/docs/3.1-beta/quick-start.mdx
@@ -140,6 +140,7 @@ Customize Palmr's behavior with these environment variables:
 | Variable                        | Default | Description                                                                                  |
 | ------------------------------- | ------- | -------------------------------------------------------------------------------------------- |
 | `ENABLE_S3`                     | `false` | Enable S3-compatible storage backends                                                        |
+| `S3_REJECT_UNAUTHORIZED`        | `true`  | Enable strict SSL certificate validation for S3 (set to `false` for self-signed certificates) |
 | `ENCRYPTION_KEY`                | -       | **Required when encryption is enabled**: 32+ character key for file encryption               |
 | `DISABLE_FILESYSTEM_ENCRYPTION` | `true`  | Disable file encryption for better performance (set to `false` to enable encryption)         |
 | `SECURE_SITE`                   | `false` | Enable secure cookies for HTTPS/reverse proxy deployments                                    |
--- a/apps/docs/content/docs/3.1-beta/s3-providers.mdx
+++ b/apps/docs/content/docs/3.1-beta/s3-providers.mdx
@@ -21,16 +21,17 @@ Consider using S3-compatible storage when you need:

 To enable S3-compatible storage, set `ENABLE_S3=true` and configure the following environment variables:

-| Variable              | Description                   | Required | Default           |
-| --------------------- | ----------------------------- | -------- | ----------------- |
-| `S3_ENDPOINT`         | S3 provider endpoint URL      | Yes      | -                 |
-| `S3_PORT`             | Connection port               | No       | Based on protocol |
-| `S3_USE_SSL`          | Enable SSL/TLS encryption     | Yes      | `true`            |
-| `S3_ACCESS_KEY`       | Access key for authentication | Yes      | -                 |
-| `S3_SECRET_KEY`       | Secret key for authentication | Yes      | -                 |
-| `S3_REGION`           | Storage region                | Yes      | -                 |
-| `S3_BUCKET_NAME`      | Bucket/container name         | Yes      | -                 |
-| `S3_FORCE_PATH_STYLE` | Use path-style URLs           | No       | `false`           |
+| Variable                | Description                           | Required | Default           |
+| ----------------------- | ------------------------------------- | -------- | ----------------- |
+| `S3_ENDPOINT`           | S3 provider endpoint URL              | Yes      | -                 |
+| `S3_PORT`               | Connection port                       | No       | Based on protocol |
+| `S3_USE_SSL`            | Enable SSL/TLS encryption             | Yes      | `true`            |
+| `S3_ACCESS_KEY`         | Access key for authentication         | Yes      | -                 |
+| `S3_SECRET_KEY`         | Secret key for authentication         | Yes      | -                 |
+| `S3_REGION`             | Storage region                        | Yes      | -                 |
+| `S3_BUCKET_NAME`        | Bucket/container name                 | Yes      | -                 |
+| `S3_FORCE_PATH_STYLE`   | Use path-style URLs                   | No       | `false`           |
+| `S3_REJECT_UNAUTHORIZED`| Enable strict SSL certificate validation | No    | `true`            |

 ## Provider configurations

@@ -81,6 +82,21 @@ S3_FORCE_PATH_STYLE=true
 - Default MinIO port is 9000
 - SSL can be disabled for local development

+**For MinIO with self-signed SSL certificates:**
+
+```bash
+ENABLE_S3=true
+S3_ENDPOINT=your-minio-domain.com
+S3_PORT=9000
+S3_USE_SSL=true
+S3_ACCESS_KEY=your-minio-access-key
+S3_SECRET_KEY=your-minio-secret-key
+S3_REGION=us-east-1
+S3_BUCKET_NAME=your-bucket-name
+S3_FORCE_PATH_STYLE=true
+S3_REJECT_UNAUTHORIZED=false  # Allows self-signed certificates
+```
+
 ### Google Cloud Storage

 Google Cloud Storage offers competitive pricing and global infrastructure.
@@ -212,6 +228,19 @@ S3_FORCE_PATH_STYLE=false
 - Check firewall and network connectivity
 - Ensure SSL/TLS settings match provider requirements

+**SSL certificate errors (self-signed certificates):**
+
+If you encounter errors like `unable to verify the first certificate` or `UNABLE_TO_VERIFY_LEAF_SIGNATURE`, you're likely using self-signed SSL certificates. This is common with self-hosted MinIO or other S3-compatible services.
+
+**Solution:**
+Set `S3_REJECT_UNAUTHORIZED=false` in your environment variables to allow self-signed certificates:
+
+```bash
+S3_REJECT_UNAUTHORIZED=false
+```
+
+**Note:** SSL certificate validation is enabled by default (`true`) for security. Set it to `false` only when using self-hosted S3 services with self-signed certificates.
+
 **Authentication failures:**

 - Confirm access key and secret key are correct