Changing S3 protocol settings
After creating the S3 storage, you can change the protocol settings of the S3 endpoint.
Prerequisites
- S3 clusters are created, as described in Creating the S3 cluster.
To change S3 protocol settings
Admin panel
- Open the Storage services > S3 > Settings screen, and then click Protocol.
- Select an S3 endpoint protocol: HTTP, HTTPS, or both.
It is recommended to use only HTTPS for production deployments.
If you selected the HTTPS protocol, do one of the following:
- Select Upload a certificate, specify the prepared SSL certificate, and then specify the SSL key or passphrase (for PKCS#12 files).
You need to acquire a key and a trusted wildcard SSL certificate for the endpoint's bottom-level domain. For example, the endpoint s3storage.example.com would need a wildcard certificate for *.s3storage.example.com with the subject alternative name s3storage.example.com.
If you acquired an SSL certificate from an intermediate certificate authority (CA), you should have an end-user certificate along with a CA bundle that contains the root and intermediate certificates. To be able to use these certificates, you need to merge them into a chain first. A certificate chain includes the end-user certificate, the certificates of intermediate CAs, and the certificate of a trusted root CA. In this case, an SSL certificate can only be trusted if every certificate in the chain is properly issued and valid.
For example, if you have an end-user certificate, two intermediate CA certificates, and a root CA certificate, create a new certificate file and add all certificates to it in the following order:
# End-user certificate issued by the intermediate CA 1
-----BEGIN CERTIFICATE-----
MIICiDCCAg2gAwIBAgIQNfwmXNmET8k9Jj1X<...>
-----END CERTIFICATE-----
# Intermediate CA 1 certificate issued by the intermediate CA 2
-----BEGIN CERTIFICATE-----
MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9ON9<...>
-----END CERTIFICATE-----
# Intermediate CA 2 certificate issued by the root CA
-----BEGIN CERTIFICATE-----
MIIC8jCCAdqgAwIBAgICZngwDQYJKoZIhvcN<...>
-----END CERTIFICATE-----
# Root CA certificate
-----BEGIN CERTIFICATE-----
MIIDODCCAiCgAwIBAgIGIAYFFnACMA0GCSqG<...>
-----END CERTIFICATE-----
- Select Generate a certificate to get a self-signed certificate for HTTPS evaluation purposes.
- S3 geo-replication requires a certificate from a trusted authority. It does not work with self-signed certificates.
- To access the data in the S3 cluster via a browser, add the self-signed certificate to the browser's exceptions.
- Click Save to apply your changes.
Command-line interface
Use the following command:
vinfra service s3 cluster change [--self-signed | --no-ssl | --cert-file <cert_file>] [--insecure] [--key-file <key_file>] [--password]
--self-signed
- Generate a new self-signed certificate (default)
--no-ssl
- Do not generate a self-signed certificate
--cert-file <cert_file>
- Path to a file with the new certificate
--insecure
- Allow insecure connections in addition to secure ones (only used with the --cert-file and --self-signed options)
--key-file <key_file>
- Path to a file with the private key (only used with the --cert-file option)
--password
- Read certificate password from stdin (only used with the --cert-file option)
For example, to use a self-signed certificate for the S3 storage, run:
# vinfra service s3 cluster change --self-signed