By polli104
There isn’t a supported zig implemntation so im going with a 3rdparty option it seems to work correct with miniio. I was just using it with http so i guess that expectation is different. It does look like digital ocean might be using a TLS exchange that isn’t supported.
[2025-07-28 14:47:36] AWS_ENDPOINT_URL: https://sfo3.digitaloceanspaces.com
[2025-07-28 14:47:36] debug(aws): call: prefix s3, sigv4 s3, version 2006-03-01, action GetObject
[2025-07-28 14:47:36] debug(aws): proto: smithy.AwsProtocol.rest_xml
[2025-07-28 14:47:36] debug(aws): Checking for headers to include for type s3.GetObjectRequest
[2025-07-28 14:47:36] debug(aws): Found 11 possible custom headers
[2025-07-28 14:47:36] debug(aws): Rest method: 'GET'
[2025-07-28 14:47:36] debug(aws): Rest success code: '200'
[2025-07-28 14:47:36] debug(aws): Rest raw uri: '/{Bucket}/{Key+}?x-id=GetObject'
[2025-07-28 14:47:36] debug(aws): Rest processed uri: '/crossword/crossword.map?x-id=GetObject'
[2025-07-28 14:47:36] debug(aws): Detected query in path. Adjusting
[2025-07-28 14:47:36] debug(aws): Rest query: '?x-id=GetObject'
[2025-07-28 14:47:36] debug(awshttp): host: sfo3.digitaloceanspaces.com, scheme: https, port: 443
[2025-07-28 14:47:36] debug(awshttp): Calling endpoint https://sfo3.digitaloceanspaces.com
[2025-07-28 14:47:36] debug(aws_credentials): Found credentials in environment. Access key: XX
[2025-07-28 14:47:36] debug(awshttp): Request Path: /crossword/crossword.map
[2025-07-28 14:47:36] debug(awshttp): Endpoint Path (actually used): /crossword/crossword.map
[2025-07-28 14:47:36] debug(awshttp): Query: ?x-id=GetObject
[2025-07-28 14:47:36] debug(awshttp): Request additional header count: 0
[2025-07-28 14:47:36] debug(awshttp): Method: GET
[2025-07-28 14:47:36] debug(awshttp): body length: 0
[2025-07-28 14:47:36] debug(awshttp): Body
[2025-07-28 14:47:36] ====
[2025-07-28 14:47:36]
[2025-07-28 14:47:36] ====
[2025-07-28 14:47:36] debug(aws_signing): Signing with access key: XX
[2025-07-28 14:47:36] debug(aws_signing): encoding path: /crossword/crossword.map
[2025-07-28 14:47:36] debug(aws_signing): encoded path (1): /crossword/crossword.map
[2025-07-28 14:47:36] debug(aws_signing): final uri: /crossword/crossword.map
[2025-07-28 14:47:36] debug(aws_signing): canonical query: x-id=GetObject
[2025-07-28 14:47:36] debug(aws_signing): Canonical_request (just calculated):
[2025-07-28 14:47:36] GET
[2025-07-28 14:47:36] /crossword/crossword.map
[2025-07-28 14:47:36] x-id=GetObject
[2025-07-28 14:47:36] accept:application/json
[2025-07-28 14:47:36] content-type:application/json
[2025-07-28 14:47:36] host:sfo3.digitaloceanspaces.com
[2025-07-28 14:47:36] x-amz-content-sha256:XX
[2025-07-28 14:47:36] x-amz-date:XX
[2025-07-28 14:47:36]
[2025-07-28 14:47:36] accept;content-type;host;x-amz-content-sha256;x-amz-date
[2025-07-28 14:47:36] XX
[2025-07-28 14:47:36] debug(aws_signing): Canonical request:
[2025-07-28 14:47:36] GET
[2025-07-28 14:47:36] /crossword/crossword.map
[2025-07-28 14:47:36] x-id=GetObject
[2025-07-28 14:47:36] accept:application/json
[2025-07-28 14:47:36] content-type:application/json
[2025-07-28 14:47:36] host:sfo3.digitaloceanspaces.com
[2025-07-28 14:47:36] x-amz-content-sha256:XX
[2025-07-28 14:47:36] x-amz-date:XX
[2025-07-28 14:47:36]
[2025-07-28 14:47:36] accept;content-type;host;x-amz-content-sha256;x-amz-date
[2025-07-28 14:47:36] XX
[2025-07-28 14:47:36] debug(aws_signing): Canonical request hash: XX
[2025-07-28 14:47:36] debug(aws_signing): Scope: 20250728/sfo3/s3/aws4_request
[2025-07-28 14:47:36] debug(aws_signing): String to sign:
[2025-07-28 14:47:36] AWS4-HMAC-SHA256
[2025-07-28 14:47:36] XX
[2025-07-28 14:47:36] 20250728/sfo3/s3/aws4_request
[2025-07-28 14:47:36] XX
[2025-07-28 14:47:36] debug(aws_signing): signing key params:
[2025-07-28 14:47:36] key: (you wish)
[2025-07-28 14:47:36] date: 20250728
[2025-07-28 14:47:36] region: sfo3
[2025-07-28 14:47:36] service: s3
[2025-07-28 14:47:36] debug(awshttp): All Request Headers:
[2025-07-28 14:47:36] debug(awshttp): Accept: application/json
[2025-07-28 14:47:36] debug(awshttp): Host: sfo3.digitaloceanspaces.com
[2025-07-28 14:47:36] debug(awshttp): User-Agent: zig-aws 1.0
[2025-07-28 14:47:36] debug(awshttp): Content-Type: application/json
[2025-07-28 14:47:36] debug(awshttp): X-Amz-Date: XX
[2025-07-28 14:47:36] debug(awshttp): x-amz-content-sha256: XX
[2025-07-28 14:47:36] debug(awshttp): Authorization: AWS4-HMAC-SHA256 Credential=XXX, SignedHeaders=accept;content-type;host;x-amz-content-sha256;x-amz-date, Signature=XXX
[2025-07-28 14:47:36] debug(awshttp): Request url: https://sfo3.digitaloceanspaces.com/crossword/crossword.map?x-id=GetObject
[2025-07-28 14:47:36] debug(awshttp): Deinit complete
[2025-07-28 14:47:36] error: TlsInitializationFailed
[2025-07-28 14:47:36] /usr/local/zig/lib/std/crypto/tls/Client.zig:774:45: 0x13afd70 in init__anon_40793 (app)
[2025-07-28 14:47:36] /usr/local/zig/lib/std/http/Client.zig:1378:18: 0x12d7246 in connectTcp (app)
[2025-07-28 14:47:36] /usr/local/zig/lib/std/http/Client.zig:1513:14: 0x1294e01 in connect (app)
[2025-07-28 14:47:36] /usr/local/zig/lib/std/http/Client.zig:1661:9: 0x1263902 in open (app)
[2025-07-28 14:47:36] /usr/local/zig/lib/std/http/Client.zig:1745:15: 0x126237b in fetch (app)
[2025-07-28 14:47:36] /root/.cache/zig/p/aws-0.0.1-SbsFcJDcCQBLsXKOoLLMSKGvmlFiosiGArxAbQPCQhKv/src/aws_http.zig:236:21: 0x126e931 in makeRequest (app)
[2025-07-28 14:47:36] /root/.cache/zig/p/aws-0.0.1-SbsFcJDcCQBLsXKOoLLMSKGvmlFiosiGArxAbQPCQhKv/src/aws_http.zig:168:16: 0x1273df7 in callApi (app)
[2025-07-28 14:47:36] /root/.cache/zig/p/aws-0.0.1-SbsFcJDcCQBLsXKOoLLMSKGvmlFiosiGArxAbQPCQhKv/src/aws.zig:391:30: 0x1279001 in callAws (app)
[2025-07-28 14:47:36] /root/.cache/zig/p/aws-0.0.1-SbsFcJDcCQBLsXKOoLLMSKGvmlFiosiGArxAbQPCQhKv/src/aws.zig:299:20: 0x128144f in callRest (app)
[2025-07-28 14:47:36] /root/.cache/zig/p/aws-0.0.1-SbsFcJDcCQBLsXKOoLLMSKGvmlFiosiGArxAbQPCQhKv/src/aws.zig:179:44: 0x1282373 in call (app)
[2025-07-28 14:47:36] /app/src/main.zig:298:26: 0x1289e75 in main (app)
[2025-07-28 14:47:36]
[2025-07-28 14:47:36] ERROR failed health checks after 4 attempts with error Readiness probe failed: dial tcp 10.244.103.114:8080: connect: connection refused
[2025-07-28 14:48:04] ERROR component terminated with non-zero exit code: 1,
[]
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Accepted Answer
I figured it out I didn’t install ca-certificates.
RUN apt-get install -y ca-certificates
Hey,
From the logs, everything else looks fine, signing, headers, path formatting etc. The problem is almost certainly the TLS layer in your Zig lib not supporting something DigitalOcean requires.
MinIO working over HTTP makes sense since it skips TLS entirely. When switching to DigitalOcean’s endpoint over HTTPS, you’re hitting stricter TLS requirements.
I’d suggest:
Try a Zig HTTP/TLS client that uses OpenSSL or mbedTLS instead of the built-in one
Use curl https://sfo3.digitaloceanspaces.com
to verify it’s not a cert or endpoint issue
As a quick workaround, consider proxying requests through a simple Go or Python service that handles the S3 call
If nothing works, you can also reach out to support: https://do.co/support, they can check if anything on the DigitalOcean side is blocking the handshake.
- Bobby
Heya, @polli104
You can also try s3cmd
or rclone
They work perfectly with Spaces and handles TLS, headers, signing, etc. The other option will be to proxy the requests.
Regards
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
Full documentation for every DigitalOcean product.
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.
New accounts only. By submitting your email you agree to our Privacy Policy
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.