Report this

What is the reason for this report?

Trying to use Spaces with my zig application and its failing at TLS

Posted on July 28, 2025

There isn’t a supported zig implemntation so im going with a 3rdparty option it seems to work correct with miniio. I was just using it with http so i guess that expectation is different. It does look like digital ocean might be using a TLS exchange that isn’t supported.

[2025-07-28 14:47:36] AWS_ENDPOINT_URL: https://sfo3.digitaloceanspaces.com
[2025-07-28 14:47:36] debug(aws): call: prefix s3, sigv4 s3, version 2006-03-01, action GetObject
[2025-07-28 14:47:36] debug(aws): proto: smithy.AwsProtocol.rest_xml
[2025-07-28 14:47:36] debug(aws): Checking for headers to include for type s3.GetObjectRequest
[2025-07-28 14:47:36] debug(aws): Found 11 possible custom headers
[2025-07-28 14:47:36] debug(aws): Rest method: 'GET'
[2025-07-28 14:47:36] debug(aws): Rest success code: '200'
[2025-07-28 14:47:36] debug(aws): Rest raw uri: '/{Bucket}/{Key+}?x-id=GetObject'
[2025-07-28 14:47:36] debug(aws): Rest processed uri: '/crossword/crossword.map?x-id=GetObject'
[2025-07-28 14:47:36] debug(aws): Detected query in path. Adjusting
[2025-07-28 14:47:36] debug(aws): Rest query: '?x-id=GetObject'
[2025-07-28 14:47:36] debug(awshttp): host: sfo3.digitaloceanspaces.com, scheme: https, port: 443
[2025-07-28 14:47:36] debug(awshttp): Calling endpoint https://sfo3.digitaloceanspaces.com
[2025-07-28 14:47:36] debug(aws_credentials): Found credentials in environment. Access key: XX
[2025-07-28 14:47:36] debug(awshttp): Request Path: /crossword/crossword.map
[2025-07-28 14:47:36] debug(awshttp): Endpoint Path (actually used): /crossword/crossword.map
[2025-07-28 14:47:36] debug(awshttp): Query: ?x-id=GetObject
[2025-07-28 14:47:36] debug(awshttp): Request additional header count: 0
[2025-07-28 14:47:36] debug(awshttp): Method: GET
[2025-07-28 14:47:36] debug(awshttp): body length: 0
[2025-07-28 14:47:36] debug(awshttp): Body
[2025-07-28 14:47:36] ====
[2025-07-28 14:47:36] 
[2025-07-28 14:47:36] ====
[2025-07-28 14:47:36] debug(aws_signing): Signing with access key: XX
[2025-07-28 14:47:36] debug(aws_signing): encoding path: /crossword/crossword.map
[2025-07-28 14:47:36] debug(aws_signing): encoded path (1): /crossword/crossword.map
[2025-07-28 14:47:36] debug(aws_signing): final uri: /crossword/crossword.map
[2025-07-28 14:47:36] debug(aws_signing): canonical query: x-id=GetObject
[2025-07-28 14:47:36] debug(aws_signing): Canonical_request (just calculated):
[2025-07-28 14:47:36] GET
[2025-07-28 14:47:36] /crossword/crossword.map
[2025-07-28 14:47:36] x-id=GetObject
[2025-07-28 14:47:36] accept:application/json
[2025-07-28 14:47:36] content-type:application/json
[2025-07-28 14:47:36] host:sfo3.digitaloceanspaces.com
[2025-07-28 14:47:36] x-amz-content-sha256:XX
[2025-07-28 14:47:36] x-amz-date:XX
[2025-07-28 14:47:36] 
[2025-07-28 14:47:36] accept;content-type;host;x-amz-content-sha256;x-amz-date
[2025-07-28 14:47:36] XX
[2025-07-28 14:47:36] debug(aws_signing): Canonical request:
[2025-07-28 14:47:36] GET
[2025-07-28 14:47:36] /crossword/crossword.map
[2025-07-28 14:47:36] x-id=GetObject
[2025-07-28 14:47:36] accept:application/json
[2025-07-28 14:47:36] content-type:application/json
[2025-07-28 14:47:36] host:sfo3.digitaloceanspaces.com
[2025-07-28 14:47:36] x-amz-content-sha256:XX
[2025-07-28 14:47:36] x-amz-date:XX
[2025-07-28 14:47:36] 
[2025-07-28 14:47:36] accept;content-type;host;x-amz-content-sha256;x-amz-date
[2025-07-28 14:47:36] XX
[2025-07-28 14:47:36] debug(aws_signing): Canonical request hash: XX
[2025-07-28 14:47:36] debug(aws_signing): Scope: 20250728/sfo3/s3/aws4_request
[2025-07-28 14:47:36] debug(aws_signing): String to sign:
[2025-07-28 14:47:36] AWS4-HMAC-SHA256
[2025-07-28 14:47:36] XX
[2025-07-28 14:47:36] 20250728/sfo3/s3/aws4_request
[2025-07-28 14:47:36] XX
[2025-07-28 14:47:36] debug(aws_signing): signing key params:
[2025-07-28 14:47:36]   key: (you wish)
[2025-07-28 14:47:36]   date: 20250728
[2025-07-28 14:47:36]   region: sfo3
[2025-07-28 14:47:36]   service: s3
[2025-07-28 14:47:36] debug(awshttp): All Request Headers:
[2025-07-28 14:47:36] debug(awshttp):   Accept: application/json
[2025-07-28 14:47:36] debug(awshttp):   Host: sfo3.digitaloceanspaces.com
[2025-07-28 14:47:36] debug(awshttp):   User-Agent: zig-aws 1.0
[2025-07-28 14:47:36] debug(awshttp):   Content-Type: application/json
[2025-07-28 14:47:36] debug(awshttp):   X-Amz-Date: XX
[2025-07-28 14:47:36] debug(awshttp):   x-amz-content-sha256: XX
[2025-07-28 14:47:36] debug(awshttp):   Authorization: AWS4-HMAC-SHA256 Credential=XXX, SignedHeaders=accept;content-type;host;x-amz-content-sha256;x-amz-date, Signature=XXX
[2025-07-28 14:47:36] debug(awshttp): Request url: https://sfo3.digitaloceanspaces.com/crossword/crossword.map?x-id=GetObject
[2025-07-28 14:47:36] debug(awshttp): Deinit complete
[2025-07-28 14:47:36] error: TlsInitializationFailed
[2025-07-28 14:47:36] /usr/local/zig/lib/std/crypto/tls/Client.zig:774:45: 0x13afd70 in init__anon_40793 (app)
[2025-07-28 14:47:36] /usr/local/zig/lib/std/http/Client.zig:1378:18: 0x12d7246 in connectTcp (app)
[2025-07-28 14:47:36] /usr/local/zig/lib/std/http/Client.zig:1513:14: 0x1294e01 in connect (app)
[2025-07-28 14:47:36] /usr/local/zig/lib/std/http/Client.zig:1661:9: 0x1263902 in open (app)
[2025-07-28 14:47:36] /usr/local/zig/lib/std/http/Client.zig:1745:15: 0x126237b in fetch (app)
[2025-07-28 14:47:36] /root/.cache/zig/p/aws-0.0.1-SbsFcJDcCQBLsXKOoLLMSKGvmlFiosiGArxAbQPCQhKv/src/aws_http.zig:236:21: 0x126e931 in makeRequest (app)
[2025-07-28 14:47:36] /root/.cache/zig/p/aws-0.0.1-SbsFcJDcCQBLsXKOoLLMSKGvmlFiosiGArxAbQPCQhKv/src/aws_http.zig:168:16: 0x1273df7 in callApi (app)
[2025-07-28 14:47:36] /root/.cache/zig/p/aws-0.0.1-SbsFcJDcCQBLsXKOoLLMSKGvmlFiosiGArxAbQPCQhKv/src/aws.zig:391:30: 0x1279001 in callAws (app)
[2025-07-28 14:47:36] /root/.cache/zig/p/aws-0.0.1-SbsFcJDcCQBLsXKOoLLMSKGvmlFiosiGArxAbQPCQhKv/src/aws.zig:299:20: 0x128144f in callRest (app)
[2025-07-28 14:47:36] /root/.cache/zig/p/aws-0.0.1-SbsFcJDcCQBLsXKOoLLMSKGvmlFiosiGArxAbQPCQhKv/src/aws.zig:179:44: 0x1282373 in call (app)
[2025-07-28 14:47:36] /app/src/main.zig:298:26: 0x1289e75 in main (app)
[2025-07-28 14:47:36] 
[2025-07-28 14:47:36] ERROR failed health checks after 4 attempts with error Readiness probe failed: dial tcp 10.244.103.114:8080: connect: connection refused
[2025-07-28 14:48:04] ERROR component terminated with non-zero exit code: 1,
[]


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
0

Accepted Answer

I figured it out I didn’t install ca-certificates.

RUN apt-get install -y ca-certificates

Hey,

From the logs, everything else looks fine, signing, headers, path formatting etc. The problem is almost certainly the TLS layer in your Zig lib not supporting something DigitalOcean requires.

MinIO working over HTTP makes sense since it skips TLS entirely. When switching to DigitalOcean’s endpoint over HTTPS, you’re hitting stricter TLS requirements.

I’d suggest:

  1. Try a Zig HTTP/TLS client that uses OpenSSL or mbedTLS instead of the built-in one

  2. Use curl https://sfo3.digitaloceanspaces.com to verify it’s not a cert or endpoint issue

  3. As a quick workaround, consider proxying requests through a simple Go or Python service that handles the S3 call

If nothing works, you can also reach out to support: https://do.co/support, they can check if anything on the DigitalOcean side is blocking the handshake.

- Bobby

Heya, @polli104

You can also try s3cmd or rclone

They work perfectly with Spaces and handles TLS, headers, signing, etc. The other option will be to proxy the requests.

Regards

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.