Internal S3 object store gets error: x509: certificate signed by unknown authority

I am using an internal S3 object store and getting error similar to below when creating credentials:

$ pxctl credentials create --provider s3 --s3-access-key REDACTED --s3-secret-key REDACTED --s3-region us-east-1 --s3-endpoint objectstore.mycompany.com:443 mycred 
createCred: error validating credential during create:
 RequestError: send request failed
 caused by: Get https://objectstore.mycompany.com:443/: x509: certificate signed by unknown authority

You can do the following to add yo S3 object store certificates to Portworx.

Please note that this requires restarting all PX nodes.

  1. On your Kubernetes master, copy your certificate, like for example mys3.pem to a folder called s3-certs/

  2. Create k8s secret

kubectl -n kube-system create secret generic px-s3-certs --from-file=s3-certs/

  1. Describe secret to confirm it was created correctly

kubectl -n kube-system describe secret generic px-s3-certs

  1. Edit the Portworx daemonset and modify it to add the mount secret and environment variable to read the certificate:

volumeMounts: section in the daemonset will have:

             - mountPath: /etc/pwx/s3certs
               name: px-s3-certs

volumes: section in the daemonset will have

        - name: px-s3-certs
            secret:
              secretName: px-s3-certs
              items:
              - key: mys3.pem
                path: mys3.pem

Add new environment variable

env:
- name: "AWS_CA_BUNDLE"
  value:  "/etc/pwx/s3certs/mys3.pem"

After saving the daemonset, Portworx will restart each pod, one by one in a rolling update.