From 057eb4ef90e6599b71754bbee845134f7c48f0ef Mon Sep 17 00:00:00 2001 From: Nick Tindall Date: Mon, 5 May 2025 17:07:07 +1000 Subject: [PATCH 01/10] Update s3-repository docs after upgrade These changes are to bring the docs into alignment with the changes made as part of the S3 upgrade https://github.com/elastic/elasticsearch/pull/126843 --- deploy-manage/tools/snapshot-and-restore/s3-repository.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/deploy-manage/tools/snapshot-and-restore/s3-repository.md b/deploy-manage/tools/snapshot-and-restore/s3-repository.md index 65ad90f207..f9642fd5b1 100644 --- a/deploy-manage/tools/snapshot-and-restore/s3-repository.md +++ b/deploy-manage/tools/snapshot-and-restore/s3-repository.md 
@@ -87,11 +87,13 @@ The following list contains the available client settings. Those that must be st : An S3 session token. If set, the `access_key` and `secret_key` settings must also be specified. `endpoint` -: The S3 service endpoint to connect to. This defaults to `s3.amazonaws.com` but the [AWS documentation](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) lists alternative S3 endpoints. If you are using an [S3-compatible service](#repository-s3-compatible-services) then you should set this to the service’s endpoint. +: The S3 service endpoint to connect to. This defaults to `https://s3.amazonaws.com` but the [AWS documentation](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) lists alternative S3 endpoints. If you are using an [S3-compatible service](#repository-s3-compatible-services) then you should set this to the service’s endpoint. The endpoint should specify the protocol and host name, e.g. `https://s3.ap-southeast-4.amazonaws.com`, `http://minio.local:9000`. `protocol` : The protocol to use to connect to S3. Valid values are either `http` or `https`. Defaults to `https`. When using HTTPS, this repository type validates the repository’s certificate chain using the JVM-wide truststore. Ensure that the root certificate authority is in this truststore using the JVM’s `keytool` tool. If you have a custom certificate authority for your S3 repository and you use the {{es}} [bundled JDK](../../deploy/self-managed/installing-elasticsearch.md#jvm-version), then you will need to reinstall your CA certificate every time you upgrade {{es}}. +Deprecated: This setting is ignored since version 8.19, specify the protocol in the `endpoint` setting instead. + `proxy.host` : The host name of a proxy to connect to S3 through. 
@@ -119,6 +121,8 @@ The following list contains the available client settings. Those that must be st `use_throttle_retries` : Whether retries should be throttled (i.e. should back off). Must be `true` or `false`. Defaults to `true`. +Deprecated: This setting is ignored since version 8.19, retries are always throttled. + `path_style_access` : Whether to force the use of the path style access pattern. If `true`, the path style access pattern will be used. If `false`, the access pattern will be automatically determined by the AWS Java SDK (See [AWS documentation](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/AmazonS3Builder.html#setPathStyleAccessEnabled-java.lang.Boolean-) for details). Defaults to `false`. 
@@ -133,7 +137,7 @@ In versions `7.0`, `7.1`, `7.2` and `7.3` all bucket operations used the [now-de : Whether chunked encoding should be disabled or not. If `false`, chunked encoding is enabled and will be used where appropriate. If `true`, chunked encoding is disabled and will not be used, which may mean that snapshot operations consume more resources and take longer to complete. It should only be set to `true` if you are using a storage service that does not support chunked encoding. See the [AWS Java SDK documentation](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/AmazonS3Builder.html#disableChunkedEncoding--) for details. Defaults to `false`. `region` -: Allows specifying the signing region to use. Specificing this setting manually should not be necessary for most use cases. Generally, the SDK will correctly guess the signing region to use. It should be considered an expert level setting to support S3-compatible APIs that require [v4 signatures](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) and use a region other than the default `us-east-1`. Defaults to empty string which means that the SDK will try to automatically determine the correct signing region. +: Specifies the signing region to use. If not specified, the SDK will attempt to guess the signing region to use, but it is recommended to configure this explicitly. Defaults to empty string which means that the SDK will try to automatically determine the correct signing region. `signer_override` : Allows specifying the name of the signature algorithm to use for signing requests by the S3 client. Specifying this setting should not be necessary for most use cases. It should be considered an expert level setting to support S3-compatible APIs that do not support the signing algorithm that the SDK automatically determines for them. 
See the [AWS Java SDK documentation](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/ClientConfiguration.html#setSignerOverride-java.lang.String-) for details. Defaults to empty string which means that no signing algorithm override will be used. From e555217e0e9bb996e5564438a8203dd6a2323205 Mon Sep 17 00:00:00 2001 From: Nick Tindall Date: Thu, 22 May 2025 16:01:05 +1000 Subject: [PATCH 02/10] Update s3-repository.md Remove deprecated protocol setting, move certificate validation note to endpoint setting --- deploy-manage/tools/snapshot-and-restore/s3-repository.md | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/deploy-manage/tools/snapshot-and-restore/s3-repository.md b/deploy-manage/tools/snapshot-and-restore/s3-repository.md index f9642fd5b1..5609172dd5 100644 --- a/deploy-manage/tools/snapshot-and-restore/s3-repository.md +++ b/deploy-manage/tools/snapshot-and-restore/s3-repository.md 
@@ -87,12 +87,7 @@ The following list contains the available client settings. Those that must be st : An S3 session token. If set, the `access_key` and `secret_key` settings must also be specified. `endpoint` -: The S3 service endpoint to connect to. This defaults to `https://s3.amazonaws.com` but the [AWS documentation](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) lists alternative S3 endpoints. If you are using an [S3-compatible service](#repository-s3-compatible-services) then you should set this to the service’s endpoint. The endpoint should specify the protocol and host name, e.g. `https://s3.ap-southeast-4.amazonaws.com`, `http://minio.local:9000`. - -`protocol` -: The protocol to use to connect to S3. Valid values are either `http` or `https`. Defaults to `https`. When using HTTPS, this repository type validates the repository’s certificate chain using the JVM-wide truststore. Ensure that the root certificate authority is in this truststore using the JVM’s `keytool` tool. If you have a custom certificate authority for your S3 repository and you use the {{es}} [bundled JDK](../../deploy/self-managed/installing-elasticsearch.md#jvm-version), then you will need to reinstall your CA certificate every time you upgrade {{es}}. - -Deprecated: This setting is ignored since version 8.19, specify the protocol in the `endpoint` setting instead. +: The S3 service endpoint to connect to. This defaults to `https://s3.amazonaws.com` but the [AWS documentation](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) lists alternative S3 endpoints. If you are using an [S3-compatible service](#repository-s3-compatible-services) then you should set this to the service’s endpoint. The endpoint should specify the protocol and host name, e.g. `https://s3.ap-southeast-4.amazonaws.com`, `http://minio.local:9000`. When using HTTPS, this repository type validates the repository’s certificate chain using the JVM-wide truststore. 
Ensure that the root certificate authority is in this truststore using the JVM’s `keytool` tool. If you have a custom certificate authority for your S3 repository and you use the {{es}} [bundled JDK](../../deploy/self-managed/installing-elasticsearch.md#jvm-version), then you will need to reinstall your CA certificate every time you upgrade {{es}}. `proxy.host` : The host name of a proxy to connect to S3 through. From 3481a195d910477882b4c01f7144f5252b4ea721 Mon Sep 17 00:00:00 2001 From: Nick Tindall Date: Thu, 22 May 2025 16:02:40 +1000 Subject: [PATCH 03/10] Update s3-repository.md Remove deprecated use_throttle_retries setting --- deploy-manage/tools/snapshot-and-restore/s3-repository.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/deploy-manage/tools/snapshot-and-restore/s3-repository.md b/deploy-manage/tools/snapshot-and-restore/s3-repository.md index 5609172dd5..f305948491 100644 --- a/deploy-manage/tools/snapshot-and-restore/s3-repository.md +++ b/deploy-manage/tools/snapshot-and-restore/s3-repository.md @@ -113,11 +113,6 @@ The following list contains the available client settings. Those that must be st `max_retries` : The number of retries to use when an S3 request fails. The default value is `3`. -`use_throttle_retries` -: Whether retries should be throttled (i.e. should back off). Must be `true` or `false`. Defaults to `true`. - -Deprecated: This setting is ignored since version 8.19, retries are always throttled. - `path_style_access` : Whether to force the use of the path style access pattern. If `true`, the path style access pattern will be used. If `false`, the access pattern will be automatically determined by the AWS Java SDK (See [AWS documentation](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/AmazonS3Builder.html#setPathStyleAccessEnabled-java.lang.Boolean-) for details). Defaults to `false`. From e58411f32fd7bf4862446da51fa7777d36d0237d Mon Sep 17 00:00:00 2001 
From: Nick Tindall Date: Thu, 22 May 2025 16:11:13 +1000 Subject: [PATCH 04/10] Update s3-repository.md --- deploy-manage/tools/snapshot-and-restore/s3-repository.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/deploy-manage/tools/snapshot-and-restore/s3-repository.md b/deploy-manage/tools/snapshot-and-restore/s3-repository.md index f305948491..769ad1ba98 100644 --- a/deploy-manage/tools/snapshot-and-restore/s3-repository.md +++ b/deploy-manage/tools/snapshot-and-restore/s3-repository.md @@ -129,10 +129,6 @@ In versions `7.0`, `7.1`, `7.2` and `7.3` all bucket operations used the [now-de `region` : Specifies the signing region to use. If not specified, the SDK will attempt to guess the signing region to use, but it is recommended to configure this explicitly. Defaults to empty string which means that the SDK will try to automatically determine the correct signing region. -`signer_override` -: Allows specifying the name of the signature algorithm to use for signing requests by the S3 client. Specifying this setting should not be necessary for most use cases. It should be considered an expert level setting to support S3-compatible APIs that do not support the signing algorithm that the SDK automatically determines for them. See the [AWS Java SDK documentation](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/ClientConfiguration.html#setSignerOverride-java.lang.String-) for details. Defaults to empty string which means that no signing algorithm override will be used. - - ## Repository settings [repository-s3-repository] The `s3` repository type supports a number of settings to customize how data is stored in S3. These can be specified when creating the repository. For example: From 4a159fcf2341985f85f9a0ea578718f18b88cfa3 Mon Sep 17 00:00:00 2001 
From: Nick Tindall Date: Thu, 22 May 2025 16:23:52 +1000 Subject: [PATCH 05/10] Region description --- deploy-manage/tools/snapshot-and-restore/s3-repository.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/deploy-manage/tools/snapshot-and-restore/s3-repository.md b/deploy-manage/tools/snapshot-and-restore/s3-repository.md index 769ad1ba98..d1a79991a3 100644 --- a/deploy-manage/tools/snapshot-and-restore/s3-repository.md +++ b/deploy-manage/tools/snapshot-and-restore/s3-repository.md @@ -77,6 +77,9 @@ Define the relevant secure settings in each node’s keystore before starting th The following list contains the available client settings. Those that must be stored in the keystore are marked as "secure" and are **reloadable**; the other settings belong in the [`elasticsearch.yml`](/deploy-manage/stack-settings.md) file. +`region` +: Specifies the region to use. When configured this value will determine the signing region and regional endpoint to use, unless the endpoint is overridden via the `endpoint` setting. If not specified, we will attempt to determine the region automatically using the SDK. + `access_key` ([Secure](/deploy-manage/security/secure-settings.md), [reloadable](../../security/secure-settings.md#reloadable-secure-settings)) : An S3 access key. If set, the `secret_key` setting must also be specified. If unset, the client will use the instance or container role instead. 
@@ -126,8 +129,6 @@ In versions `7.0`, `7.1`, `7.2` and `7.3` all bucket operations used the [now-de `disable_chunked_encoding` : Whether chunked encoding should be disabled or not. If `false`, chunked encoding is enabled and will be used where appropriate. If `true`, chunked encoding is disabled and will not be used, which may mean that snapshot operations consume more resources and take longer to complete. It should only be set to `true` if you are using a storage service that does not support chunked encoding. See the [AWS Java SDK documentation](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/AmazonS3Builder.html#disableChunkedEncoding--) for details. Defaults to `false`. -`region` -: Specifies the signing region to use. If not specified, the SDK will attempt to guess the signing region to use, but it is recommended to configure this explicitly. Defaults to empty string which means that the SDK will try to automatically determine the correct signing region. ## Repository settings [repository-s3-repository] From 21db89b57e7a4220b0690352d710d7d3dcd42016 Mon Sep 17 00:00:00 2001 From: Nick Tindall Date: Thu, 22 May 2025 16:29:52 +1000 Subject: [PATCH 06/10] Default for endpoint setting --- deploy-manage/tools/snapshot-and-restore/s3-repository.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/tools/snapshot-and-restore/s3-repository.md b/deploy-manage/tools/snapshot-and-restore/s3-repository.md index d1a79991a3..753d7070a1 100644 --- a/deploy-manage/tools/snapshot-and-restore/s3-repository.md +++ b/deploy-manage/tools/snapshot-and-restore/s3-repository.md 
@@ -90,7 +90,7 @@ The following list contains the available client settings. Those that must be st : An S3 session token. If set, the `access_key` and `secret_key` settings must also be specified. `endpoint` -: The S3 service endpoint to connect to. This defaults to `https://s3.amazonaws.com` but the [AWS documentation](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) lists alternative S3 endpoints. If you are using an [S3-compatible service](#repository-s3-compatible-services) then you should set this to the service’s endpoint. The endpoint should specify the protocol and host name, e.g. `https://s3.ap-southeast-4.amazonaws.com`, `http://minio.local:9000`. When using HTTPS, this repository type validates the repository’s certificate chain using the JVM-wide truststore. Ensure that the root certificate authority is in this truststore using the JVM’s `keytool` tool. If you have a custom certificate authority for your S3 repository and you use the {{es}} [bundled JDK](../../deploy/self-managed/installing-elasticsearch.md#jvm-version), then you will need to reinstall your CA certificate every time you upgrade {{es}}. +: The S3 service endpoint to connect to. This defaults to the regional endpoint corresponding to the configured `region`, but the [AWS documentation](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) lists alternative S3 endpoints. If you are using an [S3-compatible service](#repository-s3-compatible-services) then you should set this to the service’s endpoint. The endpoint should specify the protocol and host name, e.g. `https://s3.ap-southeast-4.amazonaws.com`, `http://minio.local:9000`. When using HTTPS, this repository type validates the repository’s certificate chain using the JVM-wide truststore. Ensure that the root certificate authority is in this truststore using the JVM’s `keytool` tool. 
If you have a custom certificate authority for your S3 repository and you use the {{es}} [bundled JDK](../../deploy/self-managed/installing-elasticsearch.md#jvm-version), then you will need to reinstall your CA certificate every time you upgrade {{es}}. `proxy.host` : The host name of a proxy to connect to S3 through. From 1c3b4ea5eb63465d49c2c2f350ec489ac26c3fe2 Mon Sep 17 00:00:00 2001 From: Nick Tindall Date: Thu, 22 May 2025 19:27:41 +1000 Subject: [PATCH 07/10] Update deploy-manage/tools/snapshot-and-restore/s3-repository.md Co-authored-by: David Turner --- deploy-manage/tools/snapshot-and-restore/s3-repository.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/tools/snapshot-and-restore/s3-repository.md b/deploy-manage/tools/snapshot-and-restore/s3-repository.md index 753d7070a1..83aa5786fd 100644 --- a/deploy-manage/tools/snapshot-and-restore/s3-repository.md +++ b/deploy-manage/tools/snapshot-and-restore/s3-repository.md 
@@ -78,7 +78,7 @@ Define the relevant secure settings in each node’s keystore before starting th The following list contains the available client settings. Those that must be stored in the keystore are marked as "secure" and are **reloadable**; the other settings belong in the [`elasticsearch.yml`](/deploy-manage/stack-settings.md) file. `region` -: Specifies the region to use. When configured this value will determine the signing region and regional endpoint to use, unless the endpoint is overridden via the `endpoint` setting. If not specified, we will attempt to determine the region automatically using the SDK. +: Specifies the region to use. When set, determines the signing region and regional endpoint to use, unless the endpoint is overridden via the `endpoint` setting. If not set, {{es}} will attempt to determine the region automatically using the AWS SDK. `access_key` ([Secure](/deploy-manage/security/secure-settings.md), [reloadable](../../security/secure-settings.md#reloadable-secure-settings)) : An S3 access key. If set, the `secret_key` setting must also be specified. If unset, the client will use the instance or container role instead. From b95c62c9921396170e5d8fc4548ded151591ee90 Mon Sep 17 00:00:00 2001 From: Nick Tindall Date: Thu, 22 May 2025 19:34:38 +1000 Subject: [PATCH 08/10] Reinstate protocol description --- deploy-manage/tools/snapshot-and-restore/s3-repository.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deploy-manage/tools/snapshot-and-restore/s3-repository.md b/deploy-manage/tools/snapshot-and-restore/s3-repository.md index 83aa5786fd..bd348a61ba 100644 --- a/deploy-manage/tools/snapshot-and-restore/s3-repository.md +++ b/deploy-manage/tools/snapshot-and-restore/s3-repository.md 
@@ -92,6 +92,9 @@ The following list contains the available client settings. Those that must be st `endpoint` : The S3 service endpoint to connect to. This defaults to the regional endpoint corresponding to the configured `region`, but the [AWS documentation](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) lists alternative S3 endpoints. If you are using an [S3-compatible service](#repository-s3-compatible-services) then you should set this to the service’s endpoint. The endpoint should specify the protocol and host name, e.g. `https://s3.ap-southeast-4.amazonaws.com`, `http://minio.local:9000`. When using HTTPS, this repository type validates the repository’s certificate chain using the JVM-wide truststore. Ensure that the root certificate authority is in this truststore using the JVM’s `keytool` tool. If you have a custom certificate authority for your S3 repository and you use the {{es}} [bundled JDK](../../deploy/self-managed/installing-elasticsearch.md#jvm-version), then you will need to reinstall your CA certificate every time you upgrade {{es}}. +`protocol` +: The protocol to use to connect to S3. Valid values are either `http` or `https`. Defaults to `https`. Note that this setting is deprecated since 8.19 and is only used if `endpoint` is set to a URL that does not include a scheme. Users should migrate to including the scheme in the `endpoint` setting. + `proxy.host` : The host name of a proxy to connect to S3 through. From 20a1688fce7e8e88fdd1133472aefde52ed88cbf Mon Sep 17 00:00:00 2001 From: Nick Tindall Date: Thu, 22 May 2025 19:35:04 +1000 Subject: [PATCH 09/10] Whitespace --- deploy-manage/tools/snapshot-and-restore/s3-repository.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/tools/snapshot-and-restore/s3-repository.md b/deploy-manage/tools/snapshot-and-restore/s3-repository.md index bd348a61ba..50e564be83 100644 --- a/deploy-manage/tools/snapshot-and-restore/s3-repository.md 
+++ b/deploy-manage/tools/snapshot-and-restore/s3-repository.md @@ -93,7 +93,7 @@ The following list contains the available client settings. Those that must be st : The S3 service endpoint to connect to. This defaults to the regional endpoint corresponding to the configured `region`, but the [AWS documentation](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) lists alternative S3 endpoints. If you are using an [S3-compatible service](#repository-s3-compatible-services) then you should set this to the service’s endpoint. The endpoint should specify the protocol and host name, e.g. `https://s3.ap-southeast-4.amazonaws.com`, `http://minio.local:9000`. When using HTTPS, this repository type validates the repository’s certificate chain using the JVM-wide truststore. Ensure that the root certificate authority is in this truststore using the JVM’s `keytool` tool. If you have a custom certificate authority for your S3 repository and you use the {{es}} [bundled JDK](../../deploy/self-managed/installing-elasticsearch.md#jvm-version), then you will need to reinstall your CA certificate every time you upgrade {{es}}. `protocol` -: The protocol to use to connect to S3. Valid values are either `http` or `https`. Defaults to `https`. Note that this setting is deprecated since 8.19 and is only used if `endpoint` is set to a URL that does not include a scheme. Users should migrate to including the scheme in the `endpoint` setting. +: The protocol to use to connect to S3. Valid values are either `http` or `https`. Defaults to `https`. Note that this setting is deprecated since 8.19 and is only used if `endpoint` is set to a URL that does not include a scheme. Users should migrate to including the scheme in the `endpoint` setting. `proxy.host` : The host name of a proxy to connect to S3 through. From f3016cb4b69268f6535d4946db24de0ae1b9b2e9 Mon Sep 17 00:00:00 2001 
From: Nick Tindall Date: Thu, 22 May 2025 21:08:56 +1000 Subject: [PATCH 10/10] Update deploy-manage/tools/snapshot-and-restore/s3-repository.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Edu González de la Herrán <25320357+eedugon@users.noreply.github.com> --- deploy-manage/tools/snapshot-and-restore/s3-repository.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/deploy-manage/tools/snapshot-and-restore/s3-repository.md b/deploy-manage/tools/snapshot-and-restore/s3-repository.md index 50e564be83..410605d40a 100644 --- a/deploy-manage/tools/snapshot-and-restore/s3-repository.md +++ b/deploy-manage/tools/snapshot-and-restore/s3-repository.md 
@@ -90,7 +90,9 @@ The following list contains the available client settings. Those that must be st : An S3 session token. If set, the `access_key` and `secret_key` settings must also be specified. `endpoint` -: The S3 service endpoint to connect to. This defaults to the regional endpoint corresponding to the configured `region`, but the [AWS documentation](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) lists alternative S3 endpoints. If you are using an [S3-compatible service](#repository-s3-compatible-services) then you should set this to the service’s endpoint. The endpoint should specify the protocol and host name, e.g. `https://s3.ap-southeast-4.amazonaws.com`, `http://minio.local:9000`. When using HTTPS, this repository type validates the repository’s certificate chain using the JVM-wide truststore. Ensure that the root certificate authority is in this truststore using the JVM’s `keytool` tool. If you have a custom certificate authority for your S3 repository and you use the {{es}} [bundled JDK](../../deploy/self-managed/installing-elasticsearch.md#jvm-version), then you will need to reinstall your CA certificate every time you upgrade {{es}}. +: The S3 service endpoint to connect to. This defaults to the regional endpoint corresponding to the configured `region`, but the [AWS documentation](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) lists alternative S3 endpoints. If you are using an [S3-compatible service](#repository-s3-compatible-services) then you should set this to the service’s endpoint. The endpoint should specify the protocol and host name, e.g. `https://s3.ap-southeast-4.amazonaws.com`, `http://minio.local:9000`. + + When using HTTPS, this repository type validates the repository’s certificate chain using the JVM-wide truststore. Ensure that the root certificate authority is in this truststore using the JVM’s `keytool` tool. 
If you have a custom certificate authority for your S3 repository and you use the {{es}} [bundled JDK](../../deploy/self-managed/installing-elasticsearch.md#jvm-version), then you will need to reinstall your CA certificate every time you upgrade {{es}}. `protocol` : The protocol to use to connect to S3. Valid values are either `http` or `https`. Defaults to `https`. Note that this setting is deprecated since 8.19 and is only used if `endpoint` is set to a URL that does not include a scheme. Users should migrate to including the scheme in the `endpoint` setting.
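
Review bot: in the `endpoint` entry (added in PATCH 01/10, final wording in PATCH 10/10), the example `http://minio.local:9000` sits beside the HTTPS example with no statement of what changes when the scheme is `http`. The paragraph that follows only covers HTTPS certificate validation against the JVM-wide truststore, so a reader is not told that with an `http://` endpoint none of that validation applies and snapshot traffic crosses the network unencrypted. Suggest one sentence after the examples that says so and recommends an `https://` endpoint wherever the storage service offers one.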
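
Review bot: the `protocol` entry changes meaning across the series. PATCH 01/10 adds "This setting is ignored since version 8.19", while PATCH 08/10 reinstates it as "only used if `endpoint` is set to a URL that does not include a scheme"; only one of these can describe 8.19. The final text also never states outright that a scheme in `endpoint` takes precedence, so as written a node configured with `protocol: https` and an `http://` endpoint would follow the endpoint's scheme without the entry making that obvious. Suggest stating the precedence explicitly in the `protocol` entry.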
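
Review bot: PATCH 03/10 deletes the `use_throttle_retries` entry outright, two patches after PATCH 01/10 documented it as "ignored since version 8.19, retries are always throttled". Anyone who still has the setting in `elasticsearch.yml` now finds no mention of it on the page. Suggest keeping a short deprecated entry, as PATCH 08/10 does for `protocol`, so the behaviour change stays discoverable.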
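
Review bot: PATCH 04/10 removes the `signer_override` entry under the subject "Update s3-repository.md" with no body, so neither the docs nor the history say whether the setting is now ignored, rejected, or still honoured. The removed text described it as the way to support S3-compatible APIs that do not support the signing algorithm the SDK picks for them; suggest a one-line note telling those users what to do instead, and a commit message that names the removed setting.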
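
Review bot: in the `region` entry (PATCH 05/10, reworded in PATCH 07/10), "determines the signing region and regional endpoint to use, unless the endpoint is overridden via the `endpoint` setting" can be read two ways: either `endpoint` replaces only the regional endpoint, or it also stops `region` from setting the signing region. PATCH 01/10 already dropped the earlier mention of the `us-east-1` default, so the page no longer says which signing region results when `endpoint` is set and `region` is not. Suggest splitting the sentence so the signing region and the endpoint are described separately.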