LDAP TLS regression in RELEASE.2026-03-21T00-00-00Z breaks built-in Console and external Console LDAP login on Kubernetes Tenant #15

@vampywiz17

Expected Behavior

When upgrading the MinIO server image in a Kubernetes Tenant from:

pgsty/minio:RELEASE.2026-02-14T12-00-00Z

to:

pgsty/minio:RELEASE.2026-03-21T00-00-00Z

the built-in Console should remain functional and the LDAP integration should continue to initialize successfully with the existing configuration.

The Tenant was previously working correctly with the older image, including:

  • S3 API access
  • built-in Console access
  • LDAP-based authentication

Current Behavior

After upgrading to:

pgsty/minio:RELEASE.2026-03-21T00-00-00Z

the S3 API still responds, but the built-in Console becomes unavailable behind Ingress and returns 502 Bad Gateway.

Inside the MinIO server logs, LDAP initialization repeatedly fails with:

Error: Unable to load LDAP configuration (LDAP configuration will be disabled!): LDAP Server Connection Error: Could not connect to LDAP server: LDAP Result Code 200 "Network Error": tls: failed to verify certificate: x509: certificate signed by unknown authority
INFO: Waiting for LDAP to be initialized..

This happens even though the same LDAP configuration worked correctly with the previous image.

Rolling back to:

pgsty/minio:RELEASE.2026-02-14T12-00-00Z

immediately restores normal behavior, including the Console and LDAP.

Additionally:

  • if I deploy an external Console separately, that Console itself starts successfully
  • however, LDAP authentication through that external Console does not work correctly against the newer MinIO image
  • this makes it look like the newer image may be ignoring or no longer honoring MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on

So from my perspective, the regression is not limited to the built-in Console UI path. It also appears to affect LDAP authentication behavior when using an externally deployed Console.

Possible Solution

This looks like a regression in LDAP TLS handling or certificate verification in the newer image.

Possibly one of the following changed:

  • LDAP TLS verification behavior
  • handling of MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on
  • trust store / CA loading behavior in the integrated Console / MinIO server path
  • startup dependency between Console readiness and LDAP initialization

At least from observed behavior, it seems possible that the newer image is ignoring MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on, or handling it differently than previous versions.

It would be helpful to clarify whether the March 2026 image introduced stricter LDAP TLS validation or changed how CA trust / skip-verify behavior is handled.

Steps to Reproduce (for bugs)

  1. Deploy a MinIO Kubernetes Tenant using image:
    pgsty/minio:RELEASE.2026-02-14T12-00-00Z
  2. Configure LDAP via environment variables, including:
    • MINIO_IDENTITY_LDAP_ENABLE=on
    • MINIO_IDENTITY_LDAP_SERVER_ADDR=<ldap-server>:636
    • MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on
    • other LDAP bind/search settings
  3. Verify that:
    • S3 API works
    • built-in Console works
    • LDAP authentication initializes correctly
  4. Upgrade only the image to:
    pgsty/minio:RELEASE.2026-03-21T00-00-00Z
  5. Observe:
    • built-in Console becomes unavailable via Ingress (502 Bad Gateway)
    • MinIO logs repeatedly show LDAP initialization failures with x509: certificate signed by unknown authority
  6. Optionally deploy an external Console and connect it to the MinIO server
  7. Observe that:
    • the external Console starts
    • but LDAP authentication still does not work correctly
  8. Roll back to:
    pgsty/minio:RELEASE.2026-02-14T12-00-00Z
  9. Observe that the issue disappears and the previous behavior is restored.

Context

I migrated from a separate standalone Console deployment to the built-in Console bundled with the newer pgsty/minio image.

My LDAP setup had already been working correctly with the earlier image version in the same Kubernetes Tenant.

This issue blocks upgrading to newer images because the built-in Console becomes unusable and LDAP initialization appears stuck in a retry loop.

An additional important detail is that even when I work around the built-in Console problem by deploying Console separately, LDAP login still does not behave correctly against the newer image. That makes this look more like an LDAP TLS / IAM regression than a pure UI problem.

Regression

Yes.

Working version:
pgsty/minio:RELEASE.2026-02-14T12-00-00Z

Broken version:
pgsty/minio:RELEASE.2026-03-21T00-00-00Z

Your Environment

  • Version used (minio --version):
    • Working: RELEASE.2026-02-14T12-00-00Z
    • Failing target: RELEASE.2026-03-21T00-00-00Z
  • Server setup and configuration:
    • Kubernetes MinIO Tenant
    • Single pool / single server
    • Built-in Console enabled
    • Traefik Ingress
    • LDAP over LDAPS (:636)
    • MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on
    • MINIO_BROWSER=on
    • MINIO_BROWSER_REDIRECT_URL set
    • MINIO_SERVER_URL set
  • Operating System and version (uname -a):
    • Kubernetes environment, containerized deployment
    • Node OS details can be provided if needed

Relevant log excerpt

Error: Unable to load LDAP configuration (LDAP configuration will be disabled!): LDAP Server Connection Error: Could not connect to LDAP server: LDAP Result Code 200 "Network Error": tls: failed to verify certificate: x509: certificate signed by unknown authority
INFO: Waiting for LDAP to be initialized..
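
An added Go example (not code from MinIO, pgsty/minio or the issue author) that reproduces the `x509: certificate signed by unknown authority` condition from the log above and compares three client trust configurations: verification with the CA missing, verification skipped, and verification with the CA trusted. The local endpoint, its test certificate (standing in for an LDAPS server with a private CA) and the function names are assumptions for illustration; the example performs only the TLS handshake and does not speak LDAP.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http/httptest"
)

// handshake attempts one TLS handshake and classifies the outcome.
func handshake(addr string, cfg *tls.Config) string {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		var ua x509.UnknownAuthorityError
		if errors.As(err, &ua) {
			return "unknown-authority" // same x509 condition as in the log excerpt
		}
		return "other-error: " + err.Error()
	}
	conn.Close()
	return "ok"
}

// probe starts a constructed local TLS endpoint (httptest's built-in test
// certificate stands in for an LDAPS server with a private CA) and dials it
// with three client trust configurations.
func probe() map[string]string {
	srv := httptest.NewTLSServer(nil)
	defer srv.Close()
	addr := srv.Listener.Addr().String()

	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate())

	return map[string]string{
		"ca-missing":  handshake(addr, &tls.Config{RootCAs: x509.NewCertPool()}),
		"skip-verify": handshake(addr, &tls.Config{InsecureSkipVerify: true}),
		"ca-trusted":  handshake(addr, &tls.Config{RootCAs: trusted}),
	}
}

func main() {
	for name, result := range probe() {
		fmt.Printf("%-12s %s\n", name, result)
	}
}
```

A client that still reports `unknown-authority` while skip-verify is believed to be on is behaving like the `ca-missing` case, which is the symptom described in this report; the `ca-trusted` case shows the handshake succeeding with verification left enabled.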

Labels: bug (Something isn't working)
