Rclone doesn't support Garage S3

What is the problem you are having with rclone?

Unable to use rclone with Garage S3.

Run the command 'rclone version' and share the full output of the command.

$ rclone version
rclone v1.72.0

  • os/version: linuxmint 21 (64 bit)
  • os/kernel: 5.15.0-144-generic (x86_64)
  • os/type: linux
  • os/arch: amd64
  • go/version: go1.25.4
  • go/linking: static
  • go/tags: none

Which cloud storage system are you using? (eg Google Drive)

Garage S3 self-hosted

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone lsd garage:

Please run 'rclone config redacted' and share the full output. If you get command not found, please make sure to update rclone.

[garage]
type = s3
provider = Other
access_key_id = XXXXXX
secret_access_key = XXXXXX
endpoint = https://garage.mydomain.com
location_constraint = garage
acl = private
region = garage

A log from the command that you were trying to run with the -vv flag

2025/12/07 11:24:31 DEBUG : rclone: Version "v1.72.0" starting with parameters ["rclone" "-vvv" "lsd" "garage:"]
2025/12/07 11:24:31 DEBUG : Creating backend with remote "garage:"
2025/12/07 11:24:31 DEBUG : Using config file from "/home/poochie/.config/rclone/rclone.conf"
2025/12/07 11:24:31 ERROR : error listing: operation error S3: ListBuckets, https response error StatusCode: 403, RequestID: , HostID: , api error AccessDenied: Forbidden: Invalid signature
2025/12/07 11:24:31 DEBUG : 5 go routines active
2025/12/07 11:24:31 NOTICE: Failed to lsd with 2 errors: last error was: operation error S3: ListBuckets, https response error StatusCode: 403, RequestID: , HostID: , api error AccessDenied: Forbidden: Invalid signature

Also I have tried many different variations with configuring this, researched online, and had both ChatGPT and Gemini try to assist but nothing works. Also note that Cyberduck, Winscp, and multiple iPhone applications can connect PERFECTLY to my Garage S3 storage. I am using Cloudflare for my DNS/Domain/SSL certificates and everything I throw at it except for rclone has ZERO problems working with my Garage S3

I just verified that restic also works fine if that makes any difference!

Not sure if you have a proxy in front of your garage instance, but if you do, this seems relevant: #895 - Rclone says AccessDenied: Forbidden: Invalid signature - Deuxfleurs/garage - Forge Deuxfleurs

And you would probably have a better chance of this being resolved in their issue tracker, because rclone can do very little about individual s3 providers and their idiosyncrasies.

As you may have seen from the S3 provider page for rclone ( Amazon S3 ), there are a lot of options and it often comes down to just finding the right set of them by trial and error to work with your provider.

The weird thing is every other application I use works perfectly :frowning:

Can say the same for rclone too, every other provider works fine … :sweat_smile:

I am not saying it’s impossible for an rclone bug to exist, but even so, you will probably have a better chance of figuring out whether it’s a rclone bug or rclone config issue in the Garage forums or issue tracker than here.

It’s definitely an rclone thing and the way it handles non AWS S3. If Cyberduck, Restic, and Winscp handle it, rclone should be able to do the same thing.

might try --s3-v2-auth

and for a deeper look at the API calls, use --dump=headers

I tried this as well: --s3-v2-auth

I used Gemini and ChatGPT and my own research and nothing works. The developers just need to follow what all the other apps do in regards to self hosting S3

you need to double-check your config versus the example config from garage s3

I’ve never seen a garage s3 example config before. It’s definitely a problem with rclone and how it handles a secure website. I have a real SSL certificate and domain via Cloudflare. For example, when I put garage.example.com as my rclone endpoint, or https://garage.example or http://garage.example, it always fails. If I change the rclone config endpoint to http://192.168.1.45:3900 then it works. So it’s NOT my garage config, because as I keep stating, iPhone apps, restic, cyberduck, Winscp, etc all work with the external real website of https://garage.example.com as the endpoint.

Hi! New forum user here, but I have used rclone for some time, and my garage server is on SSL after a caddy docker environment. I remember exactly that message when setting it up, but not what I did to solve it.

Garage listens only on loopback interface and caddy proxies to it. Maybe my conf works for you.

rclone.conf:

[garage]
type = s3
provider = Other
env_auth = false
access_key_id = XXX
secret_access_key = XXX
region = garage
endpoint = https://s3.example.com
force_path_style = true
acl = private
bucket_acl = private

Caddyfile:

s3.example.com {
    log
    encode zstd gzip
    @healthPaths {
        path /health /v1/health
    }
    handle @healthPaths {
        reverse_proxy 127.0.0.1:3903
    }
    reverse_proxy 127.0.0.1:3900
}

Hope it helps,

1 Like

Thanks for the response but I use cloudflare and don’t use caddy.

Run this command again but add --dump bodies and post the output. That will make the problem clear.

Rclone uses the AWS S3 SDK which is quite strict.

2025/12/11 08:05:59 NOTICE: Automatically setting -vv as --dump is enabled
2025/12/11 08:05:59 DEBUG : rclone: Version "v1.72.0" starting with parameters ["rclone" "-vvv" "--dump" "bodies" "lsd" "garage:"]
2025/12/11 08:05:59 DEBUG : Creating backend with remote "garage:"
2025/12/11 08:05:59 DEBUG : Using config file from "/home/poochie/.config/rclone/rclone.conf"
2025/12/11 08:05:59 DEBUG : You have specified to dump information. Please be noted that the Accept-Encoding as shown may not be correct in the request and the response may not show Content-Encoding if the go standard libraries auto gzip encoding was in effect. In this case the body of the request will be gunzipped before showing it.
2025/12/11 08:05:59 DEBUG : You have specified to dump information. Please be noted that the Accept-Encoding as shown may not be correct in the request and the response may not show Content-Encoding if the go standard libraries auto gzip encoding was in effect. In this case the body of the request will be gunzipped before showing it.
2025/12/11 08:05:59 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2025/12/11 08:05:59 DEBUG : HTTP REQUEST (req 0xc00050c280)
2025/12/11 08:05:59 DEBUG : GET /?x-id=ListBuckets HTTP/1.1
Host: garage.mydomain.com
User-Agent: rclone/v1.72.0
Accept-Encoding: identity
Amz-Sdk-Invocation-Id: 0167957a-1d9b-49e4-ab3e-11b6e4fed33a
Amz-Sdk-Request: attempt=1; max=10
Authorization: XXXX
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20251211T130559Z

2025/12/11 08:05:59 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2025/12/11 08:05:59 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2025/12/11 08:05:59 DEBUG : HTTP RESPONSE (req 0xc00050c280)
2025/12/11 08:05:59 DEBUG : HTTP/2.0 403 Forbidden
Content-Length: 170
Access-Control-Allow-Origin: *
Alt-Svc: h3=":443"; ma=86400
Cf-Cache-Status: DYNAMIC
Cf-Ray: 9ac532597d533ae4-IAD
Content-Type: application/xml
Date: Thu, 11 Dec 2025 13:05:59 GMT
Nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=HU4s805z1bINDVVQk2E2%2BjDG7A%2Fr7T%2BooVbVx2dGU3opE52sbebDBvErVek4uBzPg1%2F3Wnci65wNFbZnoT84cOjzgSrYRpiZZZZBKlKx4ztEiZE%3D"}]}
Server: cloudflare
Server-Timing: cfCacheStatus;desc="DYNAMIC"
Server-Timing: cfEdge;dur=14,cfOrigin;dur=24

<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Forbidden: Invalid signature</Message><Resource>/</Resource><Region>garage</Region></Error>

2025/12/11 08:05:59 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2025/12/11 08:05:59 ERROR : error listing: operation error S3: ListBuckets, https response error StatusCode: 403, RequestID: , HostID: , api error AccessDenied: Forbidden: Invalid signature
2025/12/11 08:05:59 DEBUG : 5 go routines active
2025/12/11 08:05:59 NOTICE: Failed to lsd with 2 errors: last error was: operation error S3: ListBuckets, https response error StatusCode: 403, RequestID: , HostID: , api error AccessDenied: Forbidden: Invalid signature

Also I understand you are completely different than Restic but I know you work with them a lot and for Restic I simply needed to export or specify my “AWS” key ID and secret and then literally only had to run this and it works perfectly: restic -r s3:https://garage.mydomain.com/mybucket init, so restic works flawlessly with my public domain name.

Sorry about that, I misremembered “solving” it.

What did solve this problem here was exactly disabling the cloudflare proxy on my garage DNS record. Just tested enabling it now and I can reproduce the error.

How do you disable cloudflare proxy?

On cloudflare DNS dashboard (https://dash.cloudflare.com/…/dns/records) you edit the entry from “proxied” to “DNS only”. But this way you may need a caddy reverse proxy to terminate TLS before your garage server after all :slight_smile:

Here’s how I run mine:

docker run --detach --restart=always --name caddy --network host --cap-add=NET_ADMIN --mount type=bind,src=$PWD/Caddyfile,dst=/etc/caddy/Caddyfile,ro caddy

Possibly also try adding sign_accept_encoding as false in the config. This was reported for Cloudflare proxies but for Ceph, so not sure whether it applies to Garage too.

2 Likes
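
The mechanism behind the sign_accept_encoding suggestion above, as an added example that is not part of the thread or of rclone's code: a SigV4 signature covers only the headers named in SignedHeaders, so a proxy that rewrites a signed header makes the origin compute a different signature. The secret, the host name, and the assumption that the proxy replaces Accept-Encoding with "gzip, br" are constructed for illustration; the Authorization header in the dump is redacted, so which headers rclone actually signed is not visible on the page.

```python
import hashlib
import hmac

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # the X-Amz-Content-Sha256 seen in the dump

def sigv4(secret, method, path, query, headers, signed, region, service="s3"):
    """SigV4 signature computed over the header names listed in `signed`."""
    lower = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(n.lower() for n in signed)
    canonical = "\n".join([
        method, path, query,
        "".join(f"{n}:{lower[n]}\n" for n in names),
        ";".join(names),
        lower["x-amz-content-sha256"],
    ])
    amz_date = lower["x-amz-date"]
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in scope.split("/"):  # date, region, service, "aws4_request"
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

SECRET = "constructed-secret"  # constructed sample key, not a real credential
SENT = {  # headers as the client sends them (values modelled on the dump)
    "Host": "garage.example.com",
    "Accept-Encoding": "identity",
    "X-Amz-Content-Sha256": EMPTY_SHA256,
    "X-Amz-Date": "20251211T130559Z",
}

def via_proxy(headers):
    """Assumption: the proxy replaces Accept-Encoding before forwarding."""
    return {**headers, "Accept-Encoding": "gzip, br"}

def origin_accepts(signed, proxied=True):
    """True if the origin's recomputed signature matches the client's."""
    args = ("GET", "/", "x-id=ListBuckets")
    received = via_proxy(SENT) if proxied else SENT
    client = sigv4(SECRET, *args, SENT, signed, "garage")
    origin = sigv4(SECRET, *args, received, signed, "garage")
    return hmac.compare_digest(client, origin)

BASE = ["host", "x-amz-content-sha256", "x-amz-date"]

if __name__ == "__main__":
    print("accept-encoding signed, proxied:  ", origin_accepts(BASE + ["accept-encoding"]))
    print("accept-encoding unsigned, proxied:", origin_accepts(BASE))
    print("accept-encoding signed, direct:   ", origin_accepts(BASE + ["accept-encoding"], proxied=False))
```

To see which headers a failing request really signed, compare the SignedHeaders list in an unredacted --dump headers capture against the headers the origin logs as received.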