SSL encryption with MinIO does not work, it's only possible unencrypted

Question


I run a sandboxed environment with 3 virtual servers on a 10.1.0.0/24 network.

Server_0: Windows 2019 as a Jumphost with a public and a 10.1.0.x IP
Server_1: Ubuntu 22.04 running Apache SOLR
Server_2: Ubuntu 22.04 Running Tomcat9 and MinIO

When accessing

https://Server_1:8983/solr      SOLR Admin Page is shown on Server_0
https://Server_2:8443/          Tomcat9 page is shown on Server_0
https://Server_2:9000 or 9001   MinIO-Console page is not shown on Server_0 (SSL_ERROR_RX_RECORD_TOO_LONG)
http://Server_2:9000 or 9001    MinIO-Console page is shown on Server_0

The installation is default and done exactly as described here: [https://min.io/docs/minio/linux/index.html?ref=con]

systemctl status minio
minio.service - MinIO
Loaded: loaded (/etc/systemd/system/minio.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-02-23 11:21:32 UTC; 5s ago
Docs: https://docs.min.io
Process: 66959 ExecStartPre=/bin/bash -c if [ -z "${MINIO_VOLUMES}" ]; then echo "Variable MINIO_VOLUMES not set in /etc/defau>
Main PID: 66960 (minio)
Tasks: 7 (limit: 9492)
Memory: 83.6M
CPU: 339ms
CGroup: /system.slice/minio.service
└─66960 /usr/local/bin/minio server --certs-dir /var/minio/.minio/certs --address :9000 --console-address :9001

minio[66960]: Copyright: 2015-2023 MinIO, Inc.
minio[66960]: License: GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
minio[66960]: Version: RELEASE.2023-01-31T02-24-19Z (go1.19.4 linux/amd64)
minio[66960]: Status:         1 Online, 0 Offline.
minio[66960]: API: http://10.1.0.19:9000  http://127.0.0.1:9000
minio[66960]: Console: http://10.1.0.19:9001 http://127.0.0.1:9001
minio[66960]: Documentation: https://min.io/docs/minio/linux/index.html
minio[66960]: Warning: The standard parity is set to 0. This can lead to data loss.
  • Installed RootCA and IntermediateCert with dpkg and updated with update-ca-certificates
  • Created public.crt and public.key with openssl, compared checksums and verified all certs and put them into the right cert-dir (yes, I also stripped the headers so that it starts with -----BEGIN....)
  • Port 9000/9001 is open, thus it works on the same port unencrypted.
  • the /etc/default/minio file is correct (can be seen in the status)
  • the /etc/systemd/minio.service is default

...and yes, the browser on Server_0 is configured with all the needed certificates too.

Also checked here (e.g. https://stackoverflow.com/questions/66161424/minio-does-not-seem-to-recognize-tls-https-certificates,...)

I'm clueless what else to check, seems I forgot something stupid XD
I hope someone can help.
Thanks in advance

Answer 1

Score: 5


There's no such thing as public.key; this is the typo. You need to make sure the filenames are

  • public.crt (your public key for the ECDSA private key)
  • private.key (your private key - ECDSA key preferably)

This is the mistake you made:

tree /var/minio/.minio/certs/
/var/minio/.minio/certs/
├── CAs
├── private.key
└── public.crt

1 directory, 2 files

And you shouldn't be touching your certs

> (yes, I stripped also the headers that it starts with -----BEGIN....)

By modifying them.

Answer 2

Score: 0


Hell yes, you are right. 'Lazy Me' only changed the file extension when exporting the keys, but not the name.

openssl pkcs12 -in public.p12 -clcerts -nokeys -out public.crt
openssl pkcs12 -in public.p12 -clcerts -nocerts -nodes -out public.key
openssl rsa -in public.key -out public.key

I removed the optional Bag and Key Attributes from the file, which are generated when converting with openssl. This means that the certs contain only this:

-----BEGIN PRIVATE KEY-----
    ...a-bunch-of-letters-and-numbers...
-----END PRIVATE KEY-----

Works now after renaming to private.key

Thanks a lot and sorry for my laziness
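Both answers come down to the same two checks: the certs dir must contain exactly `public.crt` and `private.key`, and both files must start at the `-----BEGIN` line with no `Bag Attributes` left over from the `openssl pkcs12` export. The script below is an added example written for this page (it is not code from the original post or from the MinIO project) that runs those checks against a `--certs-dir`, plus a private-key permission check and an optional key/cert pairing check with `openssl`. The function names and the constructed demo files are assumptions made for the example; `/var/minio/.minio/certs` is the path from the question.

```shell
#!/bin/sh
# Added example, not code from the original post or from the MinIO project.
# Sanity-checks a MinIO --certs-dir for the two mistakes the answers point at:
#   1. wrong filenames (MinIO only loads public.crt and private.key; a key saved
#      as public.key is ignored and the server stays on plain HTTP)
#   2. "Bag Attributes" lines left in front of the PEM block by an
#      "openssl pkcs12" export
# plus a private-key permission check. Function names and the constructed demo
# files are assumptions made for this example; /var/minio/.minio/certs is the
# path from the question.

# 0 if the file's first line is a PEM header, 1 otherwise.
pem_starts_with_header() {
    case "$(head -n 1 "$1" 2>/dev/null)" in
        "-----BEGIN "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Layout check that needs no openssl. Prints one line per finding and
# returns 0 only when nothing was found.
check_minio_certs_layout() {
    dir=$1
    rc=0
    for f in public.crt private.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING: $dir/$f"
            rc=1
        fi
    done
    # The typo from the question.
    if [ -f "$dir/public.key" ]; then
        echo "WRONG NAME: $dir/public.key (MinIO expects private.key)"
        rc=1
    fi
    for f in public.crt private.key; do
        [ -f "$dir/$f" ] || continue
        if ! pem_starts_with_header "$dir/$f"; then
            echo "NOT PEM AT TOP: $dir/$f (text before the -----BEGIN line)"
            rc=1
        fi
        if grep -q '^Bag Attributes' "$dir/$f"; then
            echo "PKCS12 EXPORT LEFTOVERS: $dir/$f"
            rc=1
        fi
    done
    # The private key must not be readable by other users.
    if [ -f "$dir/private.key" ]; then
        perms=$(stat -c '%a' "$dir/private.key" 2>/dev/null || stat -f '%Lp' "$dir/private.key")
        case "$perms" in
            *[4567]) echo "WORLD-READABLE: $dir/private.key (mode $perms)"; rc=1 ;;
        esac
    fi
    return $rc
}

# Pairing check with openssl: the public key inside the certificate must equal
# the public key derived from the private key. Needs real PEM, so the
# self-test (placeholder PEM bodies) does not call it.
check_minio_certs_pair() {
    crt_pub=$(openssl x509 -in "$1/public.crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1/private.key" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# The fix from answer 2 as a command: keep only the BEGIN..END block(s).
# Writing back through cat keeps the file's mode (e.g. 0600).
strip_pkcs12_attributes() {
    tmp=$(mktemp)
    sed -n '/^-----BEGIN /,/^-----END /p' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Constructed demo directory reproducing the question's state: a public.key
# with export leftovers in front of the header. PEM bodies are placeholders,
# not real key material.
make_demo_dir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$d/public.crt"
    printf '%s\n' 'Bag Attributes' '    friendlyName: minio' \
        '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$d/public.key"
    chmod 600 "$d/public.key"
    echo "$d"
}

# Stand-alone run: check the real directory if present, otherwise the demo dir.
if [ -d /var/minio/.minio/certs ]; then
    check_minio_certs_layout /var/minio/.minio/certs && echo "layout OK"
else
    demo=$(make_demo_dir)
    check_minio_certs_layout "$demo" || echo "(findings above are expected for the demo dir)"
    rm -rf "$demo"
fi
```

Two lines of the question's own output already give the diagnosis away: MinIO prints `https://` endpoints in its startup banner when it found a usable certificate pair, and the `API: http://10.1.0.19:9000` line shows it did not; `SSL_ERROR_RX_RECORD_TOO_LONG` is the browser reporting that it sent a TLS ClientHello and got plaintext HTTP back, which is exactly what an unencrypted listener on port 9000 produces.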

huangapple
  • Posted on 2023-02-23 20:39:33
  • Please keep this link when reposting: https://go.coder-hub.com/75544959.html