fix: reading multiple TLS certificates when deployed in K8S (#10601)

Ignore all regular files, CAs directory and any 
directory that starts with `..` inside the
`.minio/certs` folder

cmd/common-main.go

@@ -334,14 +334,23 @@ func getTLSConfig() (x509Certs []*x509.Certificate, manager *certs.Manager, secu
 		return nil, nil, false, err
 	}
 	for _, file := range files {
-		// We exclude any regular file and the "CAs/" directory.
+		// Ignore all
-		// The "CAs/" directory contains (root) CA certificates
+		// - regular files
-		// that MinIO adds to its list of trusted roots (tls.Config.RootCAs).
+		// - "CAs" directory
-		// Therefore, "CAs/" does not contain X.509 certificates that
+		// - any directory which starts with ".."
-		// are meant to be served by MinIO.
+		if file.Mode().IsRegular() || file.Name() == "CAs" || strings.HasPrefix(file.Name(), "..") {
-		if !file.IsDir() || file.Name() == "CAs" {
 			continue
 		}
+		if file.Mode()&os.ModeSymlink == os.ModeSymlink {
+			file, err = os.Stat(filepath.Join(root.Name(), file.Name()))
+			if err != nil {
+				// not accessible ignore
+				continue
+			}
+			if !file.IsDir() {
+				continue
+			}
+		}
 
 		var (
 			certFile = filepath.Join(root.Name(), file.Name(), publicCertFile)
@@ -350,8 +359,8 @@ func getTLSConfig() (x509Certs []*x509.Certificate, manager *certs.Manager, secu
 		if !isFile(certFile) || !isFile(keyFile) {
 			continue
 		}
-		if err := manager.AddCertificate(certFile, keyFile); err != nil {
+		if err = manager.AddCertificate(certFile, keyFile); err != nil {
-			err = fmt.Errorf("Failed to load TLS certificate '%s': %v", certFile, err)
+			err = fmt.Errorf("Unable to load TLS certificate '%s,%s': %w", certFile, keyFile, err)
 			logger.LogIf(GlobalContext, err, logger.Minio)
 		}
 	}