diff --git a/CHANGES b/CHANGES
index e0b257481..3dbfa24fd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3048,3 +3048,8 @@
 * Use full URLs for page preview icons and favicon
 * email: fix masquerade toggle
 
+[9.0.9]
+* minio: fix issue with accepting selfsigned certs
+* applink: fix button text in edit mode
+* password reset: show error message if any
+
diff --git a/src/storage/s3.js b/src/storage/s3.js
index 44839ff15..908d57c5f 100644
--- a/src/storage/s3.js
+++ b/src/storage/s3.js
@@ -96,9 +96,14 @@ function createS3Client(apiConfig, options) {
         secretAccessKey: apiConfig.secretAccessKey
     };
 
+    const isHttps = apiConfig.endpoint?.startsWith('https://') || apiConfig._provider === 's3';
+    const needsSelfSignedAgent = isHttps && (apiConfig.acceptSelfSignedCerts || apiConfig.bucket.includes('.'));
+
     const requestHandler = new NodeHttpHandler({
         connectionTimeout: 60000,
-        socketTimeout: 20 * 60 * 1000
+        socketTimeout: 20 * 60 * 1000,
+        ...(needsSelfSignedAgent && { httpsAgent: new https.Agent({ rejectUnauthorized: false }) }),
+        ...(!isHttps && { httpAgent: new http.Agent({}) }) // http agent is required for http endpoints
     });
 
     // sdk v3 only has signature support v4
@@ -107,22 +112,11 @@ function createS3Client(apiConfig, options) {
         region: apiConfig.region || 'us-east-1',
         credentials,
         requestHandler,
+        ...(options.retryStrategy && { retryStrategy: options.retryStrategy }),
+        ...(apiConfig.endpoint && { endpoint: apiConfig.endpoint }),
         // logger: console
     };
 
-    if (options.retryStrategy) clientConfig.retryStrategy = options.retryStrategy;
-    if (apiConfig.endpoint) clientConfig.endpoint = apiConfig.endpoint;
-
-    // s3 endpoint names come from the SDK
-    const isHttps = clientConfig.endpoint?.startsWith('https://') || apiConfig._provider === 's3';
-    if (isHttps) {
-        if (apiConfig.acceptSelfSignedCerts || apiConfig.bucket.includes('.')) {
-            requestHandler.agent = new https.Agent({ rejectUnauthorized: false });
-        }
-    } else { // http agent is required for http endpoints
-        requestHandler.agent = new http.Agent({});
-    }
-
     const client = constants.TEST ? new globalThis.S3Mock(clientConfig) : new S3(clientConfig);
     // https://github.com/aws/aws-sdk-js-v3/issues/6761#issuecomment-2574480834
     // client.middlewareStack.add((next, context) => async (args) => {