
I run a sandboxed environment with 3 Virtual Servers on a 10.1.0.0/24 network.

Server_0: Windows 2019 as a Jumphost with a public and a 10.1.0.x IP
Server_1: Ubuntu 22.04 running Apache SOLR
Server_2: Ubuntu 22.04 Running Tomcat9 and MinIO

When accessing

https://Server_1:8983/solr      SOLR Admin Page is shown on Server_0  
https://Server_2:8443/          Tomcat9 page is shown on Server_0  
https://Server_2:9000 or 9001   MinIO-Console page is not shown on Server_0 (SSL_ERROR_RX_RECORD_TOO_LONG)
http://Server_2:9000 or 9001    MinIO-Console page is shown on Server_0

The installation is default and was done exactly as described here: [https://min.io/docs/minio/linux/index.html?ref=con]

systemctl status minio
minio.service - MinIO
Loaded: loaded (/etc/systemd/system/minio.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-02-23 11:21:32 UTC; 5s ago
Docs: https://docs.min.io
Process: 66959 ExecStartPre=/bin/bash -c if [ -z "${MINIO_VOLUMES}" ]; then echo "Variable MINIO_VOLUMES not set in /etc/defau>
Main PID: 66960 (minio)
Tasks: 7 (limit: 9492)
Memory: 83.6M
CPU: 339ms
CGroup: /system.slice/minio.service
└─66960 /usr/local/bin/minio server --certs-dir /var/minio/.minio/certs --address :9000 --console-address :9001

minio[66960]: Copyright: 2015-2023 MinIO, Inc.
minio[66960]: License: GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
minio[66960]: Version: RELEASE.2023-01-31T02-24-19Z (go1.19.4 linux/amd64)
minio[66960]: Status:         1 Online, 0 Offline.
minio[66960]: API: http://10.1.0.19:9000  http://127.0.0.1:9000
minio[66960]: Console: http://10.1.0.19:9001 http://127.0.0.1:9001
minio[66960]: Documentation: https://min.io/docs/minio/linux/index.html
minio[66960]: Warning: The standard parity is set to 0. This can lead to data loss.

  • Installed RootCA and IntermediateCert with dpkg and updated with update-ca-certificates
  • Created public.crt and public.key with openssl, compared checksums and verified all certs and put them in the right cert-dir (yes, I stripped also the headers that it starts with -----BEGIN…)
  • Port 9000/9001 is open, thus it works on the same port unencrypted.
  • The /etc/default/minio file is correct (can be seen in the status)
  • The /etc/systemd/minio.service is default

…and yes, the Browser on Server_0 is configured with all the needed Certificates too.

Also checked here (e.g. Minio does not seem to recognize TLS/https certificates)

I’m clueless what else to check, seems I forgot something stupid XD
I hope someone can help.
Thanks in advance

2 Answers

  1. Chosen as BEST ANSWER

    Hell yes, you are right. 'Lazy Me' only changed the file extension when exporting the keys, but not the name.

    openssl pkcs12 -in public.p12 -clcerts -nokeys -out public.crt
    openssl pkcs12 -in public.p12 -clcerts -nocerts -nodes -out public.key
    openssl rsa -in public.key -out public.key
    

    I removed the optional Bag and Key Attributes from the file, which are generated when converting with openssl. Means that the certs contain only this:

    -----BEGIN PRIVATE KEY-----
        ...a-bunch-of-letters-and-numbers...
    -----END PRIVATE KEY-----
    

    Works now after renaming to private.key

    Thanks a lot and sorry for my laziness ;)


  2. There is no such thing as public.key; this is the typo. You need to make sure the filenames are

    • public.crt (your public key for the ECDSA private key)
    • private.key (your private key – ECDSA key preferably)

    This is the mistake you made

    tree /var/minio/.minio/certs/
    /var/minio/.minio/certs/
    ├── CAs
    ├── private.key
    └── public.crt
    
    1 directory, 2 files
    

    And you shouldn’t be touching your certs

    (yes, I stripped also the headers that it starts with -----BEGIN…)

    By modifying them.

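A pre-flight check for the naming mistake resolved in this thread, added here as an example (not MinIO's code or either poster's): it confirms the certs directory holds `public.crt` and `private.key`, flags a private key saved under another name, and then lets Python's `ssl` module confirm the pair loads together. The function names and the constructed sample files are assumptions for illustration.

```python
import re
import ssl
import tempfile
from pathlib import Path

# File names the answer above says MinIO expects in the certs directory.
CERT_NAME, KEY_NAME = "public.crt", "private.key"
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)


def has_block(path, suffix):
    """True if the file has a PEM BEGIN line whose label ends with suffix."""
    labels = PEM_BEGIN.findall(path.read_text(errors="replace"))
    return any(label.endswith(suffix) for label in labels)


def check_certs_dir(certs_dir):
    """Return a list of findings; an empty list means the pair loads."""
    d = Path(certs_dir)
    cert, key = d / CERT_NAME, d / KEY_NAME
    findings = []
    if not cert.is_file():
        findings.append(f"missing {CERT_NAME}")
    elif not has_block(cert, "CERTIFICATE"):
        findings.append(f"{CERT_NAME} has no CERTIFICATE block")
    if not key.is_file():
        findings.append(f"missing {KEY_NAME}")
        # Look for a key saved under another name, as in the question.
        for other in sorted(p for p in d.glob("*") if p.is_file() and p != cert):
            if has_block(other, "PRIVATE KEY"):
                findings.append(f"{other.name} holds a private key; rename to {KEY_NAME}")
    elif not has_block(key, "PRIVATE KEY"):
        findings.append(f"{KEY_NAME} has no PRIVATE KEY block")
    if not findings:
        try:
            # OpenSSL rejects a mismatched key; password="" avoids a prompt.
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(str(cert), str(key), password="")
        except (OSError, ValueError) as exc:
            findings.append(f"pair does not load: {exc}")
    return findings


def demo():
    """Constructed layout from the question: the key is stored as public.key."""
    pem = "-----BEGIN {0}-----\nQUJD\n-----END {0}-----\n"  # placeholder body
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "public.crt").write_text(pem.format("CERTIFICATE"))
        Path(tmp, "public.key").write_text(pem.format("PRIVATE KEY"))
        return check_certs_dir(tmp)
```

Run `check_certs_dir` against the directory passed to `--certs-dir` before restarting the service; an empty list means both files are named as expected and load as a pair.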