
SSL encryption with MinIO does not work, it's only possible unencrypted


I run a sandboxed environment with 3 Virtual Servers on a 10.1.0.0/24 network.

Server_0: Windows 2019 as a Jumphost with a public and a 10.1.0.x IP
Server_1: Ubuntu 22.04 running Apache SOLR
Server_2: Ubuntu 22.04 Running Tomcat9 and MinIO

When accessing

https://Server_1:8983/solr      SOLR Admin Page is shown on Server_0  
https://Server_2:8443/          Tomcat9 page is shown on Server_0  
https://Server_2:9000 or 9001   MinIO-Console page is not shown on Server_0 (SSL_ERROR_RX_RECORD_TOO_LONG)
http://Server_2:9000 or 9001    MinIO-Console page is shown on Server_0

The Installation is default and exactly done like described here: [https://min.io/docs/minio/linux/index.html?ref=con]

systemctl status minio
minio.service - MinIO
Loaded: loaded (/etc/systemd/system/minio.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-02-23 11:21:32 UTC; 5s ago
Docs: https://docs.min.io
Process: 66959 ExecStartPre=/bin/bash -c if [ -z "${MINIO_VOLUMES}" ]; then echo "Variable MINIO_VOLUMES not set in /etc/defau>
Main PID: 66960 (minio)
Tasks: 7 (limit: 9492)
Memory: 83.6M
CPU: 339ms
CGroup: /system.slice/minio.service
└─66960 /usr/local/bin/minio server --certs-dir /var/minio/.minio/certs --address :9000 --console-address :9001

minio[66960]: Copyright: 2015-2023 MinIO, Inc.
minio[66960]: License: GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
minio[66960]: Version: RELEASE.2023-01-31T02-24-19Z (go1.19.4 linux/amd64)
minio[66960]: Status:         1 Online, 0 Offline.
minio[66960]: API: http://10.1.0.19:9000  http://127.0.0.1:9000
minio[66960]: Console: http://10.1.0.19:9001 http://127.0.0.1:9001
minio[66960]: Documentation: https://min.io/docs/minio/linux/index.html
minio[66960]: Warning: The standard parity is set to 0. This can lead to data loss.

  • Installed RootCA and IntermediateCert with dpkg and updated with update-ca-certificates
  • Created public.crt and public.key with openssl, compared checksums and verified all Certs and put them to the right cert-dir (yes, I stripped also the headers that it starts with -----BEGIN....)
  • Port 9000/9001 is open, thus it works on the same port unencrypted.
  • the /etc/default/minio file is correct (can be seen in the status)
  • the /etc/systemd/minio.service is default

...and yes, the Browser on Server_0 is configured with all the needed Certificates too.

Also checked here (e.g. Minio does not seem to recognize TLS/https certificates)

I'm clueless what else to check, seems I forgot something stupid XD. I hope someone can help. Thanks in advance.


Solution

  • There is no such thing as public.key; this is the typo. You need to make sure the filenames are:

    • public.crt (your public key for the ECDSA private key)
    • private.key (your private key - ECDSA key preferably)

    This is the mistake you made

    tree /var/minio/.minio/certs/
    /var/minio/.minio/certs/
    ├── CAs
    ├── private.key
    └── public.crt
    
    1 directory, 2 files
    

    And you shouldn't be touching your certs

    (yes, I stripped also the headers that it starts with -----BEGIN....)

    By modifying them.
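
A pre-flight check for the certs directory, added here as an example (it is not part of the original answer and not a MinIO tool): it looks for the two filenames the answer names, flags a stray public.key, confirms the PEM header lines are intact and, if openssl is installed, that the key matches the certificate. The function name `check_minio_certs` is hypothetical, and the key is assumed to be unencrypted.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a MinIO --certs-dir before restarting the service.
# check_minio_certs is a hypothetical helper name, not a MinIO command.

check_minio_certs() {
    local dir="$1" problems=0 f cert_pub key_pub

    # The answer above names these two files; both must exist and be intact PEM.
    for f in public.crt private.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING: $dir/$f"
            problems=$((problems + 1))
        elif ! head -n 1 "$dir/$f" | grep -q '^-----BEGIN '; then
            # The -----BEGIN/-----END lines are part of the PEM format.
            echo "NOT PEM: $dir/$f does not start with a -----BEGIN line"
            problems=$((problems + 1))
        fi
    done

    # The naming mistake from the question: the key saved as public.key.
    if [ -f "$dir/public.key" ]; then
        echo "WRONG NAME: $dir/public.key found; the key must be named private.key"
        problems=$((problems + 1))
    fi

    # If the files look sane and openssl is available, confirm they are a pair
    # by comparing the public key derived from each (assumes an unencrypted key).
    if [ "$problems" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -in "$dir/public.crt" -noout -pubkey 2>/dev/null) || true
        key_pub=$(openssl pkey -in "$dir/private.key" -passin pass: -pubout 2>/dev/null) || true
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "MISMATCH: private.key does not belong to public.crt"
            problems=$((problems + 1))
        fi
    fi

    [ "$problems" -eq 0 ]
}

# Run against a directory given on the command line, e.g. the --certs-dir path.
if [ "$#" -gt 0 ]; then
    check_minio_certs "$1"
fi
```

Until this check passes, MinIO can be expected to keep logging `http://` endpoints as in the status output above, and a browser speaking TLS to that plain-HTTP listener reports SSL_ERROR_RX_RECORD_TOO_LONG.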