[SOLVED] Generate Self-Signed Certificate for MINIO Plugin

xlameee

Explorer
Joined
Jun 22, 2018
Messages
87
Hello

I have been looking for instructions on how to generate an SSL certificate to run the minio plugin with HTTPS, and it seems none of them are working for me.

Can someone provide me with step-by-step instructions on how to generate a self-signed certificate for the minio plugin?


Thank you
 

vidx

Dabbler
Joined
Oct 16, 2021
Messages
40
Why not use Let's Encrypt?

I suppose you can export the freenas_default certificate in the GUI to the minio jail. That should work.
 

xlameee

Explorer
Joined
Jun 22, 2018
Messages
87
It is my local server and I will never use Let's Encrypt.

I know how to do that, but where do I put it, and how do I configure minio to use it?
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Within the jail, try /usr/local/etc/minio/certs.
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
Why is that?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Why is that?
Well, you need to own a domain, and regularly validate domain control, to get (and keep) a Let's Encrypt cert--that could certainly be a drawback. If OP would give any indication of what the problem actually is (since "it doesn't work" is about the most useless problem report possible), it might be possible to track down the problem.
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
Well, you need to own a domain, and regularly validate domain control, to get (and keep) a Let's Encrypt cert--that could certainly be a drawback. If OP would give any indication of what the problem actually is (since "it doesn't work" is about the most useless problem report possible), it might be possible to track down the problem.
Like you, I’m hoping for an explanation on a new-to-me perspective.
 

xlameee

Explorer
Joined
Jun 22, 2018
Messages
87
Why is that?
Because, as you know, there is no FREE BREAKFAST :) And please start reading the policy of what you are using before you throw out questions like "Why is that?" A Let's Encrypt certificate is all about securing your data (by the way, it is not your data, it is our personal information that you collect) from people like me, but people like me are not who you should be worried about, and by doing so you are handing my private data to people you should really be worried about.
But this is just my opinion. Your life is yours alone to have!!! ... or it might not be!!! I will leave that to you to find out :)

Within the jail, try /usr/local/etc/minio/certs.
Thank you, I will try, but is there some configuration of MINIO I have to make in order to get it working?
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Look at /usr/local/etc/rc.d/minio, which is the start script. I believe it's already set up for certificates.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Like you, I’m hoping for an explanation on a new-to-me perspective.
Well, I'd thought of a reasonable explanation, but it appears that paranoid delusions are the actual reason. Go figure.

@xlameee, the docs seem pretty clear--put the cert and private key in the certs directory, which is /usr/local/etc/minio/certs/. The private key needs to be named private.key, and the cert (including any intermediate certs, which are unlikely to be relevant if you're using a self-signed cert) needs to be named public.crt. But you say you've tried that (I guess; you weren't nearly that clear about what you did), and it didn't work. What exactly happened when you tried that? How did you determine that it wasn't working? Feel free--encouraged, even--to use complete sentences, or even paragraphs, to describe what's going on.
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
But this is just my opinion. Your life is yours alone to have!!! ... or it might not be!!! I will leave that to you to find out :)
Thank you for taking the time to acknowledge my question, though you didn't broaden my perspective on the use of Let's Encrypt...
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I'd written a pretty lengthy explanation of an apparent issue with the config directory, but that turned out to be a red herring. If I generate a self-signed cert, and put the files in /usr/local/etc/minio/certs/, and make sure they're readable by minio (which was the actual source of the problems I was seeing, and which minio sucks at logging), minio will restart and run just fine. The web console will now only be accessible via HTTPS (not via HTTP, and there's no redirect). If you've created the cert correctly, you'll be able to log in and go about your business.

One critical point is that the self-signed cert must contain the address you're using to access minio. I generated a cert for minio, and the service started and I was able to reach the web console by the IP address just fine. However, I wasn't able to log in, because the IP address wasn't listed on the cert as a SAN. Once I corrected that, I was able to log in and see this:
(screenshot attached: 1637243399441.png, the Minio web console after login)

Here are the steps I took:
  • iocage console minio
  • mkdir -p /usr/local/etc/minio/certs
  • cd /usr/local/etc/minio/certs
  • openssl genrsa -out private.key 2048
  • ee minio.conf
Its contents should be (assuming minio as the hostname, and 192.168.1.221 as the IP address):
Code:
[req]
distinguished_name=req
[SAN]
subjectAltName=@alt_names

[alt_names]
DNS.1 = minio
IP.1 = 192.168.1.221

  • openssl req -new -x509 -key private.key -out public.crt -days 3650 -subj /CN=minio -extensions SAN -config 'minio.conf'
  • chown minio:minio private.key
  • service minio restart
  • Browse to https://192.168.1.221:9000 and log in with the credentials TrueNAS gave you when you installed the plugin.
And that's all there was to it. Configuring any client devices or applications to trust the self-signed cert is left as an exercise for the reader.
 
Last edited:
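The steps above, as an added example that is not part of danb35's post or of MinIO's own tooling: a POSIX shell script that produces the private.key/public.crt pair in the layout MinIO expects, using the same minio.conf SAN layout as the thread, and then checks the two things the post says actually go wrong (the address you browse to must be in the SAN, and the key must be readable by minio but not by everyone). The certs directory, hostname minio and IP 192.168.1.221 are taken from the thread as defaults; the function names, the `run` argument and the check helpers are my own. It needs the openssl command line tool; the `chown minio:minio private.key` step from the thread is left to be run as root inside the jail.

```shell
#!/bin/sh
# Added example, not from the forum thread or from MinIO. Generates the
# private.key/public.crt pair MinIO expects, with the hostname and IP
# address in the SAN, then checks the two things the thread says go wrong:
# the address you browse to must be in the SAN, and minio must be able
# to read the key. Requires the openssl command line tool.
set -eu

# Write the minimal openssl config carrying the SAN list (same layout as
# the minio.conf in the thread).  $1 = output path, $2 = hostname, $3 = IP
write_san_config() {
    cat > "$1" <<EOF
[req]
distinguished_name = req
[SAN]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $2
IP.1 = $3
EOF
}

# Generate private.key and public.crt in directory $1 for hostname $2
# and IP address $3.  Ownership is not changed here: in the jail, follow
# with "chown minio:minio $1/private.key" as root, as in the thread.
gen_minio_cert() {
    mkdir -p "$1"
    write_san_config "$1/minio.conf" "$2" "$3"
    # umask 077 so the key file is created mode 0600, never world-readable
    (umask 077; openssl genrsa -out "$1/private.key" 2048 2>/dev/null)
    openssl req -new -x509 -key "$1/private.key" -out "$1/public.crt" \
        -days 3650 -subj "/CN=$2" -extensions SAN -config "$1/minio.conf"
    chmod 644 "$1/public.crt"
}

# Print the SAN entries of certificate $1 with spaces stripped,
# e.g. "DNS:minio,IPAddress:192.168.1.221" (empty if the cert has no SAN).
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Succeed iff certificate $1 lists address $2 as a DNS or IP SAN entry.
# A cert whose SAN lacks the address you browse to is exactly the case
# where the console loads but login fails.
san_covers() {
    san="$(cert_san "$1"),"
    case "$san" in
        *"DNS:$2,"*|*"IPAddress:$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed iff the public key in certificate $1 matches private key $2.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeed iff private key $1 is not world-readable (POSIX find syntax,
# works with both FreeBSD and GNU find).
key_not_world_readable() {
    [ -z "$(find "$1" -perm -004)" ]
}

# Run the whole procedure when invoked as: sh minio-cert.sh run [dir host ip]
if [ "${1:-}" = run ]; then
    dir=${2:-/usr/local/etc/minio/certs}; host=${3:-minio}; ip=${4:-192.168.1.221}
    gen_minio_cert "$dir" "$host" "$ip"
    san_covers "$dir/public.crt" "$ip" || { echo "SAN does not cover $ip" >&2; exit 1; }
    cert_matches_key "$dir/public.crt" "$dir/private.key" || { echo "key/cert mismatch" >&2; exit 1; }
    echo "wrote $dir/public.crt covering $(cert_san "$dir/public.crt")"
fi
```

Inside the jail, `sh minio-cert.sh run` followed by `chown minio:minio /usr/local/etc/minio/certs/private.key` and `service minio restart` reproduces the thread's procedure; `san_covers` is the check to run first whenever the console loads over HTTPS but login fails, since that was the symptom of a missing SAN entry.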

rvassar

Guru
Joined
May 2, 2018
Messages
972
Thank you for taking the time to acknowledge my question, though you didn't broaden my perspective on the use of Let's Encrypt...
In the OP's defense:
1. You have to have a domain, with a public facing stub at the very least. Not everyone has this.
2. Encryption laws vary by country rather significantly.
3. Not all paranoia is unjustified. While I rather doubt there is some magic back door in the LetsEncrypt CA, you can be denied access to it quite easily. Re #2 - Getting cut off from renewing your cert is a nuisance. But more importantly, in some places just the act of setting up SSL draws attention.
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
In the OP's defense:
1. You have to have a domain, with a public facing stub at the very least. Not everyone has this.
2. Encryption laws vary by country rather significantly.
3. Not all paranoia is unjustified. While I rather doubt there is some magic back door in the LetsEncrypt CA, you can be denied access to it quite easily. Re #2 - Getting cut off from renewing your cert is a nuisance. But more importantly, in some places just the act of setting up SSL draws attention.
Thanks for #3 - food for thought.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
in some places just the act of setting up SSL draws attention.
But Chicago (OP's stated location) isn't one of those places.
While I rather doubt there is some magic back door in the LetsEncrypt CA
And supposing there were, what could it do? It could result in mis-issuance of a cert, but that's equally possible whether you've previously obtained a cert from them or not, and such a thing could happen to any CA. But you generate your own keys, and LE never gets the private key, so it's pretty much impossible for any compromise on their end to result in an attacker being able to decrypt your communications. It's always possible that a cipher could be compromised, but once again that's a risk that applies equally to any certificate (including self-signed).
you can be denied access to it quite easily
In .us? Again, OP's stated location is Chicago. While Let's Encrypt does have occasional downtime (like any CA), and while they have rate limits (so test using the testing environment, and don't configure your renewals stupidly), who in .us is blocking access to Let's Encrypt? It'd be suicide for an ISP to try it.

But I'll add to your reasons that if users are accessing the Minio instance by IP address, a Let's Encrypt cert won't work, as they don't provide them for IP addresses.

Really, though, this is a side issue--regardless of where the cert comes from, you need to tell Minio to use it, and that's described above.
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
But Chicago (OP's stated location) isn't one of those places.
Is it? I live near Austin, Texas. Back in July I was working from home, and configured servers in Dubai, Singapore, Tokyo, and Sao Paulo all in the span of roughly 15 minutes. Was I on the hook for legal compliance? No. But the company I worked for was. If they want to use self-signed certs, it's their business. They may even move to a self-hosted CA at some point, and I believe you and I have discussed those before here.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Back in July I was working from home, and configured servers in Dubai, Singapore, Tokyo, and Sao Paulo all in the span of roughly 15 minutes.
Fair enough.
They may even move to a self hosted CA at some point
Likely a better solution. Trust of self-signed certs tends to be very spotty, but if there's a CA cert you can trust across the organization, it gets much easier.
 