Help me to config S3 on TrueNAS

loinn1001

Cadet
Joined
Dec 11, 2021
Messages
3
Hi all.

I am a newbie on TrueNAS. Yesterday I set up a new TrueNAS system (12.0-U7) and configured the S3 service:
1639279596820.png

But when I connect to TrueNAS from a client, the browser auto-redirects to port 12166 and shows an error:

1639279859843.png


Please help me.

Thanks
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
This appears to be due to changes in MinIO that haven't been incorporated yet into the TrueNAS middleware. According to the MinIO Quickstart Guide, the service launcher at /usr/local/etc/rc.d/minio needs to set the environment variable MINIO_SERVER_URL equal to "https://" + certificate's CN + "${minio_address}".

Please submit a bug report, because the S3 browser used to work without this IP SAN check. Unfortunately, upstream changes aren't always relayed to the TrueNAS developers in a timely fashion. Hopefully, this will be an easy fix for 12.0-U7.1.
 

loinn1001

Cadet
Joined
Dec 11, 2021
Messages
3
Thanks all.

I downgraded to TrueNAS-12.0-U6.1 and these issues were resolved. Perhaps the TrueNAS-12.0-U7 version is not stable yet.
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
I managed to get it working, but there've been a lot of changes in MinIO, so no guarantees this will continue working. First, stop the S3 service. Starting at line 54 of /usr/local/etc/rc.d/minio, add the following lines:

Code:
: ${minio_server_cn:=`/usr/local/bin/midclt call certificate.query | /usr/local/bin/jq | grep common | cut -d'"' -f4`}
: ${minio_server_url:="https://${minio_server_cn}:`echo ${minio_address} | cut -d ':' -f2`"}
: ${minio_root_user:=`/usr/local/bin/midclt call s3.config | /usr/local/bin/jq | grep access_key | cut -d'"' -f4`}
: ${minio_root_password:=`/usr/local/bin/midclt call s3.config | /usr/local/bin/jq | grep secret_key | cut -d'"' -f4`}

export MINIO_SERVER_URL="${minio_server_url}"
export MINIO_ROOT_USER="${minio_root_user}"
export MINIO_ROOT_PASSWORD="${minio_root_password}"


Save the start script, and restart the S3 service.
 

Lefuneste

Cadet
Joined
Dec 7, 2018
Messages
5
Many thanks Samuel for the tweak. It works with a little culprit (we love IT, don't we...)

When like me you have several certificates in your store, the line :
: ${minio_server_cn:=`/usr/local/bin/midclt call certificate.query | /usr/local/bin/jq | grep common | cut -d'"' -f4`}
works, but returns a multi line value for instance :

localhost
[Certificate 1 CN value]
[Certificate 2 CN value]


In case, like me, you have activated a Let's Encrypt auto-renewed certificate, this is probably systematic, as you end up with multiple expired certificates in the store.

When this happens, the second line cannot build a proper value and you end up with carriage return characters in the middle of the CN name, which is carried on to the second variable and the service then fails to start.

So I have purged all my unused certificates (which is probably a best practice anyway), and then it works like a charm. I am able to login with my S3 credentials (not the TrueNAS login).

Maybe this will help to adapt the command for the "minio_server_cn" variable to something more robust in case your mod is pushed to the main distro.
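
Added example (not part of any post in this thread, and not TrueNAS or MinIO code): one way to make the CN lookup robust is to parse the certificate.query JSON, select exactly one certificate, and refuse any CN that is not a single plain hostname before it is placed in MINIO_SERVER_URL. The certificate list below is constructed; the "id" field and the idea of selecting by the id of the certificate the S3 service uses are assumptions, since only the "common" field appears in the thread.

```python
import json
import re

# Constructed sample shaped like `midclt call certificate.query` output.
# Only "common" is shown in the thread; "id" is an assumed field.
SAMPLE_CERTS = json.loads("""[
  {"id": 1, "common": "localhost"},
  {"id": 4, "common": "nas.example.test"},
  {"id": 7, "common": "old-nas.example.test"}
]""")

# One DNS hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME = re.compile(
    r"(?=.{1,253}\Z)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\Z"
)


def grep_style_cn(certs):
    """What the grep/cut pipeline yields: every CN, one per line."""
    return "\n".join(c["common"] for c in certs)


def pick_server_cn(certs, cert_id):
    """Return the CN of exactly one certificate, selected by its id."""
    matches = [c for c in certs if c.get("id") == cert_id]
    if len(matches) != 1:
        raise ValueError(f"expected 1 certificate with id {cert_id}, found {len(matches)}")
    cn = matches[0].get("common")
    # Reject newlines, spaces and anything else that is not a plain hostname.
    if not isinstance(cn, str) or not HOSTNAME.match(cn):
        raise ValueError(f"certificate {cert_id} has an unusable CN: {cn!r}")
    return cn


def build_server_url(cn, minio_address):
    """Join the CN with the port part of minio_address, e.g. '0.0.0.0:9000'."""
    port = minio_address.rsplit(":", 1)[-1]
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad port in {minio_address!r}")
    return f"https://{cn}:{port}"


if __name__ == "__main__":
    print(repr(grep_style_cn(SAMPLE_CERTS)))  # the multi-line value described above
    print(build_server_url(pick_server_cn(SAMPLE_CERTS, 4), "0.0.0.0:9000"))
```

Failing with an error when the lookup is ambiguous keeps a malformed URL out of the service environment instead of letting the service start with a value nobody intended.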
 