SSL加密在MinIO中不起作用,只能在未加密的情况下使用。

huangapple go评论64阅读模式
英文:

SSL encryption with MinIO does not work, its only possible unencrypted

问题

我在一个带有3个虚拟服务器的沙箱环境中运行,这些服务器位于10.1.0.0/24网络上。

Server_0:作为Jumphost的Windows 2019,具有公共和10.1.0.x IP
Server_1:运行Apache SOLR的Ubuntu 22.04
Server_2:运行Tomcat9和MinIO的Ubuntu 22.04

访问以下网址时:

https://Server_1:8983/solr      在Server_0上显示SOLR管理页面
https://Server_2:8443/          在Server_0上显示Tomcat9页面
https://Server_2:9000或9001   在Server_0上未显示MinIO-Console页面(SSL_ERROR_RX_RECORD_TOO_LONG)
http://Server_2:9000或9001    在Server_0上显示MinIO-Console页面

安装是默认的,完全按照这里描述的方式进行:[https://min.io/docs/minio/linux/index.html?ref=con]

systemctl status minio
minio.service - MinIO
Loaded: loaded (/etc/systemd/system/minio.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-02-23 11:21:32 UTC; 5s ago
Docs: https://docs.min.io
Process: 66959 ExecStartPre=/bin/bash -c if \[ -z "${MINIO_VOLUMES}" \]; then echo "Variable MINIO_VOLUMES not set in /etc/defau\>
Main PID: 66960 (minio)
Tasks: 7 (limit: 9492)
Memory: 83.6M
CPU: 339ms
CGroup: /system.slice/minio.service
└─66960 /usr/local/bin/minio server --certs-dir /var/minio/.minio/certs --address :9000 --console-address :9001

minio\[66960\]: Copyright: 2015-2023 MinIO, Inc.
minio\[66960\]: License: GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
minio\[66960\]: Version: RELEASE.2023-01-31T02-24-19Z (go1.19.4 linux/amd64)
minio\[66960\]: Status:         1 Online, 0 Offline.
minio\[66960\]: API: http://10.1.0.19:9000  http://127.0.0.1:9000
minio\[66960\]: Console: http://10.1.0.19:9001 http://127.0.0.1:9001
minio\[66960\]: Documentation: https://min.io/docs/minio/linux/index.html
minio\[66960\]: Warning: The standard parity is set to 0. This can lead to data loss.
  • 使用dpkg安装了RootCA和IntermediateCert,并使用update-ca.certificates进行了更新。
  • 使用openssl创建了public.crt和public.key,比对了校验和并验证了所有证书,然后将它们放在正确的cert-dir目录中(是的,我还去掉了以-----BEGIN....开头的头部)。
  • 端口9000/9001已打开,因此它可以在相同的未加密端口上工作。
  • /etc/default/minio文件是正确的(可以在状态中看到)。
  • /etc/systemd/minio.servive是默认的。

...是的,Server_0上的浏览器也配置了所有所需的证书。

还在这里检查过(例如https://stackoverflow.com/questions/66161424/minio-does-not-seem-to-recognize-tls-https-certificates,...)

我不知道还要检查什么,似乎我忘记了一些愚蠢的东西 XD
希望有人能帮忙。
提前感谢。

英文:

I run a sandboxed environment with 3 Virtual Servers on a 10.1.0.0/24 network.

Server_0: Windows 2019 as a Jumphost with a public and a 10.1.0.x IP
Server_1: Ubuntu 22.04 running Apache SOLR
Server_2: Ubuntu 22.04 Running Tomcat9 and MinIO

When accessing

https://Server_1:8983/solr      SOLR Admin Page is shown on Server_0  
https://Server_2:8443/          Tomcat9 page is shown on Server_0  
https://Server_2:9000 or 9001   MinIO-Console page is not shown on Server_0 (SSL_ERROR_RX_RECORD_TOO_LONG)
http://Server_2:9000 or 9001    MinIO-Console page is shown on Server_0

The Installation is default and exactly done like described here: [https://min.io/docs/minio/linux/index.html?ref=con]

systemctl status minio
minio.service - MinIO
Loaded: loaded (/etc/systemd/system/minio.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-02-23 11:21:32 UTC; 5s ago
Docs: https://docs.min.io
Process: 66959 ExecStartPre=/bin/bash -c if \[ -z "${MINIO_VOLUMES}" \]; then echo "Variable MINIO_VOLUMES not set in /etc/defau\>
Main PID: 66960 (minio)
Tasks: 7 (limit: 9492)
Memory: 83.6M
CPU: 339ms
CGroup: /system.slice/minio.service
└─66960 /usr/local/bin/minio server --certs-dir /var/minio/.minio/certs --address :9000 --console-address :9001

minio\[66960\]: Copyright: 2015-2023 MinIO, Inc.
minio\[66960\]: License: GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
minio\[66960\]: Version: RELEASE.2023-01-31T02-24-19Z (go1.19.4 linux/amd64)
minio\[66960\]: Status:         1 Online, 0 Offline.
minio\[66960\]: API: http://10.1.0.19:9000  http://127.0.0.1:9000
minio\[66960\]: Console: http://10.1.0.19:9001 http://127.0.0.1:9001
minio\[66960\]: Documentation: https://min.io/docs/minio/linux/index.html
minio\[66960\]: Warning: The standard parity is set to 0. This can lead to data loss.
  • Installed RootCA and IntermediateCert with dpkg and updated with update-ca.certificates
  • Created public.crt and public.key with openssl, compared checksums and verified all Certs and put them to the right cert-dir (yes, I stripped also the headers that it starts with -----BEGIN....)
  • Port 9000/9001 is open , thus it works on the same port unencrypted.
  • the /etc/default/minio file is correct (can be seen in the status)
  • the /etc/systemd/minio.servive is default

...and yes, the Browser on Server_0 is configured with all the needed Certificates too.

Also checked here (e.g. https://stackoverflow.com/questions/66161424/minio-does-not-seem-to-recognize-tls-https-certificates,...)

I'm clueless what to check else, seems i forgot something stupid XD
I hope someone can help.
Thanks in advance

答案1

得分: 5

没有public.key这个东西,这是你需要确保文件名为的拼写错误:

  • public.crt(ECDSA私钥的公钥)
  • private.key(私钥 - 最好使用ECDSA密钥)

这是你犯的错误:

tree /var/minio/.minio/certs/
/var/minio/.minio/certs/
├── CAs
├── private.key
└── public.crt

1个目录,2个文件

而且你不应该修改你的证书。

(是的,我也剥离了以-----BEGIN....开头的头部信息)

通过修改它们。

英文:

There no such thing as public.key this is the typo you need to make sure the filenames are

  • public.crt (your public key for the ECDSA private key)
  • private.key (your private key - ECDSA key preferably)

This is the mistake you did

tree /var/minio/.minio/certs/
/var/minio/.minio/certs/
├── CAs
├── private.key
└── public.crt

1 directory, 2 files

And you shouldn't be touching your certs

> (yes, I stripped also the headers that it starts with -----BEGIN....)

By modifying them.

答案2

得分: 0

'是的,你说得对。'懒惰的我'只是在导出密钥时更改了文件扩展名,但没有更改名称。

openssl pkcs12 -in public.p12 -clcerts -nokeys -out public.crt
openssl pkcs12 -in public.p12 -clcerts -nocerts -nodes -out public.key
openssl rsa -in public.key -out public.key

我从文件中删除了与openssl转换时生成的可选Bag和Key属性。这意味着证书只包含:

-----BEGIN PRIVATE KEY-----
    ...一堆字母和数字...
-----END PRIVATE KEY-----

更名为private.key后现在可以正常工作。

非常感谢,抱歉我懒惰了 SSL加密在MinIO中不起作用,只能在未加密的情况下使用。

英文:

Hell yes, you are right. 'Lazy Me' only changed the file extension when exporting the keys, but not the name.

openssl pkcs12 -in public.p12 -clcerts -nokeys -out public.crt
openssl pkcs12 -in public.p12 -clcerts -nocerts -nodes -out public.key
openssl rsa -in public.key -out public.key

I removed the optional Bag and Key Attributes from the file, which are generated when converting with openssl. Means that the certs contain only this:

-----BEGIN PRIVATE KEY-----
    ...a-bunge-of-letters-and-numbers...
-----END PRIVATE KEY-----

Works now after renaming to private.key

Thanks a lot and sorry for my laziness SSL加密在MinIO中不起作用,只能在未加密的情况下使用。

huangapple
  • 本文由 发表于 2023年2月23日 20:39:33
  • 转载请务必保留本文链接:https://go.coder-hub.com/75544959.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定