3

I'm running MinIO under Docker. I've been using a version that was released before the integration of the MinIO console (circa July 2021). This was set up with an SSL certificate purchased from a third party, bound to my external web address (https://minio.example.com for instance).

After running the new version of MinIO RELEASE.2021-09-24T00-24-24Z via Docker, I needed to update my config (the env variables for MINIO_ACCESS_KEY / MINIO_SECRET_KEY change, for example). I've also added --console-address=":9001" to my config; MinIO is running on port 9000 for the main service.

The service runs fine for storing data, but accessing the web address gives the error:

x509: cannot validate certificate for 172.19.0.2 because it doesn't contain any IP SANs

I believe this is to do with MinIO looking at the internal Docker IP addresses, and not finding them in the SSL (there are no IPs in the SSL at all). I'm unable to find documentation explaining how to resolve this. Ideally, I don't want to get a new SSL that contains the IP address (external or internal!).

Can I change some of the Docker config such that MinIO will not try to check the IP addresses in the SSL?

fistameeny
  • From the error it appears that the certificate is not getting verified because the certificate does not have the IP in the subject alternative names section. You can try creating a new certificate with the IP in the SAN section – Pras Sep 27 '21 at 11:21
  • Thanks. I'm hoping to avoid doing that if possible, as the SSL has a while to run. Also, I assume I'd need to use the internal (Docker) IP, as opposed to the external WAN IP for it. I wondered if there's a config setting in the newer MinIO somewhere to side-step the issue (e.g. --insecure) – fistameeny Sep 27 '21 at 12:34

1 Answer

3

To answer my own question, I re-read the quickstart guide more carefully (https://docs.min.io/docs/minio-quickstart-guide.html), noting the following:

Similarly, if your TLS certificates do not have the IP SAN for the MinIO server host, the MinIO Console may fail to validate the connection to the server. Use the MINIO_SERVER_URL environment variable and specify the proxy-accessible hostname of the MinIO server to allow the Console to use the MinIO server API using the TLS certificate.

For example: export MINIO_SERVER_URL="https://minio.example.net"

For me, this meant I needed to update my docker-compose.yml file, adding the MINIO_SERVER_URL env variable. It had to point to the data URL for MinIO, not the console URL (otherwise you get an error about "Expected element type <AssumeRoleResponse> but have <html>").

It now works fine.

fistameeny
  • I'm using the RHEL Linux binary and wasn't able to log in to the console. Following the documentation, I set MINIO_SERVER_URL in the config file. All logins failed with the error message ""https://minio.example.com/": x509: certificate is not valid for any names, but wanted to match minio.example.com". After reading this, I unset MINIO_SERVER_URL, and voila the console login worked. – Uwe Dec 07 '22 at 15:57