Score:2

configure minio in docker to use https

sa flag

This is my docker-compose.yml:

version: '3.7'

services:
  minio:
    image: minio/minio
    command: server -C /etc/minio --address ":9000" --console-address ":9001" /data
    ports:
      - "9000:9000"
      - "9001:9001"
    environment:
      MINIO_ROOT_USER: minioadmin
      MINIO_ROOT_PASSWORD: minioadmin
    volumes:
      - minio:/data
      - /etc/minio:/root/.minio/
      - /etc/minio:/etc/minio/
      
volumes:
  minio:

ls -l /etc/minio/:

drwx------ 2 root root 4096 May 20 11:43 CAs
lrwxrwxrwx 1 root root   59 May 20 11:45 private.key -> /etc/letsencrypt/live/mydomain.com/privkey.pem
lrwxrwxrwx 1 root root   61 May 20 11:44 public.crt -> /etc/letsencrypt/live/mydomain.com/fullchain.pem

Accessing via http works, but https does not. I have no clue what is wrong. Sadly the logs don't show anything, and the docs are also not helping.

Score:4
in flag

The symlinks private.key and public.crt can't be resolved because the targets don't exist inside the container.

The easiest way would be to mount /etc/letsencrypt inside the container as well.

Keep in mind that you need to restart the container (or at least reload the minio process inside the container) after every certificate renewal.

sa flag
Great, that seems to have been the issue. Now I gotta figure this out: `Unable to load the TLS configuration: Could not read PEM block from file /etc/minio/certs/public.crt`. Any idea :( ?
in flag
That would be a topic for a new question.
in flag
My first guess would be a wrong path in the minio config (`/etc/minio/certs/public.crt` vs `/etc/minio/public.crt`)
sa flag
Figured it out. It did not like that I linked the `fullchain.pem` and rather expected `/etc/letsencrypt/live/mydomain.com/cert.pem`
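The failure mode the answer describes (a symlink whose absolute target exists on the host but not in the container's mount namespace) can be caught before the container is started. The script below is an added example, not code from the question, the answer or MinIO: it takes a compose service's `volumes` entries, and for each TLS file in the host cert directory reports whether its symlink target would be visible inside the container. The `public.crt`/`private.key` names and the `/etc/minio` and `/etc/letsencrypt` layout come from the thread; the function names and the translation logic are assumptions of this example.

```python
"""Pre-flight check: MinIO inside the container resolves symlinks in its certs
directory against the container filesystem, so a link to /etc/letsencrypt/...
dangles unless that tree is bind-mounted too. Added example, not MinIO code."""
import os
from pathlib import PurePosixPath

def parse_bind_mounts(volumes):
    """'host:container[:opts]' entries with an absolute host path -> [(host, container)].
    Named volumes such as 'minio:/data' are not bind mounts and are skipped."""
    mounts = []
    for entry in volumes:
        host, _, rest = entry.partition(":")
        container = rest.split(":")[0]
        if host.startswith("/") and container.startswith("/"):
            mounts.append((host.rstrip("/") or "/", container.rstrip("/") or "/"))
    return mounts

def remap(path, mounts, to_container=True):
    """Translate a path across the bind mounts (host -> container, or back).
    Returns None when no mount covers it, i.e. the path is invisible on the other side."""
    p = PurePosixPath(path)
    for host, container in mounts:
        src, dst = (host, container) if to_container else (container, host)
        src = PurePosixPath(src)
        if p == src or src in p.parents:
            return str(PurePosixPath(dst) / p.relative_to(src))
    return None

def check_cert_links(host_cert_dir, volumes, names=("public.crt", "private.key")):
    """For each expected TLS file report 'ok', 'missing', or why its symlink would
    dangle inside the container. Only the host filesystem is inspected."""
    mounts = parse_bind_mounts(volumes)
    container_dir = remap(host_cert_dir, mounts)
    if container_dir is None:
        return {n: f"{host_cert_dir} is not bind-mounted into the container" for n in names}
    report = {}
    for name in names:
        link = os.path.join(host_cert_dir, name)
        if not os.path.lexists(link):
            report[name] = "missing"
        elif not os.path.islink(link):
            report[name] = "ok"            # a regular file travels with the mount as-is
        else:
            target = os.readlink(link)     # stored link text, absolute or relative
            if not os.path.isabs(target):  # relative links resolve next to the link itself
                target = os.path.normpath(os.path.join(container_dir, target))
            host_target = remap(target, mounts, to_container=False)
            if host_target is None:
                report[name] = f"dangling in container: {target} is under no bind mount"
            elif not os.path.exists(host_target):
                report[name] = f"dangling: {target} resolves to {host_target}, which does not exist"
            else:
                report[name] = "ok"
    return report
```

Note that the fix only works when the Let's Encrypt tree is mounted at the same absolute path inside the container as on the host, which is exactly what `check_cert_links` verifies.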
Score:0
au flag

docker_compose.yml


networks:
  app-tier:
    driver: bridge


services:
  minio:
    image: minio/minio
    ports:
      - "9000:9000"
      - "9001:9001"
    networks:
      - app-tier
    volumes:
      - /data/minio:/data
    environment:
      MINIO_ROOT_USER: minioadmin
      MINIO_ROOT_PASSWORD: minioadmin
    command: server --console-address ":9001" /data
  nginx:
    image: nginx:latest
    container_name: 'nginx'
    hostname: 'nginx'
    ports:
      - "8443:8443" 
      - "8444:8444" 
    environment:
      - "VIRTUAL_HOST=minio.example.com"
      - "VIRTUAL_PORT=8443"
    networks:
      - app-tier
    volumes:
      - ./conf/app.conf:/etc/nginx/conf.d/default.conf:ro
      - '/etc/letsencrypt/live/:/etc/letsencrypt/live/'
      - '/etc/letsencrypt/archive/:/etc/letsencrypt/archive/'
volumes:
  minio_storage: {}

app.conf should be placed in the conf folder

upstream minio {
  server minio:9001;
  keepalive 15;
}
upstream minio_api {
  server minio:9000;
  keepalive 15;
}
server {
  listen 8443 ssl;
  server_name minio.example.com;
  ssl_certificate /etc/letsencrypt/live/minio.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/minio.example.com/privkey.pem;
  resolver 8.8.8.8;
  location / {
    proxy_pass http://minio;
    proxy_redirect off;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header Connection "Keep-Alive";
    proxy_set_header Proxy-Connection "Keep-Alive";
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    chunked_transfer_encoding off;

    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

  }
}
server {
  listen 8444 ssl;
  server_name minio.example.com;
  ssl_certificate /etc/letsencrypt/live/minio.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/minio.example.com/privkey.pem;
  resolver 8.8.8.8;
  location / {
    proxy_pass http://minio_api;
    proxy_redirect off;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header Connection "Keep-Alive";
    proxy_set_header Proxy-Connection "Keep-Alive";
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    chunked_transfer_encoding off;

    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

  }

}

Check the permissions on the /etc/letsencrypt folder, because the containers run as a non-privileged user.

mangohost
