[bitnami/minio] MINIO SelfSigned Cert causes Minio Client to exit the whole container #29356

Closed
busyboy77 opened this issue Apr 6, 2023 · 5 comments
Assignees
Labels
minio solved stale 15 days without activity tech-issues The user has a technical issue about an application

Comments

@busyboy77

Name and Version

bitnami/minio:2023

What architecture are you using?

None

What steps will reproduce the bug?

  1. generate the SSL certificate using certgen

         certgen --host "localhost,minio"

  2. Changed the ownership of the certs folder to 1001:1001

  3. start the minio container using

         docker run --name minio --publish 9000:9000 --publish 9001:9001 --volume ./certs:/certs --env MINIO_ROOT_USER=minioadmin --env MINIO_ROOT_PASSWORD=minioadmin --env MINIO_SCHEME=https --env BITNAMI_DEBUG=true bitnami/minio:2023

giving the below given output and the container exits

 10:21:29.65
 10:21:29.65 Welcome to the Bitnami minio container
 10:21:29.66 Subscribe to project updates by watching https://github.com/bitnami/containers
 10:21:29.66 Submit issues and feature requests at https://github.com/bitnami/containers/issues
 10:21:29.66
 10:21:29.66 INFO  ==> ** Starting MinIO setup **
minio 10:21:29.68 DEBUG ==> Validating settings in MINIO_* env vars..
minio 10:21:29.71 INFO  ==> Starting MinIO in background...
Formatting 1st pool, 1 set(s), 1 drives per set.
WARNING: Host local has more than 0 drives of set. A host failure will result in data becoming unavailable.
WARNING: Detected default credentials 'minioadmin:minioadmin', we recommend that you change these values with 'MINIO_ROOT_USER' and 'MINIO_ROOT_PASSWORD' environment variables
MinIO Object Storage Server
Copyright: 2015-2023 MinIO, Inc.
License: GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
Version: DEVELOPMENT.2023-03-24T21-41-23Z (go1.19.7 linux/amd64)

Status:         1 Online, 0 Offline.
API: https://localhost:9000
Console: http://172.17.0.2:9001 http://127.0.0.1:9001

Documentation: https://min.io/docs/minio/linux/index.html
Warning: The standard parity is set to 0. This can lead to data loss.
minio 10:21:39.81 INFO  ==> Adding local Minio host to 'mc' configuration...
minio 10:21:45.01 INFO  ==> Adding local Minio host to 'mc' configuration...
minio 10:21:50.23 INFO  ==> Adding local Minio host to 'mc' configuration...
minio 10:21:55.49 INFO  ==> Adding local Minio host to 'mc' configuration...
minio 10:22:00.67 INFO  ==> Adding local Minio host to 'mc' configuration...
minio 10:22:05.91 INFO  ==> Adding local Minio host to 'mc' configuration...
minio 10:22:11.13 INFO  ==> Adding local Minio host to 'mc' configuration...
minio 10:22:16.31 INFO  ==> Adding local Minio host to 'mc' configuration...
minio 10:22:21.51 INFO  ==> Adding local Minio host to 'mc' configuration...
minio 10:22:26.76 INFO  ==> Adding local Minio host to 'mc' configuration...
minio 10:22:32.00 INFO  ==> Adding local Minio host to 'mc' configuration...
minio 10:22:37.19 INFO  ==> Adding local Minio host to 'mc' configuration...
Failed to add temporary MinIO server
minio 10:22:42.53 INFO  ==> MinIO is already stopped...


Now this is stopped because the CA is unknown and the certificate is self-signed.

What I did to isolate the issue:

  1. Re-built the image by editing containers/bitnami/minio/2023/debian-11/rootfs/opt/bitnami/scripts/libminioclient.sh: at line # 82, removed the /dev/null redirection, and started the container using the locally built image like below

         docker run --name minio --publish 9000:9000 --publish 9001:9001 --volume ./certs:/certs --env MINIO_ROOT_USER=minioadmin --env MINIO_ROOT_PASSWORD=minioadmin --env MINIO_SCHEME=https --env BITNAMI_DEBUG=true localminio:2023.1

With the output given below:

 10:33:28.52
 10:33:28.53 Welcome to the Bitnami minio container
 10:33:28.53 Subscribe to project updates by watching https://github.com/bitnami/containers
 10:33:28.53 Submit issues and feature requests at https://github.com/bitnami/containers/issues
 10:33:28.54
 10:33:28.54 INFO  ==> ** Starting MinIO setup **
minio 10:33:28.56 DEBUG ==> Validating settings in MINIO_* env vars..
minio 10:33:28.59 INFO  ==> Starting MinIO in background...
Formatting 1st pool, 1 set(s), 1 drives per set.
WARNING: Host local has more than 0 drives of set. A host failure will result in data becoming unavailable.
WARNING: Detected default credentials 'minioadmin:minioadmin', we recommend that you change these values with 'MINIO_ROOT_USER' and 'MINIO_ROOT_PASSWORD' environment variables
MinIO Object Storage Server
Copyright: 2015-2023 MinIO, Inc.
License: GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
Version: DEVELOPMENT.2023-03-24T21-41-23Z (go1.19.7 linux/amd64)

Status:         1 Online, 0 Offline.
API: https://localhost:9000
Console: https://172.17.0.2:9001 https://127.0.0.1:9001

Documentation: https://min.io/docs/minio/linux/index.html
Warning: The standard parity is set to 0. This can lead to data loss.
minio 10:33:38.69 INFO  ==> Adding local Minio host to 'mc' configuration...
mc: <ERROR> Unable to initialize new alias from the provided credentials. Get "https://localhost:9000/probe-bucket-sign-93rbvvrqtgso/?location=": x509: certificate signed by unknown authority.
minio 10:33:43.86 INFO  ==> Adding local Minio host to 'mc' configuration...
mc: <ERROR> Unable to initialize new alias from the provided credentials. Get "https://localhost:9000/probe-bucket-sign-1edjp4m5gkor/?location=": x509: certificate signed by unknown authority.
minio 10:33:49.05 INFO  ==> Adding local Minio host to 'mc' configuration...
mc: <ERROR> Unable to initialize new alias from the provided credentials. Get "https://localhost:9000/probe-bucket-sign-66sx4jqahxey/?location=": x509: certificate signed by unknown authority.
minio 10:33:54.22 INFO  ==> Adding local Minio host to 'mc' configuration...
mc: <ERROR> Unable to initialize new alias from the provided credentials. Get "https://localhost:9000/probe-bucket-sign-yupcqitnjjyc/?location=": x509: certificate signed by unknown authority.
minio 10:33:59.46 INFO  ==> Adding local Minio host to 'mc' configuration...
mc: <ERROR> Unable to initialize new alias from the provided credentials. Get "https://localhost:9000/probe-bucket-sign-rxijru31l3fu/?location=": x509: certificate signed by unknown authority.
minio 10:34:04.66 INFO  ==> Adding local Minio host to 'mc' configuration...
mc: <ERROR> Unable to initialize new alias from the provided credentials. Get "https://localhost:9000/probe-bucket-sign-6ahtl0ojwgah/?location=": x509: certificate signed by unknown authority.
minio 10:34:09.87 INFO  ==> Adding local Minio host to 'mc' configuration...
mc: <ERROR> Unable to initialize new alias from the provided credentials. Get "https://localhost:9000/probe-bucket-sign-nan2pr9g6jvv/?location=": x509: certificate signed by unknown authority.
minio 10:34:15.05 INFO  ==> Adding local Minio host to 'mc' configuration...
mc: <ERROR> Unable to initialize new alias from the provided credentials. Get "https://localhost:9000/probe-bucket-sign-zbwfaxvvq431/?location=": x509: certificate signed by unknown authority.
minio 10:34:20.25 INFO  ==> Adding local Minio host to 'mc' configuration...
mc: <ERROR> Unable to initialize new alias from the provided credentials. Get "https://localhost:9000/probe-bucket-sign-91cl2h1vb64c/?location=": x509: certificate signed by unknown authority.
minio 10:34:25.47 INFO  ==> Adding local Minio host to 'mc' configuration...
mc: <ERROR> Unable to initialize new alias from the provided credentials. Get "https://localhost:9000/probe-bucket-sign-fa6gnephvfi9/?location=": x509: certificate signed by unknown authority.
minio 10:34:30.72 INFO  ==> Adding local Minio host to 'mc' configuration...
mc: <ERROR> Unable to initialize new alias from the provided credentials. Get "https://localhost:9000/probe-bucket-sign-xvd2vjh4kizy/?location=": x509: certificate signed by unknown authority.
minio 10:34:35.94 INFO  ==> Adding local Minio host to 'mc' configuration...
mc: <ERROR> Unable to initialize new alias from the provided credentials. Get "https://localhost:9000/probe-bucket-sign-qml1kqldxdvr/?location=": x509: certificate signed by unknown authority.
Failed to add temporary MinIO server
minio 10:34:41.37 INFO  ==> MinIO is already stopped...

However, this behaviour can only be changed by setting the MINIO_SKIP_CLIENT=yes

I think this is a bug with self-signed certificates and should be catered for, because in most of the deployments I have used minio with locally self-signed SSL certs.

Regards,
NMR

What is the expected behavior?

Self-signed Certs issue

What do you see instead?

self-signed certs causing issue for containers

Additional information

provided.

@busyboy77 busyboy77 added the tech-issues The user has a technical issue about an application label Apr 6, 2023
@github-actions github-actions bot added the triage Triage is needed label Apr 6, 2023
@javsalgar javsalgar changed the title MINIO SelfSigned Cert causes Minio Client to exit the whole container [bitnami/minio] MINIO SelfSigned Cert causes Minio Client to exit the whole container Apr 7, 2023
@javsalgar javsalgar added the minio label Apr 7, 2023
@github-actions github-actions bot added in-progress and removed triage Triage is needed labels Apr 7, 2023
@bitnami-bot bitnami-bot assigned migruiz4 and unassigned javsalgar Apr 7, 2023
@migruiz4
Member

Hi @busyboy77,

I think you are missing the CAs folder inside your certificates directory.

In order to run, MinIO requires the following files mounted at the /certs directory:

/certs/private.key
/certs/public.crt
/certs/CAs/public.crt

certgen only generates the files private.key and public.crt, so you need to create the folder CAs manually and copy inside of it the public.crt file.
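
The layout described in the comment above can be checked before starting the container. This is an added example, not part of the thread or of the Bitnami scripts: a POSIX shell pre-flight script that lists which of the three files is missing, installs a self-signed certificate as its own CA, and uses `openssl verify` to confirm the chain. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the /certs layout described above.
# Function names are hypothetical; only openssl and POSIX tools are used.

# Print each required file that is absent from the certs directory $1.
missing_cert_files() {
    for f in private.key public.crt CAs/public.crt; do
        [ -f "$1/$f" ] || echo "$1/$f"
    done
}

# Self-signed case: the server certificate is its own trust anchor, so copy
# it into CAs/ (certgen does not create that folder).
install_self_signed_ca() {
    mkdir -p "$1/CAs" && cp "$1/public.crt" "$1/CAs/public.crt"
}

# Return 0 if public.crt verifies against at least one file in CAs/.
# With no matching CA the client has no trust anchor for the server, which
# is the "certificate signed by unknown authority" case from the issue.
chain_verifies() {
    for ca in "$1"/CAs/*; do
        [ -f "$ca" ] || continue
        openssl verify -CAfile "$ca" "$1/public.crt" >/dev/null 2>&1 && return 0
    done
    return 1
}

# Usage: sh check-certs.sh ./certs
if [ -n "${1:-}" ]; then
    missing=$(missing_cert_files "$1")
    if [ -n "$missing" ]; then
        echo "missing:"; echo "$missing"; exit 1
    fi
    chain_verifies "$1" || { echo "public.crt is not trusted by any CA in $1/CAs"; exit 1; }
    echo "certs layout OK"
fi
```
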

@busyboy77
Author

busyboy77 commented Apr 10, 2023

Thanks a lot.

This has to be documented somewhere as well.
Including the option MINIO_SKIP_CLIENT=yes does not make sense with MINIO_DEFAULT_BUCKETS. They are mutually exclusive?

Regards,

@migruiz4
Member

Hi @busyboy77,

In the README.md for minio, we include a section for TLS configuration including a link to the upstream MinIO documentation: https://min.io/docs/minio/linux/operations/network-encryption.html?ref=docs-redirect#third-party-certificate-authorities

> Including the option MINIO_SKIP_CLIENT=yes does not make sense with MINIO_DEFAULT_BUCKETS. They are mutually exclusive?

Yes, the MINIO_SKIP_CLIENT is mutually exclusive with MINIO_DEFAULT_BUCKETS, as the minio-client is required to create the buckets:

    if is_boolean_yes "$MINIO_SKIP_CLIENT"; then
        debug "Skipping MinIO client configuration..."
    else
        if [[ "$MINIO_SERVER_SCHEME" == "https" ]]; then
            [[ ! -d "${MINIO_CLIENT_CONF_DIR}/certs" ]] && mkdir -p "${MINIO_CLIENT_CONF_DIR}/certs"
            [[ -d "${MINIO_CERTS_DIR}/CAs" ]] && cp -r "${MINIO_CERTS_DIR}/CAs/" "${MINIO_CLIENT_CONF_DIR}/certs/CAs"
        fi
        # Start MinIO server in background
        minio_start_bg
        # Ensure MinIO Client is stopped when this script ends.
        trap "minio_stop" EXIT
        if is_boolean_yes "$MINIO_DISTRIBUTED_MODE_ENABLED" && is_distributed_ellipses_syntax; then
            read -r -a drives <<<"$(minio_distributed_drives)"
            data_drive="${drives[0]}"
        fi
        # Trying to add a server within a minute.
        if ! retry_while "minio_client_configure_local ${data_drive:-MINIO_DATA_DIR}/.minio.sys/config/config.json"; then
            echo "Failed to add temporary MinIO server"
            exit 1
        fi
        if is_boolean_yes "$MINIO_DISTRIBUTED_MODE_ENABLED"; then
            # Wait for other clients (distribute mode)
            sleep 5
        fi
        # Create default buckets
        minio_create_default_buckets
    fi

@github-actions

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Apr 27, 2023
@github-actions

github-actions bot commented May 3, 2023

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.
