
MinIO + Docker - cannot use SSL certificate with new version (x509 doesn't contain any IP sans)

Tags: docker, ssl, minio

I'm running MinIO under docker. I've been using a version that was released before the integration of the MinIO console (circa July 2021). This was set up with an SSL certificate purchased from a third party, bound to my external web address (https://minio.example.com for instance).

After running the new version of MinIO RELEASE.2021-09-24T00-24-24Z via Docker, I needed to update my config (the env variables for MINIO_ACCESS_KEY / MINIO_SECRET_KEY change, for example). I've also added --console-address=":9001" to my config; MinIO is running on port 9000 for the main service.

The service runs fine for storing data, but accessing the web address gives the error:

x509: cannot validate certificate for 172.19.0.2 because it doesn't contain any IP SANs

I believe this is to do with MinIO looking at the internal Docker IP addresses, and not finding them in the SSL (there are no IPs in the SSL at all). I'm unable to find documentation explaining how to resolve this. Ideally, I don't want to get a new SSL that contains the IP address (external or internal!).

Can I change some of the Docker config such that MinIO will not try to check the IP addresses in the SSL?

fistameeny asked Sep 18 '25 16:09


1 Answer

To answer my own question, I re-read the quickstart guide more carefully (https://docs.min.io/docs/minio-quickstart-guide.html), noting the following:

Similarly, if your TLS certificates do not have the IP SAN for the MinIO server host, the MinIO Console may fail to validate the connection to the server. Use the MINIO_SERVER_URL environment variable and specify the proxy-accessible hostname of the MinIO server to allow the Console to use the MinIO server API using the TLS certificate.

For example: export MINIO_SERVER_URL="https://minio.example.net"

For me, this meant I needed to update my docker-compose.yml file, adding the MINIO_SERVER_URL env variable. It had to point to the data URL for MinIO, not the console URL (otherwise you get an error about "Expected element type <AssumeRoleResponse> but have <html>").

It now works fine.

fistameeny answered Sep 21 '25 09:09
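
The docker-compose.yml change described in the answer above, written out as an added example that is not part of the original post. The service name, host paths, credential placeholders, the 443 port mapping and the Console URL in the commented-out line are assumptions; the image tag, ports 9000/9001 and hostname come from the question.

```yaml
# Added illustration, not the poster's actual file.
services:
  minio:                                   # assumed service name
    image: minio/minio:RELEASE.2021-09-24T00-24-24Z
    # API listens on 9000; the embedded Console is moved to 9001.
    command: server /data --console-address ":9001"
    ports:
      - "443:9000"                         # assumption: API published as https://minio.example.com
      - "9001:9001"                        # Console
    environment:
      # Replace the older MINIO_ACCESS_KEY / MINIO_SECRET_KEY variables.
      MINIO_ROOT_USER: "CHANGE_ME"         # placeholder
      MINIO_ROOT_PASSWORD: "CHANGE_ME_TOO" # placeholder
      # The Console calls the server API through this URL. Its hostname
      # matches a DNS SAN in the certificate, so verification succeeds.
      # Without it the Console dials the container IP (172.19.0.2 in the
      # question) and fails because the certificate has no IP SANs.
      MINIO_SERVER_URL: "https://minio.example.com"
      # Wrong: pointing this at the Console instead of the API gives
      # 'Expected element type <AssumeRoleResponse> but have <html>'.
      # MINIO_SERVER_URL: "https://minio.example.com:9001"
    volumes:
      - ./data:/data                       # assumed host path
      # MinIO reads public.crt and private.key from this directory.
      - ./certs:/root/.minio/certs         # assumed host path
```

The hostname in MINIO_SERVER_URL must be resolvable and reachable from inside the container, since the Console makes the request from there.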