minio is a well-known S3 compatible object storage platform that supports high availability features.
For FreeBSD a port is available that has already been described in 2018 on the vermaden blog.
That means the certificate setup below might be interesting even if you plan to run
minio on another platform and not FreeBSD.
In the offical TLS documentation linked to above, self signed certificates are described but not how a Root CA certificate is created which is needed when
minio is to be run not only on a single host.
The setup in this document assumes two hosts with two drives each, the minimum setup for enabling Erasure Code. This setup can easily be scaled to more nodes and also managed by tools like
Both hosts in this example use the IP addresses
10.10.10.11 and each mounts its two drives at
Installing The Packages
Install the following packages on both hosts to run
$ pkg install minio ... $ pkg install openssl ...
Certificate Set Up
On both hosts, create
On one of the hosts, run the following commands in the
openssl genrsa -out rootca.key 8192 openssl req -sha256 -new -x509 -days 3650 -key rootca.key -out rootca.crt
Copy these root certificates into the
/usr/local/etc/ssl/CAs directory of the other system.
On both systems, create
/usr/local/etc/ssl/openssl.conf. Replace the example IP address
10.10.10.10 below with the IP address of the host on which you create this file:
basicConstraints = CA:FALSE nsCertType = server nsComment = "OpenSSL Generated Server Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] IP.1 = 10.10.10.10
This alt name is important as
minio will check the certificate. Please note that the document Use OpenSSL (with IP address) to Generate a Certificate also lists a similar configuration file which does not correctly add the alt names to the certificate though.
Afterwards, in the same directory, run
$ openssl genrsa -out private.key 4096 ... $ openssl req -new -key private.key -out public.csr ... $ openssl x509 -req -in public.csr -CA CAs/rootca.crt -CAkey CAs/rootca.key -CAcreateserial -out public.crt -days 3650 -sha256 -extfile openssl.conf
Feel free to use appropriate values for each of the certificate attributes when asked by
You can check if the correct alt name IP address entry is contained in the certificate with
openssl x509 -noout -text -in public.crt - if you don’t see it in the output, check your configuration file above.
Configure minio Service
Add the following to the
/etc/rc.conf file on both systems:
minio_enable=“YES“ minio_disks=“https://10.10.10.10:9000/mnt/minio-data1 https://10.10.10.10:9000/mnt/minio-data2 https://10.10.10.11:9000/mnt/minio-data1 https://10.10.10.11:9000/mnt/minio-data2“ minio_certs="/usr/local/etc/ssl" minio_env="MINIO_ACCESS_KEY=myaccesskey MINIO_SECRET_KEY=mysecretkey"
Prepare Drives and Start minio
On both systems, run
$ chown minio /mnt/minio-data1 && chmod u+rxw /mnt/minio-data1 $ chown minio /mnt/minio-data2 && chmod u+rxw /mnt/minio-data2
To test your configuration, you can run
minio from the shell so you see the output:
su -m minio -c 'env \\ MINIO_ACCESS_KEY=myaccesskey \\ MINIO_SECRET_KEY=mysecretkey \\ minio server \\ -S /usr/local/etc/ssl \\ https://10.10.10.10:9000/mnt/minio-data1 \\ https://10.10.10.10:9000/mnt/minio-data2 \\ https://10.10.10.11:9000/mnt/minio-data1 \\ https://10.10.10.11:9000/mnt/minio-data2'
Please note that the –config-dir parameter shown in old documentation is obsolete as
minio stores the configuration within the data directories meanwhile.
When everything works, you should be able to connect by using the access key and the secret key from above as credentials to both systems with your browser on https://10.10.10.10:9000 and https://10.10.10.11:9000 and both hosts should replicate all the data that you load into each of them.
If everything works, stop both
minio server processes with
kill -9 and start them as service with