XCP-ng

    s3 backups with minio using https and various CAs

    • sidsanders

      we were able to get backups to work with the s3 beta to minio over http. we have minio deployed with a cert from godaddy which seems to fail when we enabled it.

      i tried to import the godaddy certs in case they were not installed as part of ca-certificates package. they import ok, however it is not clear how or if those are used for the s3 access. awscli and mc (minio client) can bypass or have ways to set where to find the proper CA certs. have i missed something?

      • olivierlambert Vates 🪐 Co-Founder CEO

        Pinging @nraynaud and/or @julien-f

        • julien-f Vates 🪐 Co-Founder XO Team @sidsanders

          @sidsanders Hi, invalid certificates (self-signed or unknown CAs) are not supported at the moment but we are working on implementing this very soon.

          • sidsanders @julien-f

            greetings @julien-f. the one we have an issue with is not self signed. it is from godaddy. i would not have thought godaddy would fall into the lesser/unknown CAs.

            • nraynaud XCP-ng Team @sidsanders

              @sidsanders Hi, I had a look at your issue; it seems that it is often associated with the SSL certificate missing the middle of the Merkle chain.

              here are a couple of explanations:

              • https://serverfault.com/questions/693033/unable-to-use-builtin-ca-bundle-to-verify-godaddy-sha2-ssl-certificate
              • https://www.npmjs.com/package/ssl-root-cas

              I suspect that the certificate you gave to minio was incomplete. Note that the chain of certificates should not include the root certificate, only all the certificates in the chain minus the root.

              Nico.
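
The incomplete-chain condition described in the reply above, reproduced and checked with the `openssl` CLI, as an added example that is not part of the original thread. The function names and the throwaway root/intermediate/leaf PKI are assumptions constructed for the demo; no GoDaddy or MinIO files are used.

```shell
#!/bin/sh
# Added example. The PKI below is constructed for the demo; all names are made up.

# Build root -> intermediate -> leaf certificates in directory $1.
make_demo_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root inter leaf; do
    openssl ecparam -genkey -name prime256v1 -noout -out "$d/$n.key" 2>/dev/null
    openssl req -new -key "$d/$n.key" -subj "/CN=demo-$n" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
}

# check_served_chain ROOTS BUNDLE: verify the first certificate in BUNDLE (the
# leaf) against ROOTS, using the other certificates in BUNDLE only as untrusted
# intermediates, which is what a client does with the chain a server sends.
check_served_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# bundle_has_root BUNDLE: succeed if BUNDLE contains a self-signed certificate
# (subject equals issuer), i.e. a root that should be left out of the chain.
bundle_has_root() {
  t=$(mktemp -d) || return 2
  awk -v t="$t" '/BEGIN CERTIFICATE/{n++} n{print > (t "/" n ".pem")}' "$1"
  found=1
  for c in "$t"/*.pem; do
    if [ "$(openssl x509 -in "$c" -noout -subject_hash)" = \
         "$(openssl x509 -in "$c" -noout -issuer_hash)" ]; then found=0; fi
  done
  rm -rf "$t"
  return $found
}

# Demo on the constructed chain.
w=$(mktemp -d) && make_demo_chain "$w"
cat "$w/leaf.pem" "$w/inter.pem" > "$w/full.pem"
check_served_chain "$w/root.pem" "$w/leaf.pem" || echo "leaf only: chain incomplete"
check_served_chain "$w/root.pem" "$w/full.pem" && echo "leaf + intermediate: verifies"
bundle_has_root "$w/full.pem" || echo "no root in bundle"
rm -rf "$w"
```

For a real deployment, pass the client's trusted root bundle as ROOTS and the certificate file given to the server as BUNDLE.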
