invalid login to minio console behind haproxy
raulkmbl opened this issue · comments
minio config file details -
```
MINIO_VOLUMES="https://minio{1...4}:9000/mnt/disk{1...4}/minio"
MINIO_OPTS="--console-address :9001"
MINIO_ROOT_USER=
MINIO_ROOT_PASSWORD=
MINIO_SERVER_URL="https://172.16.0.99:9000"
MINIO_ERASURE_SET_DRIVE_COUNT=16
MINIO_STORAGE_CLASS_STANDARD=EC:2
MINIO_BROWSER_REDIRECT_URL="https://172.16.0.99:9001"
```
haproxy config -
```
backend minio_back
    mode http
    balance leastconn
    server minio1 172.16.0.87:9000 ssl check verify none
    server minio2 172.16.0.89:9000 ssl check verify none
    server minio3 172.16.0.90:9000 ssl check verify none
    server minio4 172.16.0.88:9000 ssl check verify none

frontend web_console
    mode http
    bind *:9001 ssl crt /etc/haproxy/certs/hapxy.pem
    default_backend minio_console

backend minio_console
    mode http
    balance leastconn
    server minio1 172.16.0.87:9001 ssl check verify none
    server minio2 172.16.0.89:9001 ssl check verify none
    server minio3 172.16.0.90:9001 ssl check verify none
    server minio4 172.16.0.88:9001 ssl check verify none
```

```
opsg@minio4:~$ /usr/local/bin/minio -v
minio version RELEASE.2024-04-18T19-09-19Z (commit-id=98f7821eb3f60a6ece3125348a121a1238d02159)
Runtime: go1.21.9 linux/amd64
License: GNU AGPLv3 https://www.gnu.org/licenses/agpl-3.0.html
Copyright: 2015-2024 MinIO, Inc.
```
- 9000 - port for api
- 9001 - port for console
Can anyone help to fix the invalid login issue?
Please trust your TLS for MinIO server URL in trusted CAs folder.
`.minio/certs/CAs`
@harshavardhana - all the certs are already trusted and available in the path
```
opsg@minio1:~$ ll /home/minio-user/.minio/certs/CAs/
-rw------- 1 minio-user minio-user 241 Apr 27 07:26 private.key
-rw-r--r-- 1 minio-user minio-user 782 Apr 27 07:26 public.crt
```
There must be no private.key in the CAs folder.
@harshavardhana - I have removed the private key, but I am afraid to say the issue is still the same. These keys were generated using certgen from https://github.com/minio/certgen.
@raulkmbl the issue is related to TLS, i.e. your TLS cert must match the SERVER_URL. Are you saying that the IP that you added in the SERVER_URL is part of the certs?
Correct @harshavardhana. I did `certgen -host <ip>,<hostname>` and generated these certs.