minio / minio

The Object Store for AI Data Infrastructure

Home Page: https://min.io/download

invalid login to minio console behind haproxy

raulkmbl opened this issue · comments

Seeing error:

[image: error]

minio config file details -

```
MINIO_VOLUMES="https://minio{1...4}:9000/mnt/disk{1...4}/minio"

MINIO_OPTS="--console-address :9001"
MINIO_ROOT_USER=
MINIO_ROOT_PASSWORD=
MINIO_SERVER_URL="https://172.16.0.99:9000"
MINIO_ERASURE_SET_DRIVE_COUNT=16
MINIO_STORAGE_CLASS_STANDARD=EC:2
MINIO_BROWSER_REDIRECT_URL="https://172.16.0.99:9001"
```

haproxy config -

```
backend minio_back
    mode http
    balance leastconn
    server minio1 172.16.0.87:9000 ssl check verify none
    server minio2 172.16.0.89:9000 ssl check verify none
    server minio3 172.16.0.90:9000 ssl check verify none
    server minio4 172.16.0.88:9000 ssl check verify none

frontend web_console
    mode http
    bind *:9001 ssl crt /etc/haproxy/certs/hapxy.pem
    default_backend minio_console

backend minio_console
    mode http
    balance leastconn
    server minio1 172.16.0.87:9001 ssl check verify none
    server minio2 172.16.0.89:9001 ssl check verify none
    server minio3 172.16.0.90:9001 ssl check verify none
    server minio4 172.16.0.88:9001 ssl check verify none
```

```
opsg@minio4:~$ /usr/local/bin/minio -v
minio version RELEASE.2024-04-18T19-09-19Z (commit-id=98f7821eb3f60a6ece3125348a121a1238d02159)
Runtime: go1.21.9 linux/amd64
License: GNU AGPLv3 https://www.gnu.org/licenses/agpl-3.0.html
Copyright: 2015-2024 MinIO, Inc.
```

  1. 9000 - port for api
  2. 9001 - port for console

Can anyone help to fix the invalid login issue?

Please trust your TLS for MinIO server URL in trusted CAs folder.

`.minio/certs/CAs`

@harshavardhana - all the certs are already trusted and available in the path

```
opsg@minio1:~$ ll /home/minio-user/.minio/certs/CAs/

-rw------- 1 minio-user minio-user 241 Apr 27 07:26 private.key
-rw-r--r-- 1 minio-user minio-user 782 Apr 27 07:26 public.crt
```

There must be no private.key in the CAs folder.

@harshavardhana - I have removed the private key, but I am afraid to say the issue is still the same. These keys were generated using certgen from https://github.com/minio/certgen.

@raulkmbl the issue is related to TLS, i.e. your TLS cert must match the SERVER_URL. Are you saying that the IP that you added in the SERVER_URL is part of the certs?

Correct, @harshavardhana. I did `certgen -host <ip>,<hostname>` and generated these certs.
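
The following is an added example, not part of the thread and not MinIO's own code: a Go check of whether a certificate's SANs cover the host in `MINIO_SERVER_URL`, which is the match asked about above. The SAN list (`172.16.0.87`, `minio1`) is constructed, since the thread does not show the actual `certgen -host` values, and `selfSigned` and `CoversServerURL` are hypothetical helper names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// selfSigned builds a throwaway certificate carrying the given IP and DNS SANs.
// Constructed test data; it stands in for a certgen-issued public.crt.
func selfSigned(ips []net.IP, names []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		IPAddresses: ips, DNSNames: names,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CoversServerURL returns nil only when a SAN on cert matches the host part of
// serverURL. Go TLS clients run this same check and ignore the Common Name.
func CoversServerURL(cert *x509.Certificate, serverURL string) error {
	u, err := url.Parse(serverURL)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(u.Hostname())
}

func main() {
	cert, err := selfSigned([]net.IP{net.ParseIP("172.16.0.87")}, []string{"minio1"})
	if err != nil {
		panic(err)
	}
	fmt.Println(CoversServerURL(cert, "https://172.16.0.99:9000")) // SERVER_URL host not in SANs
	fmt.Println(CoversServerURL(cert, "https://172.16.0.87:9000")) // node IP is in SANs
}
```

To check a real certificate, parse the PEM served at the `MINIO_SERVER_URL` address with `x509.ParseCertificate` and pass it to `CoversServerURL` in place of the constructed one.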