Problem with Minio SSL

Problem

Establishing an SSL/TLS connection between the Minio server and the CloudBerry Backup agent on a client machine (most probably Windows 7 or Windows Server 2008) fails with the error “Could not create SSL/TLS secure channel”.

Suggestions and Resolution

The problem is usually caused by a mismatch between the cipher suites on the Linux machine and those on the Windows client machine. The same cipher suite must be allowed and available on both sides (the server running Minio and the client machine); otherwise the TLS (SSL) channel will not be established.

There is one universal cipher suite that is supported by Windows 7/Server 2008 and newer editions as well: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. The idea is to generate a self-signed certificate using the Elliptic Curve Digital Signature Algorithm (ECDSA), because an ECDSA suite can only be negotiated when the server certificate holds an ECDSA key.

To generate a certificate using ECDSA, follow these steps (in this example Minio is installed on CentOS 7):

1. Go to ${HOME}/.minio/certs

2. Generate private key

openssl ecparam -genkey -name prime256v1 | openssl ec -out private.key

3. Create a file named openssl.conf and paste in the text below. Fill in the necessary information such as country, location and organization. At the end, set IP.2 to the address of the server running Minio.

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = VA
L = Somewhere
O = MyOrg
OU = MyOU
CN = MyServerName

[v3_req]
subjectAltName = @alt_names

[alt_names]
IP.1 = 127.0.0.1
IP.2 = 192.168.2.38

4. Generate self-signed certificate

openssl req -new -x509 -days 3650 -key private.key -out public.crt -config openssl.conf

5. Restart Minio server
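A check for the files produced in steps 2 to 4, added here as an example and not part of the original article: it confirms that public.crt carries an EC key on prime256v1, that the server address is listed in subjectAltName, and that private.key belongs to the certificate. The function names make_sample_pair and check_minio_cert are hypothetical, and the sample pair is constructed in a temporary directory with a shortened copy of the configuration above.

```shell
#!/bin/sh
# make_sample_pair DIR: repeats steps 2-4 in DIR (constructed sample values).
make_sample_pair() {
    mkdir -p "$1" && cat > "$1/openssl.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = MyServerName
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
IP.2 = 192.168.2.38
EOF
    # -noout drops the EC PARAMETERS block so only the key reaches "openssl ec".
    openssl ecparam -genkey -name prime256v1 -noout |
        openssl ec -out "$1/private.key" 2>/dev/null &&
    openssl req -new -x509 -days 3650 -key "$1/private.key" \
        -out "$1/public.crt" -config "$1/openssl.conf"
}

# check_minio_cert DIR IP: prints "ok" and returns 0, or returns 1-5.
check_minio_cert() {
    crt="$1/public.crt"; key="$1/private.key"
    [ -r "$crt" ] && [ -r "$key" ] || { echo "missing key or certificate"; return 1; }
    text=$(openssl x509 -in "$crt" -noout -text) || return 1
    # An ECDHE_ECDSA suite can only be negotiated with an EC certificate key.
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: id-ecPublicKey' ||
        { echo "certificate key is not EC"; return 2; }
    printf '%s\n' "$text" | grep -q 'ASN1 OID: prime256v1' ||
        { echo "curve is not prime256v1"; return 3; }
    # Exact match per SAN entry, so 192.168.2.3 does not pass for 192.168.2.38.
    printf '%s\n' "$text" | tr ',' '\n' | sed 's/^ *//' | grep -Fxq "IP Address:$2" ||
        { echo "$2 is not in subjectAltName"; return 4; }
    # The public key derived from private.key must equal the one in public.crt.
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo "private.key does not match public.crt"; return 5; }
    echo "ok"
}

# Demo on a constructed pair; on a real server pass ${HOME}/.minio/certs instead.
tmp=$(mktemp -d)
make_sample_pair "$tmp/certs" && check_minio_cert "$tmp/certs" 192.168.2.38
rm -rf "$tmp"
```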

The certificate is now generated, but it is untrusted. You can just click Allow and it will continue working.

To enable trust, you need to import this certificate into the Trusted Root Certification Authorities store.

Detailed information, such as additional protection of the private key with a password, can be found in the official Minio documentation.