Using object storage as a backup target
balma01
Certified Trainer
Posts: 91
Liked: 5 times
Joined: Jan 01, 2006 1:01 am
Contact:

2 problems adding minio

Post by balma01 »

I'm trying minio for windows as object storage.
Started minio server using: minio server E:\minio\minio-storage\ --console-address :2222
I'm able to connect to the console using minioadmin and created a bucket
stopped minio server
Generated the certificate using certgen and placed in C:\Users\myuser\.minio\certs
started minio server using: minio server E:\minio\minio-storage\ --console-address :2222
if I try to connect to console using minioadmin I get {"code":401,"detailedMessage":"invalid Login","message":"invalid Login"
and if I try to add an S3 compatible repository, after have 'acceptd' to use untruysted certificate, I get :
failed to load Amazon S3 compatible configuration

any idea?

sfirmes
Veeam Software
Posts: 132
Liked: 79 times
Joined: Jul 24, 2018 8:38 pm
Full Name: Stephen Firmes
Contact:

Re: 2 problems adding minio

Post by sfirmes »

@balma01 I haven't seen this exact error before. MinIO has some great instructions here https://docs.min.io/docs/using-minio-with-veeam.html which may help you. Additionally, one of my colleagues @jorgedlcruz wrote a great blog which walks you through the steps to setup MinIO + Veeam https://jorgedelacruz.uk/2020/07/22/vee ... s-encrypt/.
Thanks,

Steve

balma01
Certified Trainer
Posts: 91
Liked: 5 times
Joined: Jan 01, 2006 1:01 am
Contact:

Re: 2 problems adding minio

Post by balma01 »

Hi and thanks.
I've readed the guides provided then I fregenerad my certificate using
Generated the certificate using certgen -ca -host "192.168.x.y"
placed public and private in C:\Users\myuser\.minio\certs
started minio server using: minio server E:\minio\minio-storage\ --console-address :2222
Now I'm able to connect to the minioconsole console using minioadmin
But if I try to add an S3 compatible repository, using https://192.168.x.y:9000
I get :
failed to load Amazon S3 compatible configuration
failed to estabilish connection to Amazon S3 compatible endpoint

balma01
Certified Trainer
Posts: 91
Liked: 5 times
Joined: Jan 01, 2006 1:01 am
Contact:

Re: 2 problems adding minio

Post by balma01 »

in the log Agent.PublicCloud.Satellite.1.log I see: WinHttpSendRequest: 12175: A security error occurred

soncscy
Veeam Legend
Posts: 632
Liked: 303 times
Joined: Aug 04, 2019 2:57 pm
Full Name: Harvey Carel
Contact:

Re: 2 problems adding minio

Post by soncscy »

12175 would be an SSL error: https://docs.microsoft.com/en-us/window ... r-messages

So something is still wrong with your cert. I've never tried Minio with a Windows server before, but are you sure it's in the right location for the certs? When you launch the Minio server, it's definitely loading over https, yes? And is the WebUI accessible?

Keep in mind if you're using older operating systems, they don't have support for modern SSL ciphers/protocols by default.

veremin
Product Manager
Posts: 19542
Liked: 2056 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: 2 problems adding minio

Post by veremin »

Agree with Harvey here, it seems like certificate-releated issue. You can verify this assumption by opening a support ticket and asking our engineers for additional assistance. Thanks!

balma01
Certified Trainer
Posts: 91
Liked: 5 times
Joined: Jan 01, 2006 1:01 am
Contact:

Re: 2 problems adding minio

Post by balma01 »

Hi,
it seems the KB https://www.veeam.com/kb3215
is releated to the same problem
I'll check it...
Thanks

veremin
Product Manager
Posts: 19542
Liked: 2056 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: 2 problems adding minio

Post by veremin »

The referenced article talks about validating certificate status by checking CA revocation list. This only applies to CA certificates. For self-signed certificates (that you are using) there is no such thing as revocation list: to revoke a self-signed certificate one just need to remove it from the whitelist of trusted certificates.

So while the resulting error is the same, the cases causing it seem to be different. That's why we recommend reaching our support team.

Thanks!

balma01
Certified Trainer
Posts: 91
Liked: 5 times
Joined: Jan 01, 2006 1:01 am
Contact:

Re: 2 problems adding minio

Post by balma01 » 1 person likes this post

Opened case 05034538.
Thanks

veremin
Product Manager
Posts: 19542
Liked: 2056 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: 2 problems adding minio

Post by veremin »

Thank you, now let's wait and see what support team say about the experienced issue.

init-s
Influencer
Posts: 11
Liked: 1 time
Joined: Dec 09, 2014 11:42 am
Full Name: Andrea Cerrito
Contact:

Re: 2 problems adding minio

Post by init-s »

Hello,

were you able to solve the problem?
Thank you

rennerstefan
Veeam Software
Posts: 427
Liked: 101 times
Joined: Jan 22, 2015 2:39 pm
Full Name: Stefan Renner
Location: Germany
Contact:

Re: 2 problems adding minio

Post by rennerstefan »

Hi Init-s,

can you please describe what issue you see in your environment?
As stated above most of them are certificate related.

Thanks
Veeam PMA

init-s
Influencer
Posts: 11
Liked: 1 time
Joined: Dec 09, 2014 11:42 am
Full Name: Andrea Cerrito
Contact:

Re: 2 problems adding minio

Post by init-s »

Hello,

the problem is the same - error 12175 adding a S3 repository on Minio.
Minio is using lets'encrypt certificate: if I publish minio through a reverse proxy (ie: haproxy, nginx) no problem.

Thank you

veremin
Product Manager
Posts: 19542
Liked: 2056 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: 2 problems adding minio

Post by veremin »

Any chance you have a ticket for this issue opened, so we can check how the investigation went? Thanks!

rennerstefan
Veeam Software
Posts: 427
Liked: 101 times
Joined: Jan 22, 2015 2:39 pm
Full Name: Stefan Renner
Location: Germany
Contact:

Re: 2 problems adding minio

Post by rennerstefan »

init-s wrote: May 04, 2022 11:04 am Minio is using lets'encrypt certificate: if I publish minio through a reverse proxy (ie: haproxy, nginx) no problem.
Just out of interest, did you try to use other certificates as described here: https://docs.min.io/docs/how-to-secure- ... h-tls.html
In all installations I did it worked well so a ticket on both ends, MiniO as well as Veeam would be needed if none of the certificate ways work for you.

Let us know.

Thanks
Veeam PMA

bc-109
Service Provider
Posts: 74
Liked: 8 times
Joined: Jun 06, 2019 2:10 pm
Full Name: Toussaint OTTAVI
Contact:

Re: 2 problems adding minio

Post by bc-109 »

Hi all,

I just got the same error 12175 when trying to add the Minio repository.

Full story :
- My Veeam server is 11.0.0.837
- I was previously using an old version of Minio (2020-09-26) installed as a docker container on a Synology NAS. The certificate was the default self-signed certificate of the NAS, and it worked perfectly.
- Yesterday, I made a fresh new install with the latest version of Minio (still as a docker container). This new version seems to change lots of things about certificates :
- Minio console refused login with my old certificate. I had to generare a new one including IP of the nas as "SAN" IP. I generated a new self-signed certificate with OpenSSL (see the exact command below). After doing that, I managed to login to the Minio admin console with that cert.
- In VBR, when trying to add Minio as "S3 compatible" repository, at the "Browse Bucket" step, I get the error :
Failed to load S3 configuration
HTTP Exception
WinHTTP SendRequest 12175 : a security error has occurred
Here's the exact command used to generate the certificate :

Code: Select all

export HOST="my-minio"
export IP="<IP of the Minio server"
openssl req -newkey rsa:4096 -nodes -keyout ${HOST}.key -x509 -days 3650 -out ${HOST}.crt -addext "subjectAltName = IP:${IP}" -subj "/C=US/ST=CA/L=Test/O=TEST/OU=TEST/CN=${HOST}/"
Moreover, I tried the workaround exposed here :
https://www.veeam.com/kb3215
but it had no effect.

Thank you in advance. Kind regards.

jorgedlcruz
Veeam Software
Posts: 721
Liked: 377 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz
Contact:

Re: 2 problems adding minio

Post by jorgedlcruz »

Hello,
Just as a quick test, would you mind testing the same but with a subjectaltname, meaning minio.yourdomain.com, and be sure that can be resolved internally by minio and Veeam. You can use dnsmasq on the minio environment, and the hosts file on Veeam, or better just to use a valid DNS server.

As far as I know, SSL certificates are not valid, or an internal IP is not valid for a SSL, so Veeam might fail reading that SSL with an IP as subjectAltName.

I can give it a try later on, but every time I have deployed minio, or many other services, using a valid FQDN, I am using jorgedelacruz.es which is a valid TLD, plus I use it internally, never had any problem.

Please give it a try.
Jorge de la Cruz
Senior Analyst, Product Management | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2021 / Nutanix Technology Champion 2018-2019 / InfluxAce

bc-109
Service Provider
Posts: 74
Liked: 8 times
Joined: Jun 06, 2019 2:10 pm
Full Name: Toussaint OTTAVI
Contact:

Re: 2 problems adding minio

Post by bc-109 »

Hi,

I tried creating a new certificate using instructions here :
https://docs.min.io/docs/how-to-secure- ... -tls.html

Here's the exact openssl.conf :

Code: Select all

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = FR
ST = CO
L = Ajaccio
O = MEDI
OU = MEDI
CN = minio-medi

[v3_req]
subjectAltName = @alt_names

[alt_names]
IP.1 = 127.0.0.1
IP.2 = <ip of the Docker host>
IP.3 = <IP of the docker container>
DNS.1 = minio-medi
and the exact command to create the certificate :

Code: Select all

openssl req -new -x509 -nodes -days 1825 -keyout private.key -out public.crt -config openssl.conf
The Minio server is on a different firewall zone, and has no connection to Internet. There's no direct DNS resolution between Minio server and VBR server. Then, I added the name of the minio-server ("minio-medi") to the hosts file on the VBR server.

-> This does not change anything. Still getting 12175 error...

jorgedlcruz
Veeam Software
Posts: 721
Liked: 377 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz
Contact:

Re: 2 problems adding minio

Post by jorgedlcruz »

Hello,
Would you mind opening Edge, or something better than IE, on the Veeam Server, and opening the https://minio-medi ? Don't you have any fully qualified domain to be like minio-medi.domain.com?

Well, open the site, and show us the SSL, how it can be seen on the browser, details, etc. We are close to fix this, I can feel it.
Jorge de la Cruz
Senior Analyst, Product Management | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2021 / Nutanix Technology Champion 2018-2019 / InfluxAce

bc-109
Service Provider
Posts: 74
Liked: 8 times
Joined: Jun 06, 2019 2:10 pm
Full Name: Toussaint OTTAVI
Contact:

Re: 2 problems adding minio

Post by bc-109 »

Ahem... Things are a little bit more complicated :
- The VBR server is on a site A
- The Minio server is on a site B
- There's a Veeam Proxy on site B, near the Minio server. VBR operations are configured to use that proxy.
- The VBR server currently has no direct access to the Minio server
- DNS resolution for the host name "minio-medi" works both on the VBR server and on the proxy (for single hostname, not fqdn)

Question :
In such a setup, with a proxy : What direct communication ports are needed between the VBR server and the Minio server ?

bc-109
Service Provider
Posts: 74
Liked: 8 times
Joined: Jun 06, 2019 2:10 pm
Full Name: Toussaint OTTAVI
Contact:

Re: 2 problems adding minio

Post by bc-109 »

I added direct full communication between the VBR server and the Minio server on the other site. This does not change anything.
Then, the problem may not be related to proxy.

jorgedlcruz
Veeam Software
Posts: 721
Liked: 377 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz
Contact:

Re: 2 problems adding minio

Post by jorgedlcruz »

Can you open a web browser in vbr and navigate to the https://name the same you use on the wizard?

Thanks
Jorge de la Cruz
Senior Analyst, Product Management | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2021 / Nutanix Technology Champion 2018-2019 / InfluxAce

bc-109
Service Provider
Posts: 74
Liked: 8 times
Joined: Jun 06, 2019 2:10 pm
Full Name: Toussaint OTTAVI
Contact:

Re: 2 problems adding minio

Post by bc-109 »

Yes, both https://name and https://name:9000 (the Minio service port) are working from the VBR server.
Firefox displays the usual "self-signed certificate" warning, and displays the login page correctly
The certificate info is exactly what I entered in the previous openssl.conf.

--
I'll try to generate a new cert with a FQDN...

bc-109
Service Provider
Posts: 74
Liked: 8 times
Joined: Jun 06, 2019 2:10 pm
Full Name: Toussaint OTTAVI
Contact:

Re: 2 problems adding minio

Post by bc-109 »

I generated a new cert with the previous command, but with a FQDN (minio.domain.local) instead of a single hostname.
Full DNS resolution works with that FQDN on VBR server.
In Firefox, https://minio.domain.local works (with the usual self-signed warning / override)

... but VBR still shows me the 12175 error when clicking on "Browse bucket" !

jorgedlcruz
Veeam Software
Posts: 721
Liked: 377 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz
Contact:

Re: 2 problems adding minio

Post by jorgedlcruz »

Alright, great steps and work so far. Mind to try with cyberduck on the vbr server to see if you can see the buckets, upload some files, etc?

Thanks!
Jorge de la Cruz
Senior Analyst, Product Management | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2021 / Nutanix Technology Champion 2018-2019 / InfluxAce

bc-109
Service Provider
Posts: 74
Liked: 8 times
Joined: Jun 06, 2019 2:10 pm
Full Name: Toussaint OTTAVI
Contact:

Re: 2 problems adding minio

Post by bc-109 » 1 person likes this post

I did not know Cyberduck. I'll have a try.

Moreover, I checked my Minio version : Latest Version: minio/minio:RELEASE.2022-06-02T02-11-04Z

-> It seems to be a nightly. Not sure it's a stable release version !

bc-109
Service Provider
Posts: 74
Liked: 8 times
Joined: Jun 06, 2019 2:10 pm
Full Name: Toussaint OTTAVI
Contact:

Re: 2 problems adding minio

Post by bc-109 »

Hi,

Does anybody have news about that problem ?

Connecting to Minio S3 from Cyberduck works (after the usual warning about self-signed certificate).
Trying to add a repo in VBR still fails :
- The login step is OK
- When clicking on "Bucket / Browse", it fails with 12175 error code

Kind regards,

bc-109
Service Provider
Posts: 74
Liked: 8 times
Joined: Jun 06, 2019 2:10 pm
Full Name: Toussaint OTTAVI
Contact:

Re: 2 problems adding minio

Post by bc-109 »

I also found that :
object-storage-f52/unofficial-compatibi ... 56976.html

It's about default TLS version on old Windows 2012 R2. My VBR is 2019, but indeed the Veeam Proxy is 2012 R2. I tried to add the registry key to force TLS1.2 by default, but it does not change anything.

In what log file can I find information about SSL/TLS exchanges between VBR and Minio ?

Kind regards

veremin
Product Manager
Posts: 19542
Liked: 2056 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: 2 problems adding minio

Post by veremin »

I think at this stage we'd better proceed with support ticket. It still looks like an issue with two different sites and verification of self-signed certificate that travelling between those locations, but upport engineer will be able to spot the exact problem in the provided debug logs.

Thanks!

bc-109
Service Provider
Posts: 74
Liked: 8 times
Joined: Jun 06, 2019 2:10 pm
Full Name: Toussaint OTTAVI
Contact:

Re: 2 problems adding minio

Post by bc-109 »

Hi,

Thank you for your answers. I am sorry, but opening a support case is not an option for me at this time. It's far too much time-consuming. I've currently been talking with level-1 support for three days about another critical problem that :
- needs 3 minutes to be solved
- would break one of our production servers in a few days
It's still not solved, and I'm still writing prose to people who clearly does not seem to understand where the problem is.

This forum is valuable, but level-1 support (and particularly licensing support) can really be wearying :(

Kind regards

Post Reply

Who is online

Users browsing this forum: No registered users and 12 guests