Configure TLS Network Encryption
This procedure explains how to specify the TLS certificates your AIStor deployment requires and how to configure the deployment to use them. See also Enable Network Encryption for an explanation of why AIStor requires TLS and which cipher suites it supports.
Prerequisites
- The appropriate X.509 certificates for your environment.
- Read and write permissions on the certificate directories for the user who adds the certificates.
Procedure
- Create the certificates and Certificate Authorities (CAs) your environment requires.
- Create the appropriate directories for your certificates and CAs:
  ```sh
  # example certificates path: /opt/minio/certs
  # example CAs path:          /opt/minio/certs/CAs
  sudo mkdir -p /opt/minio/certs/CAs
  ```
- Set the ownership of these directories to `minio-user`:
  ```sh
  sudo chown -R minio-user:minio-user /opt/minio/certs
  ```
- Add the default certificate to the `certs` directory. At least one `private.key` and `public.crt` pair must be placed at the root of the `certs` directory to provide the default certificate:
  ```
  /certs
    private.key
    public.crt
  ```
- (Optional) Add more certificates per domain as your environment requires. Create a sub-directory in the `certs` directory for each hostname, or for each group of hostnames that a single certificate covers through its DNS or IP SAN list. The files in every sub-directory must also be named `private.key` and `public.crt`. See Multiple TLS Certificates.
  ```
  /certs
    private.key
    public.crt            # default certificate
    /object-store.example.net
      private.key
      public.crt          # wildcard certificate for *.object-store.example.net
    /s3.example.net
      private.key
      public.crt          # wildcard certificate for *.s3.example.net
  ```
- (Optional) Add CAs for trusting remote hosts. Place the CA files in the `certs/CAs` directory. See Certificate Authorities.
- Modify the environment file at `/etc/default/minio`. Open the file and modify the `MINIO_OPTS` and `MINIO_VOLUMES` values as follows:
  - `MINIO_OPTS`: add the `--certs-dir` parameter pointing at the directory you created for storing certificates.
  - `MINIO_VOLUMES`: change the `http://` protocol to `https://`.
  ```sh
  MINIO_OPTS="--certs-dir /opt/minio/certs"
  # specify https for all nodes
  MINIO_VOLUMES="https://..."
  ```
- Restart AIStor and monitor the server logs to make sure that all nodes restart and resume operations. You must also update your clients to connect to AIStor over TLS:
  ```sh
  mc admin service restart ALIAS
  # update the alias with the new https:// endpoint
  mc alias set ALIAS https://minio.example.net:9000 USERNAME PASSWORD
  mc admin info --debug ALIAS
  ```
  The `--debug` output should show a successful TLS handshake between the client and the AIStor server.
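A pre-flight check for the steps above, as an added example (shell; it is not code from the original page or from the AIStor/MinIO project). It assumes the layout this procedure describes: `private.key` and `public.crt` at the root of the certs directory, one sub-directory per hostname with the same two file names, a `CAs` sub-directory, and an environment file with `MINIO_OPTS` and `MINIO_VOLUMES`. It uses GNU `stat -c %a` with a BSD `stat -f %Lp` fallback to read file modes; `make_sample_tree` builds a constructed tree of empty files so the checks can be run offline. Two mistakes that the procedure does not surface are caught explicitly: a certificate saved as `public.cert`, which AIStor does not load, and a private key readable by users other than `minio-user`.

```sh
#!/bin/sh
# Pre-flight check for an AIStor TLS certificate directory and environment file.
# Added example, not part of the original page or the AIStor/MinIO project.

# check_cert_pair DIR: DIR holds private.key and public.crt, no misnamed
# public.cert, and the key is readable by its owner only (mode 600 or 400).
check_cert_pair() {
  dir=$1
  [ -f "$dir/private.key" ] || { echo "missing $dir/private.key"; return 1; }
  [ -f "$dir/public.crt" ]  || { echo "missing $dir/public.crt"; return 1; }
  # The server looks for public.crt; a file called public.cert is never loaded.
  [ -e "$dir/public.cert" ] && { echo "$dir/public.cert is ignored; rename it to public.crt"; return 1; }
  mode=$(stat -c %a "$dir/private.key" 2>/dev/null || stat -f %Lp "$dir/private.key")
  case "$mode" in
    600|400) ;;
    *) echo "$dir/private.key mode $mode is too permissive (want 600)"; return 1 ;;
  esac
  return 0
}

# check_certs_dir CERTS_DIR: the default pair at the root plus every
# per-hostname sub-directory; the CAs sub-directory holds no key pair and is skipped.
check_certs_dir() {
  certs=$1
  check_cert_pair "$certs" || return 1
  for d in "$certs"/*/; do
    d=${d%/}
    [ -d "$d" ] || continue
    [ "$(basename "$d")" = "CAs" ] && continue
    check_cert_pair "$d" || return 1
  done
  return 0
}

# check_env_file FILE: MINIO_OPTS carries --certs-dir and MINIO_VOLUMES
# uses https:// with no remaining http:// endpoint.
check_env_file() {
  f=$1
  grep -q '^MINIO_OPTS=.*--certs-dir' "$f" || { echo "MINIO_OPTS lacks --certs-dir"; return 1; }
  if grep '^MINIO_VOLUMES=' "$f" | grep -q 'http://'; then
    echo "MINIO_VOLUMES still uses http://"; return 1
  fi
  grep -q '^MINIO_VOLUMES=.*https://' "$f" || { echo "MINIO_VOLUMES has no https:// volume"; return 1; }
  return 0
}

# make_sample_tree: constructed sample layout (empty placeholder files, not real
# keys) in a temporary directory; prints the directory so callers can check it.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/certs/CAs" "$root/certs/object-store.example.net"
  : > "$root/certs/private.key"
  : > "$root/certs/public.crt"
  : > "$root/certs/object-store.example.net/private.key"
  : > "$root/certs/object-store.example.net/public.crt"
  chmod 600 "$root/certs/private.key" "$root/certs/object-store.example.net/private.key"
  printf 'MINIO_OPTS="--certs-dir %s/certs"\nMINIO_VOLUMES="https://minio{1...4}.example.net:9000/mnt/disk{1...4}/minio"\n' \
    "$root" > "$root/minio.env"
  echo "$root"
}

# Usage against a real deployment (assumed paths from the procedure above):
#   check_certs_dir /opt/minio/certs && check_env_file /etc/default/minio && echo "ready to restart"
```

Run the two checks on each node before `mc admin service restart`: a sub-directory with only one of the two files, or a key that other users can read, is found here rather than in the server log after the restart.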