Configure TLS Network Encryption

This procedure explains how to specify the TLS certificates your AIStor deployment requires and how to configure the deployment to use them. See also Enable Network Encryption for an explanation of AIStor's TLS requirements and the cipher suites AIStor supports.

Prerequisites

  • The appropriate X.509 certificates for your environment.

  • Read and write permissions to the appropriate directories for the user to add certificates.

Procedure

  1. Create the certificates and Certificate Authorities (CAs) your environment requires.

  2. Create the appropriate directories for your certificates and CAs.

    # example certificates path
    /opt/minio/certs
    
    # example CAs path
    /opt/minio/certs/CAs
    
  3. Set the ownership of these directories to minio-user:

    sudo chown -R minio-user:minio-user /opt/minio/certs
    
  4. Add the default certificates to the /certs directory. At least one private.key and public.crt must be placed at the root of the certs directory, to provide the default certificate.

    /certs
      private.key
      public.crt
    
  5. (Optional) Add more certificates per domain as your environment requires.

    For each additional certificate, create a subdirectory under /certs and place there the certificate that covers the hostname(s) listed in its DNS or IP Subject Alternative Name (SAN) entries. AIStor ignores the subdirectory name when selecting a certificate; it matches the hostname the client sends in the TLS Server Name Indication (SNI) extension against each certificate's SAN list. See Multiple TLS Certificates.

    AIStor uses the certificate at the root level (/certs/private.key and /certs/public.crt) as the default certificate. AIStor returns this certificate when the hostname specified by the client does not match any other configured certificates.

    The following directory structure example supports multiple TLS certificates, with a distinct default certificate at the root and hostname-specific certificates in subdirectories.

    /certs
      private.key
      public.crt # default certificate for public clients (SANs: *.example.com, example.com)
      /internode # use descriptive subdirectory names; AIStor relies on the SAN list for selection
        private.key
        public.crt # internal certificate for internode traffic (SANs: node1.internal.com, node2.internal.com, or *.cluster.local)
      /s3.example.net
        private.key
        public.crt # optional additional public certificate for different domain (SANs: *.s3.example.net)
    
    Certificate Placement and Security

    Place your public-facing certificate (for S3 clients) at the top level to prevent exposing internal certificate details. Putting certificates that expose internal hostnames in the default root certificate directory allows any requesting client to view those hostnames.

  6. (Optional) Add CAs for trusting remote hosts. Place the CA files in the /certs/CAs directory. See Certificate Authorities.

  7. Modify the environment file at /etc/default/minio. Open the file and modify the MINIO_OPTS and MINIO_VOLUMES values as follows:

    • MINIO_OPTS - add the --certs-dir parameter pointing at the directory you created for storing certificates.

    • MINIO_VOLUMES - change the http:// protocol to https://.

    MINIO_OPTS="--certs-dir /opt/minio/certs"
    
    # specify https for all nodes
    MINIO_VOLUMES="https://..."
    
  8. Restart AIStor and monitor the server logs to make sure that all nodes restart and resume operations. You must update your clients to connect to AIStor with the TLS protocol.

    # ALIAS is the mc alias configured for this deployment
    mc admin service restart ALIAS
    
    # update the alias with the new https:// URL
    mc alias set ALIAS https://minio.example.net:9000 USERNAME PASSWORD
    
    mc admin info ALIAS --debug
    
    The --debug output should show a successful TLS handshake between the client and AIStor server.
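The following preflight script is an added example, not code from the AIStor documentation or project. It checks the two things the procedure above asks you to get right before restarting: the --certs-dir layout from steps 2 to 5 (a complete private.key/public.crt pair at the root and in every hostname subdirectory, with CAs left alone) and the MINIO_OPTS/MINIO_VOLUMES settings from step 7. The layout and environment file it builds in demo() are constructed placeholders with two deliberate mistakes; the checker functions can be pointed at a real /opt/minio/certs and /etc/default/minio.

```python
"""Preflight check of an AIStor TLS setup before restarting the service.

Added example; this is not code from the AIStor documentation or project. It
checks the --certs-dir layout and the /etc/default/minio settings described in
the procedure above. The demo layout and env file it builds are constructed
placeholders, not real keys or certificates.
"""
import os
import re
import tempfile

PAIR = ("private.key", "public.crt")


def check_certs_dir(certs_dir: str) -> list[str]:
    """Return the problems found in a --certs-dir layout (empty list means OK)."""
    problems = []
    if not os.path.isdir(certs_dir):
        return [f"{certs_dir}: not a directory"]

    # The root must hold the default pair, served when no other certificate matches.
    for name in PAIR:
        path = os.path.join(certs_dir, name)
        if not os.path.isfile(path):
            problems.append(f"missing default {name} in {certs_dir}")
        elif os.path.getsize(path) == 0:
            problems.append(f"empty default {name} in {certs_dir}")

    # Every other subdirectory (CAs excepted) holds a per-hostname certificate
    # and needs both halves of the pair.
    for entry in sorted(os.listdir(certs_dir)):
        sub = os.path.join(certs_dir, entry)
        if entry == "CAs" or not os.path.isdir(sub):
            continue
        present = [n for n in PAIR if os.path.isfile(os.path.join(sub, n))]
        if len(present) != len(PAIR):
            problems.append(f"{sub}: incomplete pair, found only {present}")
    return problems


def check_env_file(env_path: str, certs_dir: str) -> list[str]:
    """Check KEY="value" lines in a /etc/default/minio-style file for the TLS settings."""
    values = {}
    with open(env_path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = re.match(r"^(MINIO_[A-Z_]+)=(.*)$", line)
            if m:
                values[m.group(1)] = m.group(2).strip().strip("\"'")

    problems = []
    opts = values.get("MINIO_OPTS", "")
    m = re.search(r"--certs-dir[= ]+(\S+)", opts)
    if not m:
        problems.append("MINIO_OPTS does not set --certs-dir")
    elif os.path.abspath(m.group(1)) != os.path.abspath(certs_dir):
        problems.append(f"--certs-dir points at {m.group(1)}, expected {certs_dir}")

    volumes = values.get("MINIO_VOLUMES", "")
    if not volumes:
        problems.append("MINIO_VOLUMES is not set")
    elif "http://" in volumes:
        problems.append("MINIO_VOLUMES still uses http://; every node must use https://")
    elif "https://" not in volumes:
        problems.append("MINIO_VOLUMES has no https:// scheme")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed layout with two deliberate mistakes and check it."""
    with tempfile.TemporaryDirectory() as root:
        certs = os.path.join(root, "certs")
        for d in ("CAs", "internode", "s3.example.net"):
            os.makedirs(os.path.join(certs, d))
        for d in (certs, os.path.join(certs, "internode")):
            for name in PAIR:
                with open(os.path.join(d, name), "w") as fh:
                    fh.write("-----PLACEHOLDER PEM-----\n")  # constructed stand-in
        # Mistake 1: a hostname directory with only the public half of the pair.
        with open(os.path.join(certs, "s3.example.net", "public.crt"), "w") as fh:
            fh.write("-----PLACEHOLDER PEM-----\n")
        # Mistake 2: MINIO_VOLUMES still uses http://.
        env = os.path.join(root, "minio")
        with open(env, "w") as fh:
            fh.write(f'MINIO_OPTS="--certs-dir {certs}"\n')
            fh.write('MINIO_VOLUMES="http://node{1...4}.example.net:9000/mnt/disk{1...4}"\n')
        return check_certs_dir(certs), check_env_file(env, certs)


if __name__ == "__main__":
    for report in demo():
        for problem in report:
            print("PROBLEM:", problem)
```

Run it as root or as minio-user so that the readability checks reflect the service account's view of the files; an empty problem list from both checkers means the restart in step 8 will at least find a complete layout and an https:// volume specification.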

Troubleshooting

If clients receive the wrong certificate or TLS handshakes fail:

  • Verify the certificate’s Subject Alternative Names (SANs) match the hostname clients are using.
  • Check that certificates are readable by the minio-user.
  • Do not rename directories, as directory names do not affect which certificate AIStor returns.
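To make the selection rule from step 5 and the troubleshooting items above concrete, here is an added model of SNI-based certificate selection. It is not AIStor's own code; it reproduces only the behaviour the page documents (match the client's SNI hostname against each certificate's SAN list, ignore directory names, fall back to the root certificate), with a constructed inventory that mirrors the directory layout in step 5. The wildcard rule (one leftmost label) and the handling of IP literals (no SNI is sent for them, per RFC 6066) go slightly beyond the page and are stated as general TLS facts, not as AIStor specifics.

```python
"""Model of the SNI-based certificate selection described in step 5.

Added example, not AIStor's own code: it reproduces the documented rule
(match the client's SNI hostname against each certificate's SAN list,
ignore directory names, fall back to the root certificate) so that the
troubleshooting items above can be reasoned about offline. The certificate
inventory is constructed to mirror the directory layout shown in step 5.
"""
import ipaddress
from typing import Optional

# Constructed inventory: directory -> SAN list. The directory name is kept
# only for reporting; selection never looks at it.
CERTS = {
    "/certs": ["*.example.com", "example.com"],
    "/certs/internode": ["node1.internal.com", "node2.internal.com", "*.cluster.local"],
    "/certs/s3.example.net": ["*.s3.example.net"],
}
DEFAULT = "/certs"  # the root pair is the fallback certificate


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style DNS match: case-insensitive, wildcard covers one leftmost label."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                      # "*.example.com" -> ".example.com"
        prefix = hostname[: -len(suffix)]
        # matches api.example.com; not example.com, not a.b.example.com
        return hostname.endswith(suffix) and prefix != "" and "." not in prefix
    return san == hostname


def is_ip_literal(value: str) -> bool:
    """True for IPv4/IPv6 literals (bracketed IPv6 included)."""
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False


def matching_sans(hostname: str, certs=CERTS) -> list[tuple[str, str]]:
    """All (directory, SAN) pairs whose SAN covers the hostname: the check behind
    the first troubleshooting item."""
    return [(d, san) for d, sans in certs.items() for san in sans
            if san_matches(san, hostname)]


def select_certificate(sni: Optional[str], certs=CERTS, default=DEFAULT) -> str:
    """Directory whose certificate would be served for this SNI value.

    No SNI, or an IP literal, gets the default: RFC 6066 does not allow IP
    addresses in the SNI extension, so clients connecting by IP send none and
    there is nothing to match against the SAN lists.
    """
    if not sni or is_ip_literal(sni):
        return default
    for directory, sans in certs.items():
        if directory != default and any(san_matches(s, sni) for s in sans):
            return directory
    return default


def internal_names_in_default(certs=CERTS, default=DEFAULT,
                              internal=(".internal.com", ".cluster.local")) -> list[str]:
    """SANs of the fallback certificate that name internal hosts. Any client that
    sends an unknown or missing SNI receives this certificate and can read them,
    which is the exposure the placement note in step 5 warns about."""
    return [san for san in certs.get(default, []) if san.lower().endswith(internal)]


if __name__ == "__main__":
    for name in ("node2.internal.com", "bucket.s3.example.net", "api.example.com",
                 "deep.bucket.s3.example.net", "10.0.0.5", None):
        print(f"{name!s:30} -> {select_certificate(name)}")
    print("internal SANs exposed by default cert:", internal_names_in_default())
```

The two cases worth noticing are the ones that surprise people in production: a host two labels below a wildcard (deep.bucket.s3.example.net) falls through to the default certificate because a wildcard covers only one label, and any client that connects by IP address gets the default certificate regardless of which directory you expected to serve it. If internal_names_in_default() returns anything for your inventory, the internode certificate has ended up at the root and should be swapped with the public-facing one.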