[bitnami/minio] Unable to bypass TLS certificate verification in MINIO #32221

Open
ChinthapalliNikhithaChandana opened this issue Feb 28, 2025 · 3 comments
@ChinthapalliNikhithaChandana

Name and Version

bitnami/minio

What architecture are you using?

None

What steps will reproduce the bug?

  1. Deploy MinIO using the Bitnami Helm chart
  2. Used a reverse proxy using Traefik ingress
  3. Implemented OpenID using Authentik
  4. Turn off TLS verification

Are you using any custom parameters or values?

MinIO Helm chart configuration to implement OIDC:

extraEnvVars:
  - name: MINIO_LOG_LEVEL
    value: DEBUG
  - name: MINIO_IDENTITY_OPENID_CONFIG_URL
    value: "https://authentik.righive.local/application/o/minio/.well-known/openid-configuration"
  - name: MINIO_IDENTITY_OPENID_CLIENT_ID
    value: "xxx"
  - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
    value: "xxxxxxxx"
  - name: MINIO_IDENTITY_OPENID_REDIRECT_URI
    value: "https://minio-ui.righive.local/oauth_callback"
  - name: MINIO_IDENTITY_OPENID_SCOPES
    value: "openid,profile,email,minio"
  - name: MINIO_BROWSER_REDIRECT_URL
    value: "https://minio-ui.righive.local"
  - name: MINIO_SERVER_URL
    value: "https://minio.righive.local"
  - name: MINIO_IDENTITY_TLS_SKIP_VERIFY
    value: "on"
  - name: MINIO_IDENTITY_OPENID_DISPLAY_NAME
    value: "Authentik"
  - name: MINIO_TLS_SKIP_VERIFY
    value: "on"

What is the expected behavior?

Expecting a login screen with a button that allows SSO using Authentik

What do you see instead?

pod logs

 19:29:50.77 INFO  ==> 
 19:29:50.77 INFO  ==> Welcome to the Bitnami minio container
 19:29:50.77 INFO  ==> Subscribe to project updates by watching https://github.com/bitnami/containers
 19:29:50.77 INFO  ==> Did you know there are enterprise versions of the Bitnami catalog? For enhanced secure software supply chain features, unlimited pulls from Docker, LTS support, or application customization, see Bitnami Premium or Tanzu Application Catalog. See https://www.arrow.com/globalecs/na/vendors/bitnami/ for more information.
 19:29:50.77 INFO  ==> 
 19:29:50.77 INFO  ==> ** Starting MinIO setup **
minio 19:29:50.83 INFO  ==> Starting MinIO in background...
minio 19:29:55.84 INFO  ==> Adding local Minio host to 'mc' configuration...
minio 19:29:55.86 INFO  ==> Creating default buckets...
minio 19:29:55.94 INFO  ==> Bucket local/righive-demo already exists, skipping creation.
minio 19:29:56.04 INFO  ==> Stopping MinIO...
 19:29:56.23 INFO  ==> ** MinIO setup finished! **

minio 19:29:56.24 INFO  ==> ** Starting MinIO **

API: SYSTEM.iam
Time: 19:29:56 UTC 02/28/2025
DeploymentID: 8d8f9d00-b6d1-4acc-a907-2e62fe855290
Error: Unable to initialize OpenID: Get "https://authentik.righive.local/application/o/minio/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority (*fmt.wrapError)
       6: internal/logger/logger.go:268:logger.LogIf()
       5: cmd/logging.go:29:cmd.iamLogIf()
       4: cmd/iam.go:255:cmd.(*IAMSys).Init()
       3: cmd/server-main.go:984:cmd.serverMain.func14.1()
       2: cmd/server-main.go:563:cmd.bootstrapTrace()
       1: cmd/server-main.go:983:cmd.serverMain.func14()
MinIO Object Storage Server
Copyright: 2015-2025 MinIO, Inc.
License: GNU AGPLv3 - https://www.gnu.org/licenses/agpl-3.0.html
Version: DEVELOPMENT.2025-02-03T21-03-04Z (go1.23.5 linux/amd64)

API: https://minio.righive.local 
WebUI: https://minio-ui.righive.local 

Docs: https://docs.min.io
INFO: 
 You are running an older version of MinIO released 3 weeks before the latest release 
 Update: Run `mc admin update ALIAS` 


Additional information

No response

@ChinthapalliNikhithaChandana ChinthapalliNikhithaChandana added the tech-issues The user has a technical issue about an application label Feb 28, 2025
@github-actions github-actions bot added the triage Triage is needed label Feb 28, 2025
@javsalgar javsalgar changed the title Unable to bypass TLS certificate verification in MINIO [bitnami/minio] Unable to bypass TLS certificate verification in MINIO Mar 3, 2025
@javsalgar javsalgar added the minio label Mar 3, 2025
@javsalgar
Contributor

Hi,

It seems to me that this issue is not related to the Bitnami packaging of MinIO but to MinIO itself. My advice would be to check with the upstream MinIO devs to see how this can be achieved.

@ChinthapalliNikhithaChandana
Author

ChinthapalliNikhithaChandana commented Mar 3, 2025

Hey @javsalgar, thank you for your quick response. I have one more question.
If I want to use my own self-signed certificate which does not have a CA certificate, is it possible? Because I see that whenever I configure it to use my certificate, it complains that ca.crt is not provided.

@javsalgar
Contributor

Hi,

In principle, what we set is this variable

            - name: MINIO_CERTS_DIR
              value: {{ .Values.tls.mountPath | quote }}
   

So we are not forcing the use of a CA in the chart, so it seems to be something that must be configured on the MinIO side.
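
The error in the pod log above is Go's standard certificate-verification failure, raised when the server certificate does not chain to a root the client trusts. As an added example (not part of the thread and not MinIO or Bitnami code), this Go program reproduces that failure against a local test server and shows that it clears once the issuing certificate is added to the client's trust pool, with verification left enabled; `newIdP`, `fetch` and the discovery document are constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// discoveryDoc is a constructed, minimal stand-in for an OIDC discovery response.
const discoveryDoc = `{"issuer":"https://idp.example.test/application/o/minio/"}`

// newIdP starts a local HTTPS server whose certificate is in no system trust
// store, standing in for an IdP behind a private or self-signed CA.
func newIdP() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, discoveryDoc)
	}))
}

// fetch GETs url with certificate verification enabled. When trusted is nil
// the system roots are used; otherwise only that certificate is trusted.
func fetch(url string, trusted *x509.Certificate) (string, error) {
	cfg := &tls.Config{}
	if trusted != nil {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AddCert(trusted)
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	idp := newIdP()
	defer idp.Close()
	_, err := fetch(idp.URL, nil) // fails: issuer is not a trusted root
	fmt.Println("system roots:", err)
	body, err := fetch(idp.URL, idp.Certificate()) // succeeds: issuer trusted explicitly
	fmt.Println("trusted issuer:", body, err)
}
```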
