
This is my docker-compose.yml:

version: '3.7'

services:
  minio:
    image: minio/minio
    # -C points MinIO's config dir at /etc/minio (bind-mounted below).
    command: server -C /etc/minio --address ":9000" --console-address ":9001" /data
    # NOTE(review): both the S3 API (9000) and the console (9001) are published on
    # every host interface, in plain HTTP until TLS is actually working.
    ports:
      - "9000:9000"
      - "9001:9001"
    environment:
      # NOTE(review): minioadmin/minioadmin are the well-known defaults; anyone who
      # can reach 9000 or 9001 can log in with them. Change before exposing.
      MINIO_ROOT_USER: minioadmin
      MINIO_ROOT_PASSWORD: minioadmin
    volumes:
      - minio:/data
      # NOTE(review): /etc/minio holds public.crt/private.key directly, but MinIO
      # presumably looks for them in a certs/ subdirectory (~/.minio/certs or
      # <config-dir>/certs) — TODO confirm against the MinIO version in use.
      # NOTE(review): those two files are symlinks into /etc/letsencrypt (see the
      # ls -l output below). A bind mount copies only the link, not its target, so
      # inside the container the links dangle — a likely cause of the HTTPS failure.
      - /etc/minio:/root/.minio/
      - /etc/minio:/etc/minio/

volumes:
  minio:

ls -l /etc/minio/:

drwx------ 2 root root 4096 May 20 11:43 CAs
lrwxrwxrwx 1 root root   59 May 20 11:45 private.key -> /etc/letsencrypt/live/mydomain.com/privkey.pem
lrwxrwxrwx 1 root root   61 May 20 11:44 public.crt -> /etc/letsencrypt/live/mydomain.com/fullchain.pem

Accessing MinIO via HTTP works, but HTTPS does not, and I have no clue what is wrong. Sadly the logs don't show anything useful and the docs are not helping either.




The symlinks private.key and public.crt can't be resolved because their targets under /etc/letsencrypt/live/mydomain.com/ don't exist inside the container: a bind mount of /etc/minio copies only the symlink entries, not the files they point to, so from MinIO's point of view the certificate files are dangling links.

The easiest way would be to mount /etc/letsencrypt inside the container as well, read-only (e.g. `- /etc/letsencrypt:/etc/letsencrypt:ro`). Mount the whole tree, not just live/: the entries in live/ are themselves symlinks into archive/, so both directories must be visible at the same paths in the container.

Keep in mind that you need to restart the container (or at least reload the minio process inside the container) after every certificate renewal.


Looking at the error, I agree it is probably because MinIO cannot read the certificates; however, I believe it is a permission issue rather than a wrong-path issue. I would check ownership and mode (`chown`/`chmod`) of the directory and the key file for the user the MinIO process runs as — without making the private key world-readable.


Once you have a certificate and key (I used Tailscale, so I ran `tailscale cert`), they need to be present inside the MinIO container under ~/.minio/certs — which will normally be /root/.minio/certs — and named exactly public.crt and private.key. For me, using Docker Compose, I had to add the following line to my volumes list:

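# MinIO reads its TLS material from ~/.minio/certs; the files must be named
# exactly public.crt and private.key. Mounted read-only: the container only
# needs to read the key and certificate, never write them.
- ~/docker/minio/certs:/root/.minio/certs:ro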

docker_compose.yml


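networks:
  app-tier:
    driver: bridge

services:
  minio:
    # Unpinned tag: pin to a specific release for reproducible deployments.
    image: minio/minio
    # nginx reaches minio over app-tier by service name, so these ports do not
    # need to be published at all. Publishing them on 0.0.0.0 (as before) puts
    # plain-HTTP API/console next to the TLS endpoints below. Bound to loopback
    # here so only local clients on the host can bypass nginx.
    ports:
      - "127.0.0.1:9000:9000"
      - "127.0.0.1:9001:9001"
    networks:
      - app-tier
    volumes:
      # Object data lives in this bind mount; the previously declared but unused
      # top-level `minio_storage` named volume has been dropped.
      - /data/minio:/data
    environment:
      # Supplied from the environment / .env file; compose aborts with the given
      # message if unset, instead of falling back to the well-known
      # minioadmin/minioadmin defaults.
      MINIO_ROOT_USER: "${MINIO_ROOT_USER:?set MINIO_ROOT_USER in .env}"
      MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD:?set MINIO_ROOT_PASSWORD in .env}"
    command: server --console-address ":9001" /data

  nginx:
    # Unpinned tag: pin to a specific release for reproducible deployments.
    image: nginx:latest
    container_name: 'nginx'
    hostname: 'nginx'
    ports:
      - "8443:8443"
      - "8444:8444"
    # VIRTUAL_HOST/VIRTUAL_PORT were removed: they are read by nginx-proxy, not by
    # the stock nginx image, which only uses the mounted default.conf.
    networks:
      - app-tier
    volumes:
      # Stray trailing quote removed from the original mount line.
      - ./conf/app.conf:/etc/nginx/conf.d/default.conf:ro
      # live/ holds symlinks into archive/, so both must be mounted at the same
      # paths. Read-only: nginx never writes certificate material.
      - /etc/letsencrypt/live/:/etc/letsencrypt/live/:ro
      - /etc/letsencrypt/archive/:/etc/letsencrypt/archive/:ro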

app.conf goes in the ./conf folder next to the compose file; it is bind-mounted into the nginx container as /etc/nginx/conf.d/default.conf.

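# Connection header for proxied requests: "upgrade" only when the client asked
# for a protocol upgrade (the console uses websockets), otherwise empty so the
# upstream keepalive pool can be reused. The original set Connection twice in
# the same location ("Keep-Alive", then "upgrade"), forcing an upgrade header on
# every request; the non-standard Proxy-Connection header was dropped as well.
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      "";
}

# MinIO console (web UI).
upstream minio {
  server minio:9001;
  keepalive 15;
}

# MinIO S3 API.
upstream minio_api {
  server minio:9000;
  keepalive 15;
}

# The original `resolver 8.8.8.8;` was removed: the upstream hosts are fixed
# service names resolved by Docker's DNS when nginx starts, and the resolver
# directive only affects runtime resolution of names in variables (where a
# public resolver would not know Docker service names anyway).

# Console, TLS on 8443.
server {
  listen 8443 ssl;
  server_name minio.example.com;
  ssl_certificate /etc/letsencrypt/live/minio.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/minio.example.com/privkey.pem;
  ssl_protocols TLSv1.2 TLSv1.3;

  # The console also proxies object uploads; nginx's default 1m limit would
  # reject larger ones with 413.
  client_max_body_size 0;

  location / {
    proxy_pass http://minio;
    proxy_redirect off;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    chunked_transfer_encoding off;

    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
}

# S3 API, TLS on 8444.
server {
  listen 8444 ssl;
  server_name minio.example.com;
  ssl_certificate /etc/letsencrypt/live/minio.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/minio.example.com/privkey.pem;
  ssl_protocols TLSv1.2 TLSv1.3;

  # S3 clients upload objects far larger than nginx's default 1m body limit.
  client_max_body_size 0;

  location / {
    proxy_pass http://minio_api;
    proxy_redirect off;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    chunked_transfer_encoding off;

    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
}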

Check the permissions on /etc/letsencrypt: privkey.pem is created 0600 root, so whatever user the nginx master process runs as must be able to read it (it does when the master runs as root, which is the default for the stock image; if you run the container with a non-root `user:`, adjust ownership rather than making the key world-readable). Also remember that live/ contains symlinks into archive/, so both directories have to be mounted.