思路有两个:
- 方式一:通过nginx反向代理,将https配置在nginx,内部的MinIO还是使用HTTP;
- 方式二:MinIO服务端直接配置成HTTPS;
注意:
私钥需要命名为:private.key
公钥需要命名为:public.crt (如果公钥是以pem格式结尾,可直接改为crt格式)
一、制作证书(方式二)
(一)、之前对外暴露接口地址为https://ymzn.com
(二)、home目录下新建new_cert目录用于存放证书以及相关文件
[root@localhost home]# mkdir new_cert
(三)、使用openssl分别生成服务端和客户端的公钥及私钥
1、生成服务端私钥
(base) [root@localhost ~]# mkdir new_cert
(base) [root@localhost ~]# cd new_cert/
(base) [root@localhost new_cert]# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.......................+++++
............+++++
e is 65537 (0x010001)
2、生成服务端公钥
(base) [root@localhost new_cert]# openssl rsa -in server.key -pubout -out server.pem
writing RSA key
(base) [root@localhost new_cert]# openssl genrsa -out client.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.........................+++++
..........+++++
e is 65537 (0x010001)
3、生成客户端私钥
(base) [root@localhost new_cert]# openssl rsa -in client.key -pubout -out client.pem
writing RSA key
4、生成客户端公钥
(base) [root@localhost new_cert]# ll
total 16
-rw------- 1 root root 887 Apr 6 14:44 client.key
-rw-r--r-- 1 root root 272 Apr 6 14:44 client.pem
-rw------- 1 root root 887 Apr 6 14:43 server.key
-rw-r--r-- 1 root root 272 Apr 6 14:44 server.pem
(base) [root@localhost new_cert]#
(四)、生成CA证书
1、生成CA私钥
(base) [root@localhost new_cert]# openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
..........+++++
.........................+++++
e is 65537 (0x010001)
(base) [root@localhost new_cert]#
2、生成CA证书签名请求文件CSR
(base) [root@localhost new_cert]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ymzn_ca
Organizational Unit Name (eg, section) []:ymzn_sms_ca
Common Name (e.g. server FQDN or YOUR name) []:ymzn.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
(base) [root@localhost new_cert]#
3、使用私钥KEY文件和CSR文件签名生成CRT证书
(base) [root@localhost new_cert]# openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_ca, OU = hlhk_sms_ca, CN = ymzn.com
Getting Private key
(base) [root@localhost new_cert]#
(五)、生成服务器端和客户端CRT证书
1、生成服务端签名请求CSR文件
(base) [root@localhost new_cert]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ymzn_serve
Organizational Unit Name (eg, section) []:ymzn_sms_serve
Common Name (e.g. server FQDN or YOUR name) []:ymzn.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(base) [root@localhost new_cert]#
2、生成客户端签名请求CSR文件
(base) [root@localhost new_cert]# openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ymzn_client
Organizational Unit Name (eg, section) []:ymzn_sms_client
Common Name (e.g. server FQDN or YOUR name) []:ymzn.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
(base) [root@localhost new_cert]#
这里服务端和客户端的Organization Name (eg, company)以及Organizational Unit Name都必须要和CA的不一样才可以
3、向刚才生成的自己的CA机构申请签名CRT证书(服务端和客户端)
(base) [root@localhost new_cert]# openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_serve, OU = hlhk_sms_serve, CN = ymzn.com
Getting CA Private Key
(base) [root@localhost new_cert]# openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_client, OU = hlhk_sms_client, CN = ymzn.com
Getting CA Private Key
(base) [root@localhost new_cert]#
(base) [root@localhost new_cert]# ll
total 48
-rw-r--r-- 1 root root 891 Apr 6 14:46 ca.crt
-rw-r--r-- 1 root root 737 Apr 6 14:46 ca.csr
-rw------- 1 root root 891 Apr 6 14:44 ca.key
-rw-r--r-- 1 root root 41 Apr 6 14:50 ca.srl
-rw-r--r-- 1 root root 904 Apr 6 14:50 client.crt
-rw-r--r-- 1 root root 749 Apr 6 14:49 client.csr
-rw------- 1 root root 887 Apr 6 14:44 client.key
-rw-r--r-- 1 root root 272 Apr 6 14:44 client.pem
-rw-r--r-- 1 root root 899 Apr 6 14:49 server.crt
-rw-r--r-- 1 root root 712 Apr 6 14:47 server.csr
-rw------- 1 root root 887 Apr 6 14:43 server.key
-rw-r--r-- 1 root root 272 Apr 6 14:44 server.pem
(base) [root@localhost new_cert]#
(六)、最后生成需要的key和crt文件
(base) [root@localhost new_cert]# openssl rsa -in server.key -out private.key
writing RSA key
(base) [root@localhost new_cert]# openssl x509 -req -days 3650 -in server.csr -signkey private.key -out public.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_serve, OU = hlhk_sms_serve, CN = ymzn.com
Getting Private key
(base) [root@localhost new_cert]#
报错:
1. x509: certificate relies on legacy Common Name field, use SANs instead
- 检查并删除旧的证书和私钥
在重新生成证书之前,确保删除旧的证书和私钥文件,以避免混淆。
# 删除旧的证书和私钥
rm -f server.key server.csr server.crt
- 创建新的证书配置文件
确保新的配置文件中包含正确的Common Name和Subject Alternative Name。
创建一个名为openssl.cnf的新文件,内容如下:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = cn
ST = beijing
L = chaoyang
O = ymzn_client
OU = ymzn_sms_client
CN = ymzn.com # 确保填写的是域名
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = ymzn.com # 声明支持的域名
- 重新生成私钥、证书请求(CSR)和证书
# 生成新的私钥和证书请求
openssl req -new -nodes -newkey rsa:2048 \
-keyout server.key -out server.csr \
-config openssl.cnf
# 生成新的自签名证书
openssl x509 -req -days 3650 -in server.csr \
-signkey server.key -out server.crt \
-extensions v3_req -extfile openssl.cnf
- 验证证书内容
确认新生成的证书中包含正确的域名。
openssl x509 -in public.crt -text -noout | grep -E "Subject:|DNS:"
输出应包含:
Subject: C=cn, ST=beijing, L=chaoyang, O=ymzn_client, OU=ymzn_sms_client, CN=ymzn.com DNS:ymzn.com
二、docker-compose中minio配置
minio:
image: minio/minio:RELEASE.2022-05-26T05-48-41Z
container_name: minio
restart: unless-stopped
ports:
# api 端口
- "9000:9000"
# 控制台端口
- "9001:9001"
environment:
# 时区上海
TZ: Asia/Shanghai
# 管理后台用户名
MINIO_ACCESS_KEY: admin
#MINIO_ROOT_USER: admin
# 管理后台密码,最小8个字符
MINIO_SECRET_KEY: MiNio@tp&eWz
#MINIO_ROOT_PASSWORD: MiNio@tp&eWz
# https需要指定域名
MINIO_SERVER_URL: "https://ymzn.com:9000"
MINIO_BROWSER_REDIRECT_URL: "https://ymzn.com:9001"
# 添加以下两行
#MINIO_SSL_CERT_FILE: /root/.minio/certs/public.crt
#MINIO_SSL_KEY_FILE: /root/.minio/certs/private.key
# 开启压缩 on 开启 off 关闭
MINIO_COMPRESS: "off"
# 扩展名 .pdf,.doc 为空 所有类型均压缩
MINIO_COMPRESS_EXTENSIONS: ""
# mime 类型 application/pdf 为空 所有类型均压缩
MINIO_COMPRESS_MIME_TYPES: ""
volumes:
# 映射当前目录下的data目录至容器内/data目录
- /home/emp_cloud/minio/data:/data
# 映射配置目录
- /home/emp_cloud/minio/config:/root/.minio/
command: server --address 'ymzn.com:9000' --console-address 'ymzn.com:9001' /data # 指定容器中的目录 /data
privileged: true
network_mode: "host"
三、linux上配置
1.将文件private.key和public.crt文件拷贝到/home/emp_cloud/minio/config/certs中
2.制作minio镜像并启动容器
docker-compose up -d --build --force-recreate minio
三、浏览器https://ymzn.com:9001登录
四、导入SSL证书到Java信任库
1. 问题:minio修改成https后, 系统上传照片报错
com.cvit.common.oss.exception.OssException: 创建Bucket失败, 请核对配置信息:[Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.cvit.common.oss.core.OssClient.createBucket(OssClient.java:87)
at com.cvit.common.oss.core.OssClient.<init>(OssClient.java:67)
at com.cvit.common.oss.factory.OssFactory.refresh(OssFactory.java:72)
at com.cvit.common.oss.factory.OssFactory.instance(OssFactory.java:60)
at com.cvit.master.empReport.utils.PictureUploadUtils.UploadToFile(PictureUploadUtils.java:92)
at com.cvit.master.evaluation.service.impl.AppCommonServiceImpl.upload(AppCommonServiceImpl.java:214)
at com.cvit.master.evaluation.controller.app.AppCommonController.upload(AppCommonController.java:45)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:150)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:117)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:895)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1071)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:964)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909)
操作步骤
1. 导出Minio服务器证书
openssl s_client -connect your-minio-domain:9000 </dev/null | openssl x509 -outform PEM > minio.crt
如商洛局系统:
openssl s_client -connect ymzn.com:9000 </dev/null | openssl x509 -outform PEM > minio.crt
2. 导入到JRE信任库(注意替换JAVA_HOME路径)
方式一:放在当前目录下
直接将 minio.crt 放在执行 keytool 命令时的当前目录,命令中直接使用文件名:
keytool -import -alias minio -keystore $JAVA_HOME/jre/lib/security/cacerts -file minio.crt
方式二:放在其他目录
如果 minio.crt 在其他目录,需指定完整路径:
- 默认密码:changeit
# Linux/macOS 示例
keytool -import -alias minio -keystore $JAVA_HOME/jre/lib/security/cacerts -file /home/user/certs/minio.crt
# Windows 示例
keytool -import -alias minio -keystore %JAVA_HOME%\jre\lib\security\cacerts -file C:\certs\minio.crt
如商洛局系统(win本地):
keytool -import -alias minio -keystore E:\soft_development\Java\jdk1.8.0_231\jre\lib\security\cacerts -file E:\项目\资信报备平台\商洛局\商洛局上线\minio.crt