A customer is running HAProxy 1.8 in front of MinIO on RHEL 8.6. Problems arose with the operating system kernel, the SSL certificate bit length, and HAProxy's default 1024-bit DH parameters.
In response, a test lasting up to 7 working days was carried out to reach the conclusion below.
The MinIO global team has recorded this as a knowledge-base entry and resolved it as described here.
Under the newer convention, the certificate PEM and the private key are kept in separate files and HAProxy reads both.
In HAProxy 1.8 and earlier, however, the certificate PEM and the private key must be combined into a single certificate file.
Otherwise the service fails to start with an error such as:
haproxy service fails with error "bind :443 unable to load ssl certificate from pem file file".
The following warnings are also logged:
[WARNING] 096/214815 (5805) : parsing [/etc/haproxy/haproxy.cfg:67] : 'bind 0.0.0.0:443' :
unable to load default 1024 bits DH parameter for certificate '/etc/haproxy/bundle.pem'., SSL library will use an automatically generated DH parameter.
[WARNING] 096/214815 (5805) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
The key point in the warning is that the default DH parameter is only 1024 bits, which is below what the workload should use; it needs to be raised to 2048 bits.
There are a few different settings that silence the tune.ssl.default-dh-param warning.
One option is to set tune.ssl.default-dh-param explicitly to a value greater than 1024.
However, the HAProxy documentation recommends supplying a custom Diffie-Hellman parameter file instead, since that is more secure, so this guide uses that approach. First, use the openssl utility to generate a dhparams PEM file.
Once the file exists, add it to the global section of /etc/haproxy/haproxy.cfg so that every frontend block inherits the setting. To generate the custom DH parameters, run the following command:
sudo openssl dhparam -out /etc/haproxy/dhparams.pem 2048
The command takes a while; its output looks like this:
generating dh parameters, 2048 bit long safe prime, generator 2
this is going to take a long time
Once the command completes, configure HAProxy to use the custom DH parameter file. Open /etc/haproxy/haproxy.cfg in your preferred editor:
sudo vi /etc/haproxy/haproxy.cfg
The relevant part of the global section looks like this:
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
# utilize system-wide crypto-policies
#ssl-default-bind-ciphers profile=system
ssl-default-server-ciphers profile=system
Now add the following line directly after the ssl-default-server-ciphers profile=system line:
ssl-dh-param-file /etc/haproxy/dhparams.pem
The entire section should then look similar to the following, including the new ssl-dh-param-file line you added:
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
# utilize system-wide crypto-policies
#ssl-default-bind-ciphers profile=system
ssl-default-server-ciphers profile=system
ssl-dh-param-file /etc/haproxy/dhparams.pem
Restart the service:
sudo systemctl restart haproxy.service
Prepare the relevant certificate and edit /etc/hosts so that the test domain name resolves to the HAProxy host:
vim /etc/hosts
After the edit, /etc/hosts looks like this:
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.31.233 img.minio.org.cn
Test the name resolution with ping img.minio.org.cn; the ping succeeds.
3.2 Combine the certificate and private key.
Append the private key to the .crt file, then either rename the result to .pem or keep the .crt name; both are accepted.
For example:
cat img.minio.org.cn.key >> img.minio.org.cn.pem
Note: this example uses img.minio.org.cn as the domain name; replace it with your actual domain name.
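Before restarting HAProxy, it is worth checking the two files the bind line depends on: the combined certificate-plus-key bundle from the step above and the dhparams.pem generated earlier. The following Python script is an added example, not code from the original article or from HAProxy or MinIO; it uses only the standard library, the sample inputs are constructed stand-ins, and the DH check measures the bit length of p from the PKCS#3 structure without testing primality.

```python
import base64
import re
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):  # -> [(label, der_bytes)] for every PEM block in text
    return [(label, base64.b64decode(body)) for label, body in PEM_BLOCK.findall(text)]

def der_tlv(buf, pos=0):
    """Minimal DER reader: (tag, value, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the real length
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(der):
    """PKCS#3 DHParameter is SEQUENCE { p INTEGER, g INTEGER }; return the bit length of p."""
    tag, seq, _ = der_tlv(der)
    itag, p_bytes, _ = der_tlv(seq)
    if tag != 0x30 or itag != 0x02:
        raise ValueError("not a DH parameter structure")
    return int.from_bytes(p_bytes, "big", signed=True).bit_length()

def check_haproxy_tls_files(bundle_pem, dhparams_pem, min_dh_bits=2048):
    """Return a list of problems; an empty list means HAProxy 1.8 can use both files."""
    problems = []
    labels = [label for label, _ in pem_blocks(bundle_pem)]
    if "CERTIFICATE" not in labels:
        problems.append("bundle has no CERTIFICATE block")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("bundle has no PRIVATE KEY block (cert and key must be in one file)")
    dh = [der for label, der in pem_blocks(dhparams_pem) if label == "DH PARAMETERS"]
    bits = dh_prime_bits(dh[0]) if dh else 0  # 0 means no DH PARAMETERS block at all
    if bits < min_dh_bits:
        problems.append(f"DH prime is {bits} bits; need at least {min_dh_bits}")
    return problems

def make_dh_pem(p, g=2):
    """Constructed test input: encode (p, g) as a DH PARAMETERS PEM (exercises the size check only)."""
    def der_len(n):
        return bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    def der_int(n):  # minimal two's-complement length keeps the INTEGER positive
        b = n.to_bytes(n.bit_length() // 8 + 1, "big")
        return b"\x02" + der_len(len(b)) + b
    body = der_int(p) + der_int(g)
    b64 = base64.encodebytes(b"\x30" + der_len(len(body)) + body).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{b64}-----END DH PARAMETERS-----\n"

# Constructed samples (not from the article): stand-in bundle bodies (only labels are read); DH p is 2048-bit, not a real prime.
SAMPLE_BUNDLE = "-----BEGIN CERTIFICATE-----\nMAA=\n-----END CERTIFICATE-----\n-----BEGIN PRIVATE KEY-----\nMAA=\n-----END PRIVATE KEY-----\n"
SAMPLE_DH_2048 = make_dh_pem((1 << 2047) | 0xB5)
```

Run it against the real files by reading them with open(...).read() and passing the contents to check_haproxy_tls_files; an empty list means the bundle and dhparams file are in the shape HAProxy 1.8 expects.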
3.3 Add backend servers to HAProxy.
Edit the HAProxy configuration to add the backend server information:
vim /etc/haproxy/haproxy.cfg
Add the following:
backend servers
    balance roundrobin
    mode http
    server web1 192.168.31.211:9001 check
    server web2 192.168.31.212:9001 check
    server web3 192.168.31.213:9001 check
    server web4 192.168.31.214:9001 check
backend servers-endpoint
    balance roundrobin
    mode http
    server web1 192.168.31.211:9000 check
    server web2 192.168.31.212:9000 check
    server web3 192.168.31.213:9000 check
    server web4 192.168.31.214:9000 check
For the final setup, TLS certificates are bound on ports 443 and 9443, while the plain HTTP ports 9000 and 9001 carry no certificate. The frontend configuration is as follows:
frontend minio-https
    bind *:443 ssl crt /etc/haproxy/certs/img.minio.org.cn.pem
    bind *:9001
    mode http
    default_backend servers
frontend endpoint
    bind *:9000
    bind *:9443 ssl crt /etc/haproxy/certs/img.minio.org.cn.pem
    mode http
    default_backend servers-endpoint
Restart the service; both the HTTPS and the HTTP listeners are now configured successfully.
Install the mc client. Download the mc binary with wget, then install it:
mv mc /usr/local/bin/mc
chmod +x /usr/local/bin/mc
ln -s /usr/local/bin/mc /usr/bin/mc
Add the 9443 HTTPS endpoint to mc as a remote server alias (the endpoint URL placeholder below stands for the HTTPS address served on port 9443):
mc alias set ssl https://<haproxy-host>:9443 minioadmin minioadmin
# output
Added `ssl` successfully.
List the buckets through the alias:
mc ls ssl
The output is:
[2023-10-19 10:45:13 EDT]     0B test/
[2023-10-19 10:45:19 EDT]     0B test1/
You can use a newer HAProxy version or our officially recommended configuration. If you are using an earlier version, we will support business customers with a comprehensive solution.
For commercial technical support, please contact the official MinIO China website.