I have a docker-compose setup in which minio, minio/kes and vault talk to each other. Both minio/kes and vault need TLS, and I used the self-signed method with an IP address to create the certificates for them. I use this command to generate a certificate:

```sh
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout server.key -out server.cert \
  -subj "/C=/ST=/L=/O=/CN=localhost" -addext "subjectAltName = IP:127.0.0.1"
```

Here is my docker-compose file:
```yaml
version: '3.7'
services:
  minio:
    image: minio/minio:RELEASE.2021-02-01T22-56-52Z
    container_name: minio
    restart: always
    volumes:
      - /home/zahra/docker/minio/data:/data
      - /home/zahra/docker/kes/certs:/root/.minio/kes/certs
    ports:
      - "9003:9000"
    expose:
      - "9003"
    environment:
      MINIO_ROOT_USER: minio
      MINIO_ROOT_PASSWORD: minio123
      MINIO_KMS_KES_ENDPOINT: https://minio-kes:7373
      MINIO_KMS_KES_CERT_FILE: /root/.minio/kes/certs/client.cert
      MINIO_KMS_KES_KEY_FILE: /root/.minio/kes/certs/client.key
      MINIO_KMS_KES_CA_PATH: /root/.minio/kes/certs/server.cert
      MINIO_KMS_KES_KEY_NAME: test-key
      MINIO_KMS_AUTO_ENCRYPTION: 1
    command: server /data
    healthcheck:
      test: [ "CMD", "curl", "-f", "http://localhost:9000/minio/health/live" ]
      interval: 30s
      timeout: 20s
      retries: 3
    networks:
      - minio-network
  minio-kes:
    image: minio/kes:v0.19.2
    container_name: minio-kes
    restart: always
    volumes:
      - /home/zahra/docker/kes/certs:/root/.kes/certs
      - /home/zahra/docker/kes/config:/root/.kes/config
      - /home/zahra/docker/vault/certs:/root/.kes/vault/certs
    environment:
      - KES_SERVER=https://minio-vault:7373
      - KES_CLIENT_KEY=/root/.kes/certs/client.key
      - KES_CLIENT_CERT=/root/.kes/certs/client.cert
    ports:
      - "7373:7373"
    command: server --config=/root/.kes/config/config.yaml --auth=off
    expose:
      - "7373"
    networks:
      - minio-network
    depends_on:
      - minio-vault
  minio-vault:
    image: vault:latest
    container_name: minio-vault
    ports:
      - "8200:8200"
    volumes:
      - /home/zahra/docker/vault/file:/vault/file
      - /home/zahra/docker/vault/config:/vault/config
      - /home/zahra/docker/vault/certs:/vault/certs
      - /home/zahra/docker/vault/policy:/vault/policy
    environment:
      - VAULT_ADDR=https://127.0.0.1:8200
      - VAULT_SKIP_VERIFY=true
      - VAULT_TOKEN=MY-TOKEN
    cap_add:
      - IPC_LOCK
    entrypoint: vault server -config=/vault/config/config.json
    networks:
      - minio-network
networks:
  minio-network:
    driver: bridge
```
My problem is that inside docker I have to use the container name instead of the IP address of my services, so I get the following errors: `x509: certificate is not valid for any names, but wanted to match minio-kes` or `x509: certificate is not valid for any names, but wanted to match minio-vault`.

minio-kes and minio-vault are my container names.
I tried replacing the common name (CN) with the name of my container while generating the certificate, but again it didn't work. For example:

```sh
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout server.key -out server.cert \
  -subj "/C=/ST=/L=/O=/CN=minio-kes" -addext "subjectAltName = IP:127.0.0.1"
```

I don't know how I should generate the certificate so that it works inside docker.
If you are using the domain names to connect, you must add these domain names to the certificate. This can be achieved by adding `-addext "subjectAltName = DNS:minio-kes"` to the openssl command.
A certificate can be made valid for multiple domain names. Just add the parameter multiple times in order to add multiple domain names to the certificate.
Also see this answer for further details.
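To show why the CN-only certificate fails and the SAN-based one succeeds, here is an added example (not code from the question, the answer, MinIO or KES) that reproduces the exact hostname check a Go TLS client such as MinIO or KES performs, using only the Go standard library. It builds two self-signed certificates in memory: one carrying only `IP:127.0.0.1` in the subjectAltName, as in the question, and one that also lists `DNS:minio-kes` and `DNS:localhost`. `crypto/x509` ignores the subject CN whenever a subjectAltName extension is present, so the first certificate is rejected for `minio-kes` with the very message quoted above, while the second is accepted. The certificate names and the 24-hour validity are constructed for the demo; a certificate produced by openssl with the same SAN entries behaves identically under this check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeSelfSigned builds an in-memory self-signed certificate with subject CN
// cn and a subjectAltName holding dnsNames and ips. It mirrors what
// "openssl req -x509 ... -addext subjectAltName=..." produces on disk.
func makeSelfSigned(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // demo lifetime, constructed
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		DNSNames:              dnsNames, // DNS:... SAN entries
		IPAddresses:           ips,      // IP:... SAN entries
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameCheck runs the same name check crypto/tls applies when a Go client
// (MinIO, KES) dials host; it returns "" on success or the x509 error text.
func hostnameCheck(cert *x509.Certificate, host string) string {
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return ""
}

// ipOnlyCert reproduces the question's certificate: CN=minio-kes but only an
// IP SAN, which is why connecting by container name fails.
func ipOnlyCert() (*x509.Certificate, error) {
	return makeSelfSigned("minio-kes", nil, []net.IP{net.ParseIP("127.0.0.1")})
}

// sanCert is the fix from the answer: DNS names for every name clients use,
// kept alongside the IP entry so both forms of connection keep working.
func sanCert() (*x509.Certificate, error) {
	return makeSelfSigned("minio-kes",
		[]string{"minio-kes", "localhost"},
		[]net.IP{net.ParseIP("127.0.0.1")})
}

func main() {
	for _, c := range []struct {
		label string
		build func() (*x509.Certificate, error)
	}{{"IP-only SAN (question)", ipOnlyCert}, {"DNS+IP SAN (answer)", sanCert}} {
		cert, err := c.build()
		if err != nil {
			panic(err)
		}
		for _, host := range []string{"minio-kes", "localhost", "127.0.0.1", "minio-vault"} {
			msg := hostnameCheck(cert, host)
			if msg == "" {
				msg = "ok"
			}
			fmt.Printf("%-24s %-12s %s\n", c.label, host, msg)
		}
	}
}
```

Running it prints one line per certificate and host; the IP-only certificate is rejected for `minio-kes` and `minio-vault` with "certificate is not valid for any names, but wanted to match ...", while the DNS+IP certificate is accepted for `minio-kes`, `localhost` and `127.0.0.1` and rejected only for `minio-vault`, which has no SAN entry. That last case is why each service in the compose file needs its own container name in its own certificate (or one certificate listing all of them).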