Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to use SSE-C with MinIO behind a reverse proxy #197

Open
sanjaysrikakulam opened this issue Oct 9, 2024 · 1 comment
Open

Unable to use SSE-C with MinIO behind a reverse proxy #197

sanjaysrikakulam opened this issue Oct 9, 2024 · 1 comment

Comments

@sanjaysrikakulam
Copy link

Hi,

I deployed an MinIO instance via EGI for testing SSE-C and I get the following error

mc: <ERROR> unable to upload. Requests specifying Server Side Encryption with Customer provided keys must be made over a secure connection.

Deployment info:
MinIO release: RELEASE.2024-10-02T08-27-28Z

Debug message:

Cmd:

mc put --enc-c "ssecminio/ssec-test/enc_test_file=XXXXXXXXXXXXXXXXXXXX" enc_test_file ssecminio/ssec-test/enc_test_file --debug
mc: <DEBUG> GET /ssec-test/?location= HTTP/1.1
Host: usegalaxy-ssec-api.test.fedcloud.eu
User-Agent: MinIO (linux; amd64) minio-go/v7.0.77 mc/RELEASE.2024-10-02T08-27-28Z
Accept-Encoding: zstd,gzip
Authorization: AWS4-HMAC-SHA256 Credential=XXXXXXXXXXXXXXXXXXXX/20241009/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20241009T151031Z

mc: <DEBUG> HTTP/1.1 200 OK
Content-Length: 128
Accept-Ranges: bytes
Content-Type: application/xml
Date: Wed, 09 Oct 2024 15:10:30 GMT
Server: MinIO
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Origin
Vary: Accept-Encoding
X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
X-Amz-Request-Id: 17FCD16EC588B205
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block

mc: <DEBUG> TLS Certificate found:
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: Let's Encrypt
mc: <DEBUG>  >> Expires: 2025-01-07 13:41:38 +0000 UTC
mc: <DEBUG> TLS Certificate found:
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: Internet Security Research Group
mc: <DEBUG>  >> Expires: 2027-03-12 23:59:59 +0000 UTC
mc: <DEBUG> Response Time:  139.702026ms

mc: <DEBUG> PUT /ssec-test/enc_test_file HTTP/1.1
Host: usegalaxy-ssec-api.test.fedcloud.eu
User-Agent: MinIO (linux; amd64) minio-go/v7.0.77 mc/RELEASE.2024-10-02T08-27-28Z
Content-Length: 32
Accept-Encoding: zstd,gzip
Authorization: AWS4-HMAC-SHA256 Credential=XXXXXXXXXXXXXXXXXXXXXX/us-east-1/s3/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date;x-amz-server-side-encryption-customer-algorithm;x-amz-server-side-encryption-customer-key;x-amz-server-side-encryption-customer-key-md5, Signature=**REDACTED**
Content-Type: application/octet-stream
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20241009T151031Z
X-Amz-Server-Side-Encryption-Customer-Algorithm: AES256
X-Amz-Server-Side-Encryption-Customer-Key:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X-Amz-Server-Side-Encryption-Customer-Key-Md5: XXXXXXXXXXXXXXXXXXXXXXXXXX

mc: <DEBUG> HTTP/1.1 400 Bad Request
Content-Length: 374
Accept-Ranges: bytes
Content-Type: application/xml
Date: Wed, 09 Oct 2024 15:10:30 GMT
Server: MinIO
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Origin
X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
X-Amz-Request-Id: 17FCD16EC63A9CB9
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidRequest</Code><Message>Requests specifying Server Side Encryption with Customer provided keys must be made over a secure connection.</Message><Resource>/ssec-test/enc_test_file</Resource><RequestId>17FCD16EC63A9CB9</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>mc: <DEBUG> TLS Certificate found:
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: Let's Encrypt
mc: <DEBUG>  >> Expires: 2025-01-07 13:41:38 +0000 UTC
mc: <DEBUG> TLS Certificate found:
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: Internet Security Research Group
mc: <DEBUG>  >> Expires: 2027-03-12 23:59:59 +0000 UTC
mc: <DEBUG> Response Time:  10.10284ms

mc: <ERROR> unable to upload. Requests specifying Server Side Encryption with Customer provided keys must be made over a secure connection.
 (3) put-main.go:200 cmd.mainPut(..)
 (2) common-methods.go:510 cmd.uploadSourceToTargetURL(..) Tags: [/home/sanjay/enc_test_file]
 (1) common-methods.go:212 cmd.putTargetStream(..) Tags: [ssecminio, https://usegalaxy-ssec-api.test.fedcloud.eu:443/ssec-test/enc_test_file]
 (0) client-s3.go:1161 cmd.(*S3Client).Put(..)
 Release-Tag:RELEASE.2024-10-02T08-27-28Z | Commit:ce0b4341521d | Host:minion | OS:linux | Arch:amd64 | Lang:go1.22.8 | Mem:8.2 MiB/18 MiB | Heap:8.2 MiB/11 MiB.

Relevant issue: minio/minio#6093

Having the SSE-C, SSE-KMS, and SSE-S3 will be great for secured data analysis.

@micafer
Copy link
Member

micafer commented Oct 10, 2024

Related issue: minio/minio#6093

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants