grycap / tosca

TOSCA Types and Templates (YAML)
Apache License 2.0

Unable to use SSE-C with MinIO behind a reverse proxy #197

Open sanjaysrikakulam opened 1 month ago

sanjaysrikakulam commented 1 month ago

Hi,

I deployed a MinIO instance via EGI for testing SSE-C, and I get the following error:

mc: <ERROR> unable to upload. Requests specifying Server Side Encryption with Customer provided keys must be made over a secure connection.

Deployment info: MinIO release: RELEASE.2024-10-02T08-27-28Z

Debug message:

Cmd:

mc put --enc-c "ssecminio/ssec-test/enc_test_file=XXXXXXXXXXXXXXXXXXXX" enc_test_file ssecminio/ssec-test/enc_test_file --debug
mc: <DEBUG> GET /ssec-test/?location= HTTP/1.1
Host: usegalaxy-ssec-api.test.fedcloud.eu
User-Agent: MinIO (linux; amd64) minio-go/v7.0.77 mc/RELEASE.2024-10-02T08-27-28Z
Accept-Encoding: zstd,gzip
Authorization: AWS4-HMAC-SHA256 Credential=XXXXXXXXXXXXXXXXXXXX/20241009/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20241009T151031Z

mc: <DEBUG> HTTP/1.1 200 OK
Content-Length: 128
Accept-Ranges: bytes
Content-Type: application/xml
Date: Wed, 09 Oct 2024 15:10:30 GMT
Server: MinIO
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Origin
Vary: Accept-Encoding
X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
X-Amz-Request-Id: 17FCD16EC588B205
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block

mc: <DEBUG> TLS Certificate found:
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: Let's Encrypt
mc: <DEBUG>  >> Expires: 2025-01-07 13:41:38 +0000 UTC
mc: <DEBUG> TLS Certificate found:
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: Internet Security Research Group
mc: <DEBUG>  >> Expires: 2027-03-12 23:59:59 +0000 UTC
mc: <DEBUG> Response Time:  139.702026ms

mc: <DEBUG> PUT /ssec-test/enc_test_file HTTP/1.1
Host: usegalaxy-ssec-api.test.fedcloud.eu
User-Agent: MinIO (linux; amd64) minio-go/v7.0.77 mc/RELEASE.2024-10-02T08-27-28Z
Content-Length: 32
Accept-Encoding: zstd,gzip
Authorization: AWS4-HMAC-SHA256 Credential=XXXXXXXXXXXXXXXXXXXXXX/us-east-1/s3/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date;x-amz-server-side-encryption-customer-algorithm;x-amz-server-side-encryption-customer-key;x-amz-server-side-encryption-customer-key-md5, Signature=**REDACTED**
Content-Type: application/octet-stream
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20241009T151031Z
X-Amz-Server-Side-Encryption-Customer-Algorithm: AES256
X-Amz-Server-Side-Encryption-Customer-Key:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X-Amz-Server-Side-Encryption-Customer-Key-Md5: XXXXXXXXXXXXXXXXXXXXXXXXXX

mc: <DEBUG> HTTP/1.1 400 Bad Request
Content-Length: 374
Accept-Ranges: bytes
Content-Type: application/xml
Date: Wed, 09 Oct 2024 15:10:30 GMT
Server: MinIO
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Origin
X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
X-Amz-Request-Id: 17FCD16EC63A9CB9
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidRequest</Code><Message>Requests specifying Server Side Encryption with Customer provided keys must be made over a secure connection.</Message><Resource>/ssec-test/enc_test_file</Resource><RequestId>17FCD16EC63A9CB9</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>mc: <DEBUG> TLS Certificate found:
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: Let's Encrypt
mc: <DEBUG>  >> Expires: 2025-01-07 13:41:38 +0000 UTC
mc: <DEBUG> TLS Certificate found:
mc: <DEBUG>  >> Country: US
mc: <DEBUG>  >> Organization: Internet Security Research Group
mc: <DEBUG>  >> Expires: 2027-03-12 23:59:59 +0000 UTC
mc: <DEBUG> Response Time:  10.10284ms

mc: <ERROR> unable to upload. Requests specifying Server Side Encryption with Customer provided keys must be made over a secure connection.
 (3) put-main.go:200 cmd.mainPut(..)
 (2) common-methods.go:510 cmd.uploadSourceToTargetURL(..) Tags: [/home/sanjay/enc_test_file]
 (1) common-methods.go:212 cmd.putTargetStream(..) Tags: [ssecminio, https://usegalaxy-ssec-api.test.fedcloud.eu:443/ssec-test/enc_test_file]
 (0) client-s3.go:1161 cmd.(*S3Client).Put(..)
 Release-Tag:RELEASE.2024-10-02T08-27-28Z | Commit:ce0b4341521d | Host:minion | OS:linux | Arch:amd64 | Lang:go1.22.8 | Mem:8.2 MiB/18 MiB | Heap:8.2 MiB/11 MiB.

Relevant issue: https://github.com/minio/minio/issues/6093

Having SSE-C, SSE-KMS, and SSE-S3 would be great for secure data analysis.
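A triage helper for traces like the one in the post above, added here as an example; it is not part of the original post and not code from mc or MinIO. It splits `mc --debug` output into request/response exchanges and flags SSE-C requests that the client sent over TLS but the server rejected as insecure. The function names, the cause labels and the sample host are assumptions, as is the inference that this combination means TLS ended before the request reached MinIO.

```python
import re

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
INSECURE_MSG = "must be made over a secure connection"
# Constructed sample, abridged to the shape of the mc --debug trace above;
# host, bucket and object names are placeholders.
SAMPLE_TRACE = """\
mc: <DEBUG> PUT /bucket/object HTTP/1.1
Host: minio.example.org
X-Amz-Server-Side-Encryption-Customer-Algorithm: AES256

mc: <DEBUG> HTTP/1.1 400 Bad Request

<Error><Code>InvalidRequest</Code><Message>Requests specifying Server Side Encryption with Customer provided keys must be made over a secure connection.</Message></Error>mc: <DEBUG> TLS Certificate found:
mc: <DEBUG>  >> Organization: Let's Encrypt
"""

REQ = re.compile(r"^mc: <DEBUG> (GET|PUT|POST|HEAD|DELETE) (\S+) HTTP/", re.M)
RESP = re.compile(r"^mc: <DEBUG> HTTP/\S+ (\d{3})", re.M)

def split_exchanges(trace):
    """Return one dict per request/response pair found in the trace."""
    starts = [m.start() for m in REQ.finditer(trace)] + [len(trace)]
    out = []
    for begin, end in zip(starts, starts[1:]):
        chunk = trace[begin:end]  # one request up to the next request
        req, resp = REQ.search(chunk), RESP.search(chunk)
        out.append({
            "method": req.group(1),
            "path": req.group(2),
            "status": int(resp.group(1)) if resp else None,
            "ssec": SSEC_HEADER in chunk.lower(),
            "client_tls": "TLS Certificate found" in chunk,
            "insecure_error": INSECURE_MSG in chunk,
        })
    return out

def triage(trace):
    """Flag SSE-C requests that the server rejected as insecure."""
    findings = []
    for ex in split_exchanges(trace):
        if ex["ssec"] and ex["insecure_error"]:
            # Assumption: client saw TLS but server did not, so TLS was
            # terminated at a hop in front of MinIO (e.g. a reverse proxy).
            cause = ("tls-terminated-before-server" if ex["client_tls"]
                     else "client-used-plain-http")
            findings.append((ex["method"], ex["path"], ex["status"], cause))
    return findings
```
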

micafer commented 1 month ago

Related issue: https://github.com/minio/minio/issues/6093