Clarity needed on SSL Certs
The deployment docs state:
MinIO enables Transport Layer Security (TLS) 1.2+ automatically upon detecting a valid x.509 certificate (.crt) and private key (.key) in the MinIO ${HOME}/.minio/certs directory.
However, as I discovered, this isn't quite true.
The paragraph in the document implies that any .crt and any .key in the certs directory will be picked up.
However, buried elsewhere in the documentation is the fact that files MUST be called private.key and public.crt.
This is really a critical piece of detail that should not be omitted from the deployment section (and quickstart if applicable, I didn't check there).
This is a good catch. It's also arguably something to talk to engineering about...
@harshavardhana @kannappanr would it make sense to enable TLS even if we don't have private.key and public.crt, but do have one or more domain-specific keys? e.g.
~/.minio/certs
-> /subdomain1.domain.net/
-> /subdomain2.domain.net/
-> /*.domain.net
In this case there is no 'default' cert to return, but we are ready to respond to a set of hostnames.
Thoughts?
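As an added example (not code from MinIO or from anyone in this thread), the following check audits a `~/.minio/certs` tree the way the report and the maintainer's sketch describe it: it flags `.crt`/`.key` files at the top level that are not named `public.crt`/`private.key` (the silent failure the reporter hit), and it lists per-hostname subdirectories that do carry a correctly named pair. It assumes the per-hostname subdirectories use the same `public.crt`/`private.key` names as the top level, that a `CAs` subdirectory holds trusted CA certificates rather than a server pair, and that a group- or world-readable private key is worth reporting; those are my assumptions, not something this thread states. The fixture it builds is constructed placeholder PEM text, not real key material.

```python
import os
import stat
import tempfile
from pathlib import Path

CERT_NAME = "public.crt"   # the exact names the report says MinIO requires
KEY_NAME = "private.key"

# Constructed placeholders with PEM markers only; not real certificates or keys.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"


def _has_pem_marker(path: Path, marker: str) -> bool:
    """True if the file contains a PEM block whose header includes `marker`."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return False
    return "-----BEGIN " in text and marker in text


def _pair_status(directory: Path) -> dict:
    """Check one directory for a public.crt/private.key pair and basic hygiene."""
    cert, key = directory / CERT_NAME, directory / KEY_NAME
    problems = []
    if not cert.is_file() or not key.is_file():
        return {"present": False, "ok": False, "problems": problems}
    if not _has_pem_marker(cert, "CERTIFICATE-----"):
        problems.append(f"{cert}: does not look like a PEM certificate")
    # "PRIVATE KEY-----" also matches RSA/EC PRIVATE KEY headers.
    if not _has_pem_marker(key, "PRIVATE KEY-----"):
        problems.append(f"{key}: does not look like a PEM private key")
    mode = stat.S_IMODE(key.stat().st_mode)
    if mode & 0o077:  # assumption: private keys should be owner-only
        problems.append(f"{key}: mode {mode:o} is readable by group/others")
    return {"present": True, "ok": not problems, "problems": problems}


def audit_certs_dir(certs_dir) -> dict:
    """Report whether the layout yields a default cert, SNI hosts, or misnamed files."""
    root = Path(certs_dir)
    report = {"default_tls": False, "sni_hosts": [], "misnamed": [], "problems": []}
    if not root.is_dir():
        report["problems"].append(f"{root}: missing, so TLS stays off")
        return report
    top = _pair_status(root)
    report["default_tls"] = top["ok"]
    report["problems"] += top["problems"]
    for entry in sorted(root.iterdir()):
        if entry.is_dir() and entry.name != "CAs":  # assumption: CAs holds trust anchors
            sub = _pair_status(entry)
            if sub["ok"]:
                report["sni_hosts"].append(entry.name)
            report["problems"] += sub["problems"]
        elif (entry.is_file() and entry.suffix in (".crt", ".key", ".pem")
              and entry.name not in (CERT_NAME, KEY_NAME)):
            report["misnamed"].append(entry.name)
    if not top["present"] and report["misnamed"]:
        report["problems"].append(
            "top-level cert/key files are not named public.crt/private.key; "
            "no default certificate will be loaded")
    return report


def build_demo_layout() -> Path:
    """Constructed fixture: the reporter's mistake at top level, one correct SNI host."""
    root = Path(tempfile.mkdtemp()) / ".minio" / "certs"
    root.mkdir(parents=True)
    (root / "server.crt").write_text(FAKE_CERT)   # wrong names, as in the report
    (root / "server.key").write_text(FAKE_KEY)
    host = root / "subdomain1.domain.net"           # hostname from the sketch above
    host.mkdir()
    (host / CERT_NAME).write_text(FAKE_CERT)
    (host / KEY_NAME).write_text(FAKE_KEY)
    os.chmod(host / KEY_NAME, 0o600)
    return root


def fix_demo_layout(root: Path) -> Path:
    """Rename the misnamed top-level pair so a default certificate is found."""
    (root / "server.crt").rename(root / CERT_NAME)
    (root / "server.key").rename(root / KEY_NAME)
    os.chmod(root / KEY_NAME, 0o600)
    return root


if __name__ == "__main__":
    layout = build_demo_layout()
    print("before:", audit_certs_dir(layout))
    print("after: ", audit_certs_dir(fix_demo_layout(layout)))
```

Run it against a real `~/.minio/certs` by calling `audit_certs_dir(os.path.expanduser("~/.minio/certs"))`; an empty `default_tls` with non-empty `misnamed` is exactly the state the report describes, where the server starts without error but serves plain HTTP.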
FYI Logging also needs to be improved in this area too. There was zero log / systemd journal entries about this, and when the console was visited in web browsers you just get various obscure in-browser errors (i.e. generated by the browser, not minio) related to handshakes. Took me a while to figure out the root cause.
https://min.io/docs/minio/linux/operations/network-encryption.html
We've improved the TLS pages to make explicit how key names work.
Logging is a server issue, not docs.