Following the official documentation, the simplest way to enable TLS is to use certgen to generate a certificate/key pair directly, for example:
(https://min.io/docs/minio/linux/operations/network-encryption.html?ref=docs-redirect),
certgen -host "10.121.10.11"
Put the generated private.key and public.crt files into ~/.minio/certs under the home directory of the user that starts MinIO (the default location).
What is recorded here is mainly how to make the certificate pass verification, so that errors like “mc: <ERROR> Unable to initialize new alias from the provided credentials. Get "https://10.121.10.11:9527": tls: failed to verify certificate: x509: certificate signed by unknown authority.” are not thrown. The official documentation gives the fix: place the root CA certificate that signed the server certificate in ~/.minio/certs/CAs, laid out as follows (the directory and file names must match the example):
# ls -R ~/.minio/certs/
/root/.minio/certs/:
CAs private.key public.crt
/root/.minio/certs/CAs:
myCA.crt
The reason for generating the certificates by hand rather than using certgen directly is that certgen does not export the CA. Note that the subjectAltName written into the server certificate must be the address clients connect to (10.121.10.11 here), otherwise verification fails on a host-name mismatch even with the CA trusted:
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -subj /C=CN/ST=SX/O=IT/OU=Test/CN=RootCA -out myCA.crt
openssl req -newkey rsa:2048 -nodes -keyout private.key -subj /C=CN/ST=SX/O=IT/OU=Test/CN=Test -out public.csr
openssl x509 -req -extfile <(printf "subjectAltName=IP:10.121.10.11") -days 365 -in public.csr -CA myCA.crt -CAkey ca.key -CAcreateserial -out public.crt
Deploy the files to the server as follows:
scp -P 22 myCA.crt root@10.121.10.11:/root/.minio/certs/CAs/
scp -P 22 public.crt private.key root@10.121.10.11:/root/.minio/certs/
For reference, the MinIO start script is also recorded here:
# cat start.sh
export MINIO_ROOT_USER=admin
export MINIO_ROOT_PASSWORD=password
nohup ./minio server ../data --address "10.121.10.11:9527" &
After starting, adding an alias with mc checks whether the configuration is correct; when it is wrong, an error like the one below is thrown:
./mc alias set myminio/ https://10.121.10.11:9527 admin password
Fingerprint of myminio public key: ed501e0afb32f8b2f17fb927e1e70eb27d4860f2dbfe288bd2216a19bc50b571
Confirm public key y/N: y
mc: <ERROR> Unable to initialize new alias from the provided credentials. Get "https://10.121.10.11:9527/probe-bsign-ai6kqmm2cw6vwoct6oyudgkfw1r4u5/?location=": tls: failed to verify certificate: x509: certificate signed by unknown authority.
When everything is correct, it returns success:
./mc alias set myminio/ https://10.121.10.11:9527 admin password
Added myminio successfully.
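The whole certificate step above, as an added example script that is not part of the original note or of MinIO itself: it generates the CA and the server certificate with the same openssl commands, then checks locally what mc would otherwise check over the network (the certificate chains to myCA.crt, the SAN carries the server address, and private.key matches public.crt) before anything is copied to ~/.minio/certs. The output directory and the address are hypothetical values passed by the caller; openssl is assumed to be on PATH. The SAN extension is written to a file instead of <(...) so the script runs under plain sh.

```shell
#!/bin/sh
# Added example (not from the original note): build a private CA, issue a MinIO
# server certificate whose subjectAltName matches the listen address, and verify
# the result before it is deployed. Assumes openssl is installed; DIR and IP are
# hypothetical values supplied by the caller.

set -eu

# make_certs DIR IP -> writes ca.key, myCA.crt, private.key, public.crt into DIR
make_certs() {
    dir=$1; ip=$2
    mkdir -p "$dir"
    # 1. CA key and self-signed CA certificate (the file MinIO expects in certs/CAs)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" \
        -subj "/C=CN/ST=SX/O=IT/OU=Test/CN=RootCA" -out "$dir/myCA.crt" 2>/dev/null
    # 2. Server key and certificate signing request
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/private.key" \
        -subj "/C=CN/ST=SX/O=IT/OU=Test/CN=Test" -out "$dir/public.csr" 2>/dev/null
    # 3. Sign the CSR with the CA, adding the address clients will connect to as a SAN
    printf 'subjectAltName=IP:%s\n' "$ip" > "$dir/san.ext"
    openssl x509 -req -extfile "$dir/san.ext" -days 365 -in "$dir/public.csr" \
        -CA "$dir/myCA.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/public.crt" 2>/dev/null
}

# verify_certs DIR IP -> returns 0 only if public.crt chains to myCA.crt,
# carries IP as a subjectAltName, and private.key belongs to public.crt.
verify_certs() {
    dir=$1; ip=$2
    # Chain check: same failure mc reports as "certificate signed by unknown authority"
    openssl verify -CAfile "$dir/myCA.crt" "$dir/public.crt" >/dev/null 2>&1 || return 1
    # SAN check: the address in the certificate must equal the address mc connects to
    openssl x509 -in "$dir/public.crt" -noout -text | grep -q "IP Address:$ip" || return 1
    # Key check: the public key inside the certificate must come from private.key
    pub_from_cert=$(openssl x509 -in "$dir/public.crt" -noout -pubkey)
    pub_from_key=$(openssl pkey -in "$dir/private.key" -pubout)
    [ "$pub_from_cert" = "$pub_from_key" ]
}

# Usage: ./mkcerts.sh run
# Afterwards copy myCA.crt to ~/.minio/certs/CAs/ and public.crt plus
# private.key to ~/.minio/certs/ on the server, as in the note above.
if [ "${1:-}" = "run" ]; then
    out=$(mktemp -d)
    make_certs "$out" "10.121.10.11"
    verify_certs "$out" "10.121.10.11" && echo "certificates in $out verified OK"
fi
```

Running verify_certs with a different address than the one baked into the certificate fails on the SAN check; that is the local equivalent of mc rejecting the server because the certificate is valid for another host.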