Certificate error when connecting to a Minio server over HTTPS using the S3 plugin

Taken from a discussion on Discord, initiated by the user scguo.

I got “Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target” when using S3 to request a minio (GitHub - minio/minio: High Performance, Kubernetes Native Object Storage) server. But when I use a browser to make the request, the cert looks good.

Using openssl to verify the certificate also responds well:

> openssl s_client -connect minio.xfcbg.top:443 -state
CONNECTED(00000005)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 CN = *.xfcbg.top
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.xfcbg.top
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/CN=*.xfcbg.top
   i:/C=US/O=Let's Encrypt/CN=R3
---
Server certificate
subject=/CN=*.xfcbg.top
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 1890 bytes and written 281 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: F31D89942B1244D2DDF4B86BE9EE54C48E2C1AAB5853B4939A18091DE0A39A83
    Session-ID-ctx:
    Master-Key: 0079121008ECCABABC621CBFF8BCB5B83D162B72A0222FA149037BAE4E14F6A1E616E1DB3144C68F1DEE87D06B3286D9
    Start Time: 1623296965
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Resolution provided by scguo on Discord:

I have resolved this issue by adding Let’s Encrypt’s CA cert to public.crt with cat public.crt ca.cer > public.crt. Thanks.
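
The check and the fix from this thread, as an added example that is not part of the original discussion: `chain_status` reads `openssl s_client` output and reports how many certificates the server sent and whether the issuer of the last one was found, and `build_fullchain` appends the CA certificate to the server certificate through a temporary file. The function names are hypothetical, and the sample lines are trimmed from the transcript above.

```bash
# Added example: helper names are hypothetical.

# Summarise the chain a server sent, from `openssl s_client` output on stdin.
# Prints "<certs sent> <ok|issuer-not-found>".
chain_status() {
  awk '
    /^Certificate chain/        { in_chain = 1; next }
    in_chain && /^---/          { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/  { n++; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
    in_chain && /^ *i:/         { sub(/^ *i:/, ""); issuer = $0 }
    /verify error:num=(20|21):/ { verr = 1 }
    END {
      # Last certificate sent is not self-signed and its issuer was not found
      # locally: the server must also send the intermediate.
      bad = (n > 0 && subj != issuer && verr)
      print n + 0, (bad ? "issuer-not-found" : "ok")
    }'
}

# Write leaf + intermediate(s) to OUT: build_fullchain LEAF OUT CA...
# Goes through a temp file because `cat a b > a` truncates a before it is read.
build_fullchain() {
  local leaf=$1 out=$2 tmp f
  shift 2
  tmp=$(mktemp "${out}.XXXXXX") || return 1
  for f in "$leaf" "$@"; do
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { rm -f "$tmp"; return 1; }
    cat "$f" >> "$tmp"
    # Make sure each PEM block ends with a newline so END/BEGIN lines never fuse.
    [ -z "$(tail -c 1 "$f")" ] || echo >> "$tmp"
  done
  mv "$tmp" "$out"
}

# Sample input: lines trimmed from the s_client transcript in this thread.
sample_output() {
  cat <<'EOF'
depth=0 CN = *.xfcbg.top
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/CN=*.xfcbg.top
   i:/C=US/O=Let's Encrypt/CN=R3
---
EOF
}

sample_output | chain_status
```

Against a live server, pipe both output streams into the check, for example `openssl s_client -connect HOST:443 </dev/null 2>&1 | chain_status`, where HOST is a placeholder.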