How to connect Teleport and MinIO via TLS?

[gramunno]

Hello,

I was able to successfully configure Teleport and MinIO as a backend for session recording following this procedure.

Now I want to switch to https. I followed this procedure to setup MinIO for https using a self-signed certificate with the minio utility certgen. This step was successful: I checked it by executing sudo systemctl status minio

Then I updated the teleport configuration file /etc/teleport.yaml by updating the line from:

audit_sessions_uri: "s3://teleport?endpoint=http://127.0.0.1:9199&insecure=true&disablesse=true&region=foo"

to

audit_sessions_uri: "s3://teleport?endpoint=https://127.0.0.1:9199&insecure=false&disablesse=true&region=foo"

Unfortunately looking at the official teleport documentation and searching the Internet I could not find any instruction on how to set in teleport the CA certificate of MinIO (in this case the self-signed certificate).

Indeed if restart teleport, I get the following records in the teleport log:

Nov 08 15:26:45 tp-c0001 teleport[78895]: 2024-11-08T15:26:45+01:00 INFO [S3] Setting up bucket "teleport", sessions path "" in region "foo". s3sessions/s3handler.go:226

Nov 08 15:26:45 tp-c0001 teleport[78895]: 2024-11-08T15:26:45+01:00 ERRO [S3] "Failed to ensure that bucket \"teleport\" exists (RequestError: send request failed\ncaused by: Head \"https://127.0.0.1:9199/teleport\": tls: failed to verify certificate: x509: certificate signed by unknown authority). S3 session uploads may fail. If you've set up the bucket already and gave Teleport write-only access, feel free to ignore this error." s3sessions/s3handler.go:394

Nov 08 15:26:45 tp-c0001 teleport[78895]: 2024-11-08T15:26:45+01:00 INFO [S3] Setup bucket "teleport" completed. duration:287.902925ms s3sessions/s3handler.go:230

And If I try to play any session recorded before the switch to https for MinIO, I get an errror with the same meaning:

RequestError: send request failed caused by: Get "https://127.0.0.1:9199/teleport?prefix=1dbeda77-c660-4d41-8bc7-c689b8529066.tar&versions=": tls: failed to verify certificate: x509: certificate signed by unknown authority

Where do I have to save the MinIO self-signed certificate and where can I tell teleport to look for it?

Thanks in advance

NOTE: in my current setup both teleport and MinIO run on the same host, so now using http is not a problem, but I would like to run the two product on two different hosts, then the need to use https.

[webvictim]

Teleport will use the system trust store, so if you trust the Minio CA at the system level it should work fine.

This process varies from system to system, but for Linux it usually involves putting the file under /usr/share/ca-certificates and running sudo update-ca-certificates or something similar.

[gramunno]

Thanks a lot for the reply.

In my Ubuntu 24.04 installation, after copying the MinIO self-signed certificate to /usr/share/ca-certificates/mozilla , I had to use the command dpkg-reconfigure ca-certificates following this procedure (see the first answer), to update the system trust store with the MinIO self-signed certificate.

Then when restarting teleport, the error on S3 initialization disappeared and the playing of the sessions previously recorded worked fine.