I have an TrueNAS core system running a minio S3-service. Which I would like to use to backup some folders from my windows10 PC. That should be peace of cake, but for some reason, I do not manage.
I installed Duplicati 2 (beta) and started the program via the browser.
- Name: test
- description: “none”
- encryption: “default”
- passphrase: test
- repeat: test
- storage type: S3 compatible
- use ssl: “no” (for the moment)
- server: Custom Url => Url to my Nas including port number
I used www.s3.mynas.gz.lan:12345
- bucketname: test
- bucket region: “default”
- storage class: “default”
- folder path: Unclear(!) I assume that is an optional(!?) path within the bucket, so could it be empty !?
I used “test” for the moment
- AWS AccesId: MyId
- AWS accesskey: MyKey
- Client library to use: Minio SDK
=> bucket name should start with your username !!?? (WHY OH WHY !!, not my intention!)
=> prepend automatically!? OK for the test lets do that
=> Failed to connect: XML-document (1, 1) contains an error (??)
So I am really lost!
What is the problem here / What am I doing wrong !!??
You don’t need to do that. I believe the intent was to assist people with bucket names that aren’t familiar with S3 and how bucket names must be universally unique (within a particular S3 service).
Can you confirm TCP connectivity from the Duplicati machine to the host:port you set? Telnet is a quick way to do this:
telnet www.s3.mynas.gz.lan 12345
See if the connection is established or if it times out/gives you some error.
Related to the first point, it is my feeling as wel … never the less
Second point, I do not think telnet is running on truenas (I would not like that), however:
- I can ping that url
- and I can connect the NAS S3 server via another (less performing) application
- note that I do not use the default port numbers 9000 and 9001 I think for two reasons
a) already used for another application b) from a security standpoint
Here also a copy of the blocking error message
I would just say “no”.
You don’t need telnet on the NAS. The test needs to be performed from your machine running Duplicati, the Windows 10 PC. If you don’t want to install Telnet client on Windows 10, you can use PowerShell:
Test-NetConnection -ComputerName www.s3.mynas.gz.lan -Port 12345
What are the results?
It probably will work since you can use it from another application, but would be good to cover all our bases here while we troubleshoot.
To start with: Thanks for the nice powershell command!
- yep it worked
ComputerName : www.s3.mynas.gz.lan
RemoteAddress : 192.168.x.y
RemotePort : 50000
InterfaceAlias : 10G
SourceAddress : 192.168.a.b
TcpTestSucceeded : True
Appart from that, it also works with
- SyncBackPro (V9 and V10)
- S3 browser
So … still wondering what is wrong …
Be aware, I am running Windows10 Pro 64bit with all the very latest updates
Ok great, I suspected the test would pass but it’s good to get firm confirmation.
I don’t have any other ideas at the moment, but I am personally unfamiliar with minio S3. I know it has been discussed numerous times on the forum, and I believe there are people who use it successfully.
I could try to do a test on my side. Can you tell me exactly what version of minio you are running? Is it running as a docker container on your TrueNAS? Or maybe TrueNAS calls them Jails. I may need to know exactly what version of TrueNAS you are running, too.
I was testing with a truenas core 12U8 system, and I decided to also test this using a test system running 13B1. In both cases I use the build-in S3-service (so no jails or vm).
The results for both systems are the same, as described before.
In both cases “S3 Browser” works as expected.
Below the exact minio versions
panda% pkg info -xI minio
minio-2021.10.23.03.28.24 Amazon S3 compatible object storage server
minio-client-2020.04.04.05.28.55_3 Replacement for ls, cp, mkdir, diff and rsync commands for filesystems
root@Lion[~]# pkg info -xI minio
minio-2021.12.27.07.23.18_1 Amazon S3 compatible object storage server
minio-client-2021.12.10.00.14.28 Replacement for ls, cp, mkdir, diff and rsync commands for filesystems
Note that I do not have a valid certificate installed, however I assume that that only affects the browser, not the ftp-sessions (in case of SyncBackPro or S3 Browser, at least there is not issue).
Minio do not allow me to access the browser for that reason, however that is not what I need for the moment, and generating valid certificate or a certificate is just to complicated and over the top for now.
Great, thank you for the detailed information. I’ll try to set up a test system and see if I can replicate your results, and hopefully find a solution.
It still does not work, however I did some further testing on my 13B1 test platform.
- I did create a CA within Truenas/System/CAs. That is ofcause just a local CA (with a path lengs of 2 to allow path extension
- then I created a certificate based on that CA “s3.mynas.gz.lan” with as alternate “www.s3.mynas.gz.lan”
- and instructed the S3 server to use that certificate and path.
With that certificate in place I could access the minio gui (assume you accept the not valid
So, then I tried duplicati again. Duplicati respond with a different error now (can not connect Unsuccessfil response from server without XML error. See picture below.
Not that I understand the error, neither why the error changes after changing the GUI related?? certificate, neither why e.g. the S3-browser do not need this …
Ok I set up a test VM with TrueNAS 12U8 and got it to work just fine with Duplicati. No issues at all. I did not test SSL yet, I chose
--- when it asked me what certificate to use.
I used default ports of 9000 for the S3 service and 9001 for the web console. I configured Duplicati to use the 9000 port of course:
Duplicati offered to create the “test1” bucket for me, which worked. And it offered to create “testpath” which also seemed to succeed. I did a test connection and it worked:
I then ran a backup and it worked. I see the files in the S3 Console:
So I’m not really sure why you are having this issue… hmmm
Yep, I see that it worked in your case, never the less it does not in mine
I did additional tests today. Some conclusions / remarks
- one significant error was gone after a manual upgrade from 12U8 to 13B1 …
- I normally have ssl activated, which does not give any problems when using e.g. S3-browser
- Since part of the problem could be … certificate related (despite quit different error messages)
I also tried without ssl, which does not solve the problems
- and I tried to use my valid wildcard certificate together with the related path, which did not solve the problem, even made it worse since the wildcard does not allow more than one extra path depth, where, I / the application does need two (like www.S3.
- the main error popups I get, are still related to ^xml-issues^
- I also tried with the url replaced with an ip-address like what you are doing. As expected same results
PS note that my server and client are in two different VLAN’s (path allowed by FW of course)
My network does also support IPV6, however I am not using IPV6 in this case
What are your language settings in the Windows 10 machine and also on the TrueNAS? It shouldn’t matter, but I can try setting mine the same way to see if I can then reproduce the issue.
TrueNas language is englisch, windows 10 64bit pro is dutch.
I am testing with 13B1 now since I noticed better behavoir
SyncBackPro do works with and without encryption assuming both sides are configured the same way
(cert — and no encryption / cert xyz and yes encryption, where the cert is not necessary a valid cert)
S3 browser seems a bit more critical, the cert should match the url, but the ca can be local
- using minio SDK ssl samecert => xml error
- using amazon SDK with ssl => trust failure (which I can imagine) ;
- using minio SDK without encryption => worked !!
- using amazon SDK without encryption = worked !!
So, also these retests seems to confirm that 13B1 works better that 12U8. And in the SSL situation it does not work, where the amazon SDK response is probably valid, and the minio SDK error is “strange”
It is a pity that I can not test with a completely valid certificate. As said I do have a wildcard certificate but that one only supports one star level. So I can use the certificate for “nas.mydomain.nl” but not for “www.nas.mydomain.nl” which is at least required for the gui
Oh you got it to work now (without SSL though)? That’s an improvement!
You should be able to use SSL and trust the fingerprint of the certificate. That way it doesn’t matter if the certificate wasn’t issued by a public CA.