Setting up self-hosted Minio on Windows 10 with automatically renewing SSL certificate

How to install minio on Windows 10 with valid SSL certificate

In this guide we’ll walk through the steps of installing an Amazon S3 compatible service on Windows 10 using minio, a cross-platform implementation of the S3 API.

While minio has a client and an SDK library as well, we’ll only focus on the server side component for now.

Our goals

  • install a fully S3 compatible service
  • start automatically on system startup
  • transport should be protected by a valid SSL certificate (for free)

Using minio you’ll be able to implement secure backup easily between Windows workstations which is very similar to the capabilities CrashPlan had.

Assumptions in this guide

  • minio will run on Windows 10
  • computer is accessible on TCP port 9000 over the internet
  • application files and scripts will be placed to E:\minio\
  • buckets will be stored in E:\minio-data\
  • nssm will be installed to E:\nssm\
  • duplicati will backup data to a bucket called duplicati-test
  • the service will be run as a local administrator user called sysadmin. Its home directory is C:\Users\sysadmin\
  • the computer’s public IP address is 111.111.111.111

Additional assumptions for SSL

  • free DNS is provided by duckdns.org
  • the DNS name is minio-belidzs.example.com and it points to 111.111.111.111

All of the suggestions above can (and should) be replaced by your own values as long as the change is consistent throughout this guide.

Running the service as an admin user is not required. However you’ll need to have admin rights at least during the installation of the service.

Download and run

  1. Create a directory for the application: E:\minio\
  2. Create a directory for the data: E:\minio-data\
  3. Download minio for Windows x64 or minio for Windows x32 to E:\minio\

Verification

  1. Open a command prompt as user sysadmin. Either log in as sysadmin, or hit Windows to open Start menu and type cmd then hit CTRL + SHIFT + Enter. This will open console as sysadmin. Provide its credentials if needed.
  2. Go to the application directory: cd E:\minio\
  3. Start minio: minio.exe server E:\minio-data
  4. Note the location of the configuration files, you’ll need it later:
    Created minio configuration file successfully at C:\Users\sysadmin\.minio
  5. Note AccessKey and SecretKey. These will be needed later on.
  6. Open a browser on the local computer, and open minio’s web interface
  7. Use AccessKey and SecretKey from above to log in
  8. Click on the red plus sign in the lower right part of the web page
  9. Click on Create bucket and enter duplicati-test
  10. Refresh browser and make sure you’re in duplicati-test bucket
  11. Click on the red plus sign in the lower right part of the web page
  12. Click on Upload a file and select an arbitrary file
  13. Check in the file system that the test file was successfully uploaded to E:\minio-data\duplicati-test with Windows Explorer, Total Commander or any other suitable tool

Accessing remotely

You need to make sure you can access your service from the computer you want to send backup from.

You’ll need to use the public IP of your computer which you can find out here: dyndns.

  1. If it says 111.111.111.111 then write http://111.111.111.111:9000 into the browser’s address bar on the client computer
  2. Log in with the AccessKey and SecretKey from the previous chapter
  3. Try to download the file you’ve just uploaded

If you cannot access minio, you might need to enable inbound TCP port 9000 on your firewall. This is usually set up by minio itself on its first startup.

If you’re behind NAT, you’ll probably have to set up port forwarding. Search Google on how to do this.

Note

If you want to use minio on a different port (e.g. 9001), add the following command line option: --address :9001

Installing as a service

We’re going to use the excellent nssm to convert minio to a regular Windows service.

  1. Create a directory for nssm: E:\nssm\
  2. Download nssm and unzip the appropriate version of nssm.exe to this directory
  3. Open a command prompt as user sysadmin. Either log in as sysadmin, or hit Windows to open Start menu and type cmd then hit CTRL + SHIFT + Enter. This will open console as admin. Provide any credentials if needed.
  4. Go to nssm’s directory: cd E:\nssm\
  5. Install service: nssm.exe install Minio E:\minio\minio.exe server E:\minio-data\
  6. Open services: Hit Windows to open Start Menu, type services and hit CTRL + SHIFT + Enter. Provide administrator credentials if required
  7. Find minio and double-click on its name to open properties
  8. Set Startup type to Automatic
  9. Change to Log On tab and make sure that minio will run as the user you want it to (sysadmin)
  10. Close the properties window
  11. Stop minio if it’s still running (CTRL+C)
  12. Start minio as service: Right click on the service name and Start

Congratulations, you have just installed an unsecured S3 compatible service on Windows.

Verification

  1. Restart computer
  2. Access minio locally
  3. Upload a file
  4. Access minio remotely
  5. Download a file

Get valid SSL certificate to secure network transport

This covers an advanced topic which requires a lot of work to implement but I think it’s always a good idea to protect sensitive data in transport.

If you decide not to proceed further, your files’ confidentiality will still be protected, meaning no one will be able to look into your archives (as long as you let duplicati encrypt your archives). However, your AccessKey will be revealed to the public in the HTTP headers.

While SecretKey is not travelling directly in the stream, people with enough computing resources can relatively easily deduce it from your network traffic, which means they could be able to gain access to and delete your backup files.

A valid SSL certificate not only encrypts your whole traffic between the client and the server, but also guarantees that the host you are talking to is actually the host who owns the DNS name you are connecting to. So you are not uploading backup files to an unknown server.

Subdomain registration

If you don’t have a DNS name pointing to your IP address yet, you have to create one for the certificate. Fortunately it can be easily done for free on duckdns.org.

  1. Register on duckdns.org using any method offered
  2. Type your chosen subdomain: minio-belidzs and click add domain
  3. Update current IP if needed
  4. Verify in a browser that you can access minio using the DNS name you have just created: http://minio-belidzs.example.com:9000

Install Bash on Ubuntu on Windows

This will install a Linux-like subsystem in your OS with the exception of the actual Linux kernel. Learn more about this innovation of Microsoft.

  1. Open PowerShell as an administrator: Hit Windows to open Start Menu, type powershell and hit CTRL + SHIFT + Enter. Provide any administrator credentials if required
  2. Run this command: Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
  3. Restart your computer when prompted.

Install acme.sh

acme.sh is an ACME client written in Bash. It implements the ACME protocol which is used to verify domain ownership and to download valid SSL certificates from Let’s Encrypt.

Verification has many forms. In this guide we will use duckdns.org’s API to serve a temporary TXT record as a form of verification. This is probably the easiest way to do it, because otherwise you might have to open tcp ports 80 or 443 which complicates things.

  1. Open a command prompt as user sysadmin. Either log in as sysadmin, or hit Windows to open Start menu and type cmd then hit CTRL + SHIFT + Enter. Provide credentials of sysadmin if needed.
  2. Run bash
  3. If this is your first time starting Bash on Ubuntu on Windows, create a new user inside Ubuntu, preferably using the same name as in Windows: sysadmin
  4. Run this command to install acme.sh: curl https://get.acme.sh | sh
  5. Close and reopen Bash so the alias is activated
  6. Execute acme.sh inside Bash to see if installation was successful

Get SSL certificate

  1. Determine your minio configuration directory. It was displayed when you first started it: C:\Users\sysadmin\.minio\
  2. Open a command prompt as user sysadmin. Either log in as sysadmin, or hit Windows to open Start menu and type cmd then hit CTRL + SHIFT + Enter. Provide sysadmin's credentials if needed.
  3. Run bash
  4. Open a browser and log in to duckdns.org
  5. Copy your token from the main page
  6. Export token as a Bash variable by executing this command: export DuckDNS_Token="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
  7. Check if your environment variable was successfully created in Bash: echo $DuckDNS_Token
  8. Get your certificate files and automatically copy them to minio’s configuration directory with the following command (please change domain name and /mnt/c/Users/sysadmin/.minio/ if needed):
    acme.sh --issue --dns dns_duckdns --domain minio-belidzs.example.com --key-file /mnt/c/Users/sysadmin/.minio/certs/private.key --fullchain-file /mnt/c/Users/sysadmin/.minio/certs/public.crt
  9. Restart minio service
  10. Test your new certificate by visiting https://minio-belidzs.example.com:9000 (note that this is now https instead of plain http)

Great, now your minio service is SSL protected!

However, Let’s Encrypt certificates are only valid for 90 days. Going through the process above every 3 months is not very efficient, so let’s automate the renewal process!

Setting up automatic renewal

The following script runs acme.sh to automagically renew the certificate, but only if it’s necessary.

In case it is time to renew, touch will create an empty file called renewed in your minio folder.

If the renewed file exists, the script will restart the minio service to reload certificates, then delete the file.

  1. Copy and paste this script into E:\minio\renew-cert.bat (customize if necessary):
    @echo off
    rem Run acme.sh's cron job inside Bash; the renew hook creates a marker file when a certificate was renewed
    %windir%\system32\bash.exe -l "/home/sysadmin/.acme.sh"/acme.sh --cron --home "/home/sysadmin/.acme.sh" --renew-hook "/usr/bin/touch /mnt/e/minio/renewed"
    rem If the marker file exists, restart minio so it loads the new certificate, then remove the marker
    if exist E:\minio\renewed (
        net stop minio
        net start minio
        del E:\minio\renewed
    )
  2. You can test if it’s working correctly by adding the --force parameter to the end of acme.sh command to force issuing new certificates each time.
    Note that Let’s Encrypt has a throttling policy in place so issuing too many certificates too quickly will get you banned from their service for a while. While you are testing, you can add --test parameter to the command so that your request will go to the staging server instead of the production. While the issued certificates are invalid, you can issue as many as you need without getting banned.
  3. Open Task Scheduler as administrator. Open Start Menu then start typing Task Scheduler then hit CTRL+SHIFT+Enter. Provide an administrator’s credentials.
  4. Right click on Task Scheduler Library, then Create Task...
  5. Name: renew-cert
  6. Make sure running user is the same who created the Bash environment: sysadmin. If not, click on Change User or Group
  7. Check Run whether user is logged on or not
  8. On Triggers click on New...
  9. Set Daily and select a random time.
    Keep in mind that whenever a certificate is due for renewal, the service will be stopped for a few seconds
  10. On Actions click New...
  11. Browse... for your script’s location: E:\minio\renew-cert.bat
  12. Save your task and you’re done
  13. You can run a test again by running the task manually

Configuring Duplicati to use your own S3 server

  1. Add a new backup
  2. Name: Test
  3. Encryption and passphrase: anything you like
  4. Storage type: S3 Compatible
  5. Use SSL: check (only if you have activated SSL in minio)
  6. Server: Custom server url
  7. Custom S3 endpoint: minio-belidzs.example.com:9000
  8. Bucket name: duplicati-test
  9. AWS Access ID: your minio’s AccessKey
  10. AWS Access Key: your minio’s SecretKey
  11. Open Advanced options
  12. Add advanced option: s3-ext-forcepathstyle and check it. This is always required by minio
  13. Add advanced option: allowed-ssl-versions, hold Control and select Tls12 too. This is only needed if you run Duplicati as a service. Read more about this issue here
  14. Click Test Connection
  15. Proceed as usual

If the test succeeded you can run a backup task to see if files are actually uploaded to E:\minio-data\.

By default at the end of every backup task there is a verification when a few random files are downloaded from the storage and checked for integrity. It is a very good test to see if the storage actually works and if it can be trusted with your data.

7 Likes
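
A check that can be run after the "Get SSL certificate" and "Setting up automatic renewal" steps of the guide above, as an added example that is not part of the original post: it confirms that the private.key and public.crt written by acme.sh belong together, cover the DNS name, and are not close to expiry. It is meant for the same Bash environment acme.sh runs in and assumes the openssl command is installed there; the script name, function names and the 20-day threshold are illustrative.

```shell
#!/bin/sh
# Added example: checks for the certificate pair acme.sh installs for minio.
# Usage: sh check-minio-cert.sh /mnt/c/Users/sysadmin/.minio/certs minio-belidzs.example.com 20
# (script name, function names and the 20-day threshold are assumptions)

# 0 if the leaf certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# 0 if private key $1 belongs to the leaf certificate in $2.
# Comparing the public keys works for RSA and ECDSA keys alike.
key_matches_cert() {
    kmc_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    kmc_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kmc_key" ] && [ "$kmc_key" = "$kmc_crt" ]
}

# 0 if the certificate in $1 was issued for host name $2.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# Runs all checks on <dir>/public.crt and <dir>/private.key.
# Prints one line per failed check and returns the number of failures.
check_minio_certs() {
    cmc_crt="$1/public.crt"; cmc_key="$1/private.key"; cmc_fails=0
    [ -r "$cmc_crt" ] && [ -r "$cmc_key" ] || { echo "FAIL: cannot read $cmc_crt or $cmc_key"; return 1; }
    cert_valid_for_days "$cmc_crt" "$3" ||
        { echo "FAIL: unreadable or expires within $3 days"; cmc_fails=$((cmc_fails + 1)); }
    key_matches_cert "$cmc_key" "$cmc_crt" ||
        { echo "FAIL: private.key does not match public.crt"; cmc_fails=$((cmc_fails + 1)); }
    cert_covers_host "$cmc_crt" "$2" ||
        { echo "FAIL: certificate was not issued for $2"; cmc_fails=$((cmc_fails + 1)); }
    [ "$cmc_fails" -eq 0 ] && echo "OK: $cmc_crt"
    return "$cmc_fails"
}

# Run the checks only when arguments are given on the command line.
if [ "$#" -gt 0 ]; then
    check_minio_certs "$@"
fi
```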

Thanks for the How-To. Just a heads-up but I was running into a problem when trying to install Minio as a service in Step 5 (Windows 7). When entering the following:

nssm.exe install d:\minio\minio.exe server d:\minio-data

I kept getting an error of:

“Error creating service! CreateService(): The filename, directory name, or volume label syntax is incorrect.”

I was able to get this to work by defining the service name like this:

nssm.exe install Minio d:\minio\minio.exe server d:\minio-data
Service “Minio” installed successfully!

1 Like

Thank you, fixed it!

1 Like

Thanks for the How-To. I’m stuck on the SSL certificate install. I’m using xxx.duckdns.org in the acme.sh script. It says it was installed just fine in Ubuntu for Windows App from the Windows Store. When I navigate to the new URL: (I’m using xxx here instead of my actual subdomain)

https://xxx.duckdns.org:9000

I get Secure Connection Failed (in Firefox as example).
The connection to xxx.duckdns.org:9000 was interrupted while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Any ideas?

Thanks.

I didn’t do this step because it was working fine under the local system account. Once I changed it to a user with local Administrator privileges, the SSL certificate started working.

Thanks.

Glad you were able to fix this!

@belidzs Thanks for this great post! I’ve run into a problem with Windows 7, Minio, Letsencrypt & SSL:

It appears the Cipher suite for Windows 7 does not include RSA encryption. The recommended solution is to use ECDSA instead. The documented way to do this is to use openssl (resulting in a self-signed cert I believe).

Acme.sh appears to support issuing ECDSA certs through Letsencrypt by adding the option --key-length 256

However, Minio won’t start for me when the resulting cert is used.

Any suggestions? Or do you think I might be stuck choosing between a self-signed cert or http if I want to enable Windows 7 machines to use Duplicati as a Crashplan alternative?

Do you know if it’s possible to have 2 different instances of Minio running on the same Windows 10 machine (one for Windows 7 clients, the other for everything else)?

Thank you so much!

@ben to be honest I have replaced Windows with Linux so I’m not very up-to-date with the current minio situation :frowning: