Unsecured presigned object urls in openvidu3.3.0 + managing latest minio

Hello everyone, recently we have updated our openvidu single instance from 3.0.0 to 3.3.0 and so far most of things are working except for managing the minio instance. We noticed two issues. (1) The minio console is now way different from how it was and for instance it is now impossible to create app access keys so that our backend apps (minio client instance on nodejs) can for example generate presigned object urls. (2) Speaking of which, we created access key before in openvidu 3.0.0. and it still works but for some reason when we create minio client instance on nodejs like this:

const minioClient = new Minio.Client({
  endPoint: process.env.MINIO_ENDPOINT,
  port: 9000,
  useSSL: true,
  accessKey: process.env.MINIO_ACCESS_KEY,
  secretKey: process.env.MINIO_SECRET_KEY
});

We get following error in nodejs logs:

Error generating URL for LargeChatArea4-2025-07-01T193202-RM_sDkM5SFQD6ry.mp4: Error: write EPROTO 00DF980002000000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:355: at WriteWrap.onWriteComplete [as oncomplete] (node:internal/stream_base_commons:94:16) {
  errno: -100,
  code: 'EPROTO',
  syscall: 'write'
}

but when we set useSSL to false, it generates the link correctly but over http instead of https. Making https via code or manually changing makes the link unusable. The page just opens with the message that server responded with invalid response.

The nodejs code uses minio 8.0.5 package.

Clarification on how to use the minio dashboard and generating download links with latest version would be really appreciated.

Yes, I think this is a regression, to fix a wrong redirection we removed the SSL from the minio exposed server. Let me see what you need to add to your caddy.yaml config file to enable it again.

I will take it into account to fix it in 3.4.0

@cruizba, thank you for your attention to this matter. I will be waiting for your response. At the moment our caddy.yaml is the default config that comes after installing the openvidu. We did clean installation.

What type of certificate are you using? You can check it in /opt/openvidu/deployment-info.yaml

letsencrypt
I have ran this command to install the openvidu

sh <(curl -fsSL http://get.openvidu.io/community/singlenode/latest/install.sh) \
    --no-tty --install \
    --domain-name='*****' \
    --enabled-modules='observability,app' \
    --turn-domain-name='' \
    --experimental-turn-tls-with-main-domain \
    --livekit-api-key='****' \
    --livekit-api-secret='****' \
    --dashboard-admin-user='*****' \
    --dashboard-admin-password='*****' \
    --redis-password='*****' \
    --minio-access-key='*****' \
    --minio-secret-key='*****' \
    --mongo-admin-user='*****' \
    --mongo-admin-password='*****' \
    --mongo-replica-set-key='*****' \
    --grafana-admin-user='*****' \
    --grafana-admin-password='*****' \
    --default-app-user='user' \
    --default-app-password='*****' \
    --default-app-admin-user='*****' \
    --default-app-admin-password='*****' \
    --certificate-type='letsencrypt' \
    --letsencrypt-email='*****'
1 Like

@misha follow the following instructions:

  1. Open /opt/openvidu/config/caddy.yaml

  2. Locate the following section:

    
          minio:
            listen:
              - ":${openvidu.CADDY_MINIO_PUBLIC_PORT:?mandatory}"
            logs:
              default_logger_name: default
            routes:
              - handle:
                  - handler: reverse_proxy
                    health_checks:
                      active:
                        expect_status: 200
                        interval: 5s
                        timeout: 2s
                        uri: "/minio/health/live"
                    upstreams:
                      - dial: "127.0.0.1:${openvidu.MINIO_API_INTERNAL_PORT:?mandatory}"
    
  3. Add the following at the end of the minio http server:

                match:
                  - host:
                      - ${openvidu.DOMAIN_NAME:?mandatory}
    

    The section will be like this after adding the match:

          minio:
            listen:
              - ":${openvidu.CADDY_MINIO_PUBLIC_PORT:?mandatory}"
            logs:
              default_logger_name: default
            routes:
              - handle:
                  - handler: reverse_proxy
                    health_checks:
                      active:
                        expect_status: 200
                        interval: 5s
                        timeout: 2s
                        uri: "/minio/health/live"
                    upstreams:
                      - dial: "127.0.0.1:${openvidu.MINIO_API_INTERNAL_PORT:?mandatory}"
                match:
                  - host:
                      - ${openvidu.DOMAIN_NAME:?mandatory}
    

Let me know if this fix your issue! :slight_smile:

2 Likes

It worked
Thank you @cruizba

2 Likes