Better error message when TLS certs do not have proper permissions (#16703)

internal/config/certs.go

@@ -49,19 +49,19 @@ func ParsePublicCertFile(certFile string) (x509Certs []*x509.Certificate, err er
 	for len(current) > 0 {
 		var pemBlock *pem.Block
 		if pemBlock, current = pem.Decode(current); pemBlock == nil {
-			return nil, ErrSSLUnexpectedData(nil).Msg("Could not read PEM block from file %s", certFile)
+			return nil, ErrTLSUnexpectedData(nil).Msg("Could not read PEM block from file %s", certFile)
 		}
 
 		var x509Cert *x509.Certificate
 		if x509Cert, err = x509.ParseCertificate(pemBlock.Bytes); err != nil {
-			return nil, ErrSSLUnexpectedData(nil).Msg("Failed to parse `%s`: %s", certFile, err.Error())
+			return nil, ErrTLSUnexpectedData(nil).Msg("Failed to parse `%s`: %s", certFile, err.Error())
 		}
 
 		x509Certs = append(x509Certs, x509Cert)
 	}
 
 	if len(x509Certs) == 0 {
-		return nil, ErrSSLUnexpectedData(nil).Msg("Empty public certificate file %s", certFile)
+		return nil, ErrTLSUnexpectedData(nil).Msg("Empty public certificate file %s", certFile)
 	}
 
 	return x509Certs, nil
@@ -73,33 +73,33 @@ func ParsePublicCertFile(certFile string) (x509Certs []*x509.Certificate, err er
 func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error) {
 	certPEMBlock, err := os.ReadFile(certFile)
 	if err != nil {
-		return tls.Certificate{}, ErrSSLUnexpectedError(err)
+		return tls.Certificate{}, ErrTLSReadError(nil).Msg("Unable to read the public key: %s", err)
 	}
 	keyPEMBlock, err := os.ReadFile(keyFile)
 	if err != nil {
-		return tls.Certificate{}, ErrSSLUnexpectedError(err)
+		return tls.Certificate{}, ErrTLSReadError(nil).Msg("Unable to read the private key: %s", err)
 	}
 	key, rest := pem.Decode(keyPEMBlock)
 	if len(rest) > 0 {
-		return tls.Certificate{}, ErrSSLUnexpectedData(nil).Msg("The private key contains additional data")
+		return tls.Certificate{}, ErrTLSUnexpectedData(nil).Msg("The private key contains additional data")
 	}
 	if key == nil {
-		return tls.Certificate{}, ErrSSLUnexpectedData(nil).Msg("The private key is not readable")
+		return tls.Certificate{}, ErrTLSUnexpectedData(nil).Msg("The private key is not readable")
 	}
 	if x509.IsEncryptedPEMBlock(key) {
 		password := env.Get(EnvCertPassword, "")
 		if len(password) == 0 {
-			return tls.Certificate{}, ErrSSLNoPassword(nil)
+			return tls.Certificate{}, ErrTLSNoPassword(nil)
 		}
 		decryptedKey, decErr := x509.DecryptPEMBlock(key, []byte(password))
 		if decErr != nil {
-			return tls.Certificate{}, ErrSSLWrongPassword(decErr)
+			return tls.Certificate{}, ErrTLSWrongPassword(decErr)
 		}
 		keyPEMBlock = pem.EncodeToMemory(&pem.Block{Type: key.Type, Bytes: decryptedKey})
 	}
 	cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)
 	if err != nil {
-		return tls.Certificate{}, ErrSSLUnexpectedData(nil).Msg(err.Error())
+		return tls.Certificate{}, ErrTLSUnexpectedData(nil).Msg(err.Error())
 	}
 	return cert, nil
 }

internal/config/errors.go

@@ -225,19 +225,19 @@ Examples:
 		`Use 'sudo setcap cap_net_bind_service=+ep /path/to/minio' to provide sufficient permissions`,
 	)
 
-	ErrSSLUnexpectedError = newErrFn(
-		"Invalid TLS certificate",
-		"Please check the content of your certificate data",
-		`Only PEM (x.509) format is accepted as valid public & private certificates`,
+	ErrTLSReadError = newErrFn(
+		"Cannot read the TLS certificate",
+		"Please check if the certificate has the proper owner and read permissions",
+		"",
 	)
 
-	ErrSSLUnexpectedData = newErrFn(
+	ErrTLSUnexpectedData = newErrFn(
 		"Invalid TLS certificate",
 		"Please check your certificate",
 		"",
 	)
 
-	ErrSSLNoPassword = newErrFn(
+	ErrTLSNoPassword = newErrFn(
 		"Missing TLS password",
 		"Please set the password to environment variable `MINIO_CERT_PASSWD` so that the private key can be decrypted",
 		"",
@@ -255,7 +255,7 @@ Examples:
 		"",
 	)
 
-	ErrSSLWrongPassword = newErrFn(
+	ErrTLSWrongPassword = newErrFn(
 		"Unable to decrypt the private key using the provided password",
 		"Please set the correct password in environment variable `MINIO_CERT_PASSWD`",
 		"",