Trying to set up PBS to use S3 on QUObjects App (QNAP)

fribse

Feb 2, 2022
I have a working QUObjects running on my (old) QNAP nas.
It's working quite well, and I've configured Duplicati to use it for storage.
Now I want PBS to use that as well, but I can't seem to get the buckets listed.

QUObjects has a rather peculiar access key format, as it's a user access.

S3 Endpoint: https://s3.domain.tld:8010
Access Key: s3pve:randomsetofcharacters
Secret Key: randomsetofcharacters

The buckets are called vm and ct
In Duplicati the TargetURL looks like this:
"s3s://bucket/?s3-server-name=s3.domain.TLD%3A8010&s3-location-constraint=&s3-storage-class=&s3-client=aws&auth-username=storage%3randomlistofstrings&auth-password=randomlistofstrings&accept-any-ssl-certificate=true",

I am unsure how to get that done in PBS??

Anybody that has some insights?
 
I did mark that.
I filled it in like this
[Attached screenshot: 1763935266846.png]
I'm not sure how to mark it as with SSL, when it's on an 'atypical' port.
I have of course redacted parts of the key and endpoint a bit :-)
 
Remove the region? It's not Amazon AWS S3 after all ...
The rest looks the same as mine; I used an internal IP instead of a domain name.

Add that fingerprint if you use a self-signed SSL certificate.
 
I tried both with and without region. I have a Let's Encrypt certificate on it, so the fingerprint isn't needed.
I just get a '400 Bad request' when it tries to list the buckets.
 
The rights are set up, in QUObjects it's rather simple. You create a NAS user, and give that user rights to the shared folder. Then in QUObjects, you create a bucket (or more) in that storage space (shared folder) and then a key and secret key for that user.
Then when showing the keys, you select which storage space it is for, and it shows the keys and endpoint.
 
Did you set up Proxmox Backup Server towards QUObjects?
Are you using SSL?
Which port is QUObjects on?
I tried tearing it down and recreating it, no luck.
 
Is this a local network connection or over the internet?
Any Proxy / Firewall between PBS and QUObject?
Can you try the IP Address instead of the DNS name (don't forget the Fingerprint if you try the IP Address)?
*edit*
Do you use a self-signed SSL certificate?

Yes, I added QUObject as S3 Store to PBS, SSL is enabled, Port 8010 (default) and it works for me. I used an internal IP address and added a fingerprint because the certificate is self-signed.
 
As I mentioned previously in the thread, it's a Let's Encrypt certificate. The plan is to place the QNAP off-site to get an off-site backup, so by giving it a hostname, I can always change the DNS the hostname is pointing to when it's moved.
It's currently placed in a DMZ on my site, but there are no firewall limitations from production LAN to DMZ, and it works fine for Duplicati.

But I just tried with the IP and thumbprint, and then it works!
It still doesn't work if I use the hostname, and give the thumbprint.
If I ping from Proxmox Backup Server, it still returns the correct IP address, so it's not like it can't resolve it.
I also tried opening a browser to the NAS on port 8010, and even though the webpage says Not found, the site is correctly encrypted.
It's a bit of a problem to have a fingerprint on a Let's Encrypt certificate. I would really like to not have to use a self-signed one, now that I've spent quite a bit of time getting that to work, and it works so well with the other clients, though I had to mark them as 'accept all certificates'.
I guess it could be because the clients aren't updated on the new Let's Encrypt root CA?
 
OK, but you are now a step closer - you know it at least works with the IP address.
> I also tried opening a browser to the nas on port 8010, and even though the webpage says Not found, the site is correctly encrypted.
On that "not found" page, can you check the certificate in your browser? If it's not the Let's Encrypt cert then QUObject may use its own certificate and PBS may refuse to connect? I checked my QNAP again and there are 2 options for how QUObjects can work, as its own service and as a vhost. What option did you use?

You only need the fingerprint if you use the IP address and / or a self-signed cert. With the hostname and a Let's Encrypt cert you should not use it, otherwise you would have to update the fingerprint every time the certificate changes, and with Let's Encrypt that's currently every 3 months?

> I had to mark them as 'accept all certificates'
That doesn't sound right, normally any client software (except maybe browsers ...) would use the certificate stack of the OS. PBS is based on Debian 13 so that should work fine with Let's Encrypt.

When you put the QNAP offsite I would suggest putting a firewall before it and limiting access from the internet to QUObject to your onsite IP only.

> I guess it could be because the clients aren't updated on the new letsencrypt root ca?
What client OS do you use? Anything somewhat current should accept Let's Encrypt certificates. And if not, you could add the Let's Encrypt root CA certs to your OS trusted certificate stack.
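
The distinction drawn in the post above (CA and hostname validation versus a pinned fingerprint) can be checked from the PBS host for both the hostname and the IP. This is an added example, not part of the original thread or Proxmox's code; `sha256_fingerprint`, `pin_matches` and `probe` are hypothetical helper names, and port 8010 is the QUObjects port quoted in the thread.

```python
import hashlib
import socket
import ssl


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 of the DER-encoded certificate."""
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der: bytes, configured: str) -> bool:
    """Compare a configured fingerprint with the served cert, ignoring case and separators."""
    wanted = configured.replace(":", "").replace(" ", "").lower()
    return wanted == hashlib.sha256(der).hexdigest()


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Report how one endpoint looks under CA validation and under pinning."""
    result = {"target": f"{host}:{port}"}
    # 1) What a client relying on the OS trust store sees (chain + name check).
    try:
        ctx = ssl.create_default_context()
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                result["ca_validation"] = "ok"
    except ssl.SSLCertVerificationError as exc:
        result["ca_validation"] = f"failed: {exc.verify_message}"
    except OSError as exc:  # refused, timed out, or non-certificate TLS error
        result["ca_validation"] = f"failed: {exc}"
        return result
    # 2) Diagnostic only: fetch the leaf unvalidated to compute its fingerprint.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    result["sha256"] = sha256_fingerprint(der)
    return result


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:  # pass the hostname and the IP as arguments
        print(probe(target, 8010))
```

A publicly trusted certificate should report `ca_validation: ok` for the hostname and a name mismatch for the bare IP, which is the case where a fingerprint is required.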
 
Yes, the certificate chain is correct, that is what I meant with the site is correctly encrypted.
It's the Let's Encrypt certificate.
I know that the thumbprint is only needed for non-valid certificates, but some of the S3 clients don't have the new root cert LE uses, so I just wanted to make sure that that wasn't the case here.
I can see that after I upgraded Duplicati to 2.2.0.1 (the latest stable) I don't have to mark it to accept all certificates.

Yes, of course I will put it behind a FW. I've worked with IT infrastructure for 30+ years, so I'm well aware of the challenges. It will not only be behind a firewall, it will be on an isolated DMZ on the remote site, so they can't access it locally, and the firewall's NAT will only be open to my IP :)

I've also tried going and buying a 'real' SSL certificate; that didn't change anything when using the hostname, but now at least the thumbprint won't change for a year, and if I give PBS an IP and a thumbprint it works, so for some reason the experimental S3 client in Proxmox is very odd with this certificate thing when using hostnames? Even odder is that it works with iDrive E2 etc., which actually use hostnames, albeit a subdomain with a wildcard on it.