Bug 1327100
| Summary: | [Doc RFE] Document RGW Native SSL Support in Administration Guide | ||
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Ceph Storage | Reporter: | Anjana Suparna Sriram <asriram> |
| Component: | Documentation | Assignee: | John Wilkins <jowilkin> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | shilpa <smanjara> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 2.0 | CC: | agunn, asriram, hnallurv, kdreyer, khartsoe, mbenjamin, mwatts, nlevine, uboppana |
| Target Milestone: | rc | ||
| Target Release: | 2.2 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-03-21 23:48:32 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1258961 | ||
| Bug Blocks: | |||
Description
Anjana Suparna Sriram
2016-04-14 09:44:28 UTC
*** Bug 1417056 has been marked as a duplicate of this bug. ***

Hi Anjana, Is there a link for the documentation for both RHEL and Ubuntu? The link in c#2 seems to be an old one?

Shilpa, here is what we had beforehand. We should also verify generating SSL certs and self-signed stuff so that people have that on hand as well. I don't have guidelines in here for Civetweb, so I'm sure that will be the first request.

http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_generating_ssl_certificates

http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_creating_a_self_signed_certificate

http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_using_ssl_with_civetweb

(In reply to John Wilkins from comment #9)
> Shilpa, here is what we had beforehand. We should also verify generating SSL
> certs and self-signed stuff so that people have that on hand as well. I
> don't have guidelines in here for Civetweb, so I'm sure that will be the
> first request.
>
> http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_generating_ssl_certificates
>
> http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_creating_a_self_signed_certificate
>
> http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_using_ssl_with_civetweb

Hi John,

We have only tested with CA signed certificate. I am not sure if it works with self-signed cert. @marcus, @matt can you please confirm?
See

http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_creating_a_self_signed_certificate

and

http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_using_ssl_with_civetweb

(In reply to John Wilkins from comment #18)
> See
> http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_creating_a_self_signed_certificate
>
> and
>
> http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_using_ssl_with_civetweb

Thanks John,

The command, "openssl genrsa -des3 -out server.key 1024" requires you to enter a passphrase. RGW fails to start when we use the cert generated this way because civetweb expects a different pem format.

civetweb: 0x7f1659a06dc0: set_ssl_option: cannot open /etc/pki/ca-trust/source/anchors/server.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line

But "openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.csr -days 365 -nodes" does not require us to generate passphrase and this cert meets civetweb's requirement. This worked for me.

Also, in "Using SSL in civetweb" section, the pem file name used in the doc is server.pem. That needs to be changed here:

[client.rgw.{hostname}]
rgw_frontends = "civetweb port=443s ssl_certificate=/etc/ceph/private/cert.pem"

The last line about using --insecure option is applicable only while running swift commands.
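
A pre-flight check for the PEM file named in ssl_certificate, covering the failure cases reported in the comment above (added example, not part of the bug comments or the Red Hat documentation). It assumes civetweb wants the certificate and an unencrypted private key together in one PEM file; check_pem_bundle, sample_block and the sample data are constructed for illustration.

```python
import re

# PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def check_pem_bundle(text):
    """Return a list of problems found in a combined cert+key PEM file."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        # The condition OpenSSL reports as "PEM_read_bio:no start line".
        return ["no PEM start line (empty, DER-encoded or wrong file?)"]
    problems = []
    labels = [label for label, _ in blocks]
    for label, body in blocks:
        # Traditional keys mark encryption in a header (e.g. genrsa -des3);
        # PKCS#8 encrypted keys carry their own label.
        if label == "ENCRYPTED PRIVATE KEY" or (
                label in KEY_LABELS and "Proc-Type: 4,ENCRYPTED" in body):
            problems.append("private key is passphrase-protected")
        if label == "CERTIFICATE REQUEST":
            problems.append("contains a CSR, which is not a certificate")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not any(l in KEY_LABELS or l == "ENCRYPTED PRIVATE KEY" for l in labels):
        problems.append("no private key block")
    return problems


def sample_block(label, headers=""):
    # Constructed placeholder body, not real key material.
    return (f"-----BEGIN {label}-----\n{headers}QUJDREVGR0g=\n"
            f"-----END {label}-----\n")


# Constructed samples mirroring the cases discussed in the thread.
GOOD = sample_block("CERTIFICATE") + sample_block("PRIVATE KEY")
DES3 = sample_block("CERTIFICATE") + sample_block(
    "RSA PRIVATE KEY",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n")
CSR_ONLY = sample_block("CERTIFICATE REQUEST") + sample_block("PRIVATE KEY")

if __name__ == "__main__":
    for name, pem in [("good", GOOD), ("des3", DES3),
                      ("csr", CSR_ONLY), ("der", "\x30\x82")]:
        print(name, check_pem_bundle(pem) or "ok")
```
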
(In reply to John Wilkins from comment #20)
> http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_creating_a_self_signed_certificate

Hi John,

We don't need this command:

# openssl req -new -key server.key -out server.csr

RGW fails to start when you generate a challenge password with this command. Everything else looks fine. Thanks!

(In reply to John Wilkins from comment #22)
> http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_creating_a_self_signed_certificate

Thanks! lgtm

Looks good. Thanks Bara and John.

http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_using_ssl_with_civetweb

http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20Ubuntu%20(html-single)/lastSuccessfulBuild/artifact/Ubuntu/index.html#_using_ssl_with_civetweb

Verified