Bug 1425710

Summary: RGW service fails to start with SSL configured on Ubuntu
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: shilpa <smanjara>
Component: RGWAssignee: Marcus Watts <mwatts>
Status: CLOSED ERRATA QA Contact: shilpa <smanjara>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 2.2CC: cbodley, ceph-eng-bugs, hnallurv, kbader, kdreyer, mbenjamin, mwatts, owasserm, sweil, tserlin
Target Milestone: rc   
Target Release: 2.2   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: RHEL: ceph-10.2.5-34.el7cp Ubuntu: ceph_10.2.5-26redhat1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-14 15:49:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description shilpa 2017-02-22 08:12:04 UTC 
Description of problem:
RGW fails with error:

2017-02-22 07:10:00.734805 7f3c163dea00  0 civetweb: 0x55ccf9ca59e0: load_dll: cannot load libssl.so
2017-02-22 07:10:00.734860 7f3c163dea00  0 civetweb: 0x55ccf9ca59e0: load_dll: cannot load libcrypto.so

Version-Release number of selected component (if applicable):
10.2.5-21redhat1xenial

How reproducible:
Always

Steps to Reproduce:
1. Generate a CA signed certificate.
2. Add the pem key to /usr/share/ca-certificates/ and add it to trusted ca-certs in /etc/ssl/certs/ca-certificates.crt
3. In ceph.conf add the line and restart rgw:
rgw frontends = civetweb port=443s ssl_certificate=/usr/share/ca-certificates/myca.pem

Actual results:
RGW restart fails with:

2017-02-22 07:10:00.734669 7f3c163dea00  0 starting handler: civetweb
2017-02-22 07:10:00.734693 7f3c163dea00 20 civetweb config: decode_url: no
2017-02-22 07:10:00.734694 7f3bdd5f1700  5 process_single_shard(): failed to acquire lock on obj_delete_at_hint.0000000001
2017-02-22 07:10:00.734696 7f3c163dea00 20 civetweb config: enable_keep_alive: yes
2017-02-22 07:10:00.734698 7f3c163dea00 20 civetweb config: listening_ports: 443s
2017-02-22 07:10:00.734699 7f3c163dea00 20 civetweb config: num_threads: 100
2017-02-22 07:10:00.734700 7f3c163dea00 20 civetweb config: run_as_user: ceph
2017-02-22 07:10:00.734701 7f3c163dea00 20 civetweb config: ssl_certificate: /usr/share/ca-certificates/myca.pem
2017-02-22 07:10:00.734701 7f3bdd5f1700 20 proceeding shard = obj_delete_at_hint.0000000002
2017-02-22 07:10:00.734770 7f3bdddf2700  0 RGWGC::process() failed to acquire lock on gc.26
2017-02-22 07:10:00.734805 7f3c163dea00  0 civetweb: 0x55ccf9ca59e0: load_dll: cannot load libssl.so
2017-02-22 07:10:00.734860 7f3c163dea00  0 civetweb: 0x55ccf9ca59e0: load_dll: cannot load libcrypto.so
2017-02-22 07:10:00.734870 7f3c163dea00 -1 ERROR: failed run


Additional info:
Adding an attachment with steps followed. Note that the same configuration worked on RHEL.
Comment 13 Ken Dreyer (Red Hat) 2017-02-27 16:37:05 UTC 
Where is the PR to master for this change? Or Redmine ticket tracking the backport to Jewel?
Comment 14 Matt Benjamin (redhat) 2017-02-27 17:44:53 UTC 
(In reply to Ken Dreyer (Red Hat) from comment #13)
> Where is the PR to master for this change? Or Redmine ticket tracking the
> backport to Jewel?

Hi Ken,

There's currently not a corresponding change for master, as the changes for cmake build are completely different--but still needed, going forward.

Matt
Comment 15 Ken Dreyer (Red Hat) 2017-02-27 18:01:09 UTC 
We'll still need this in v10.2.6 or v10.2.7 going forward. Mind filing a Redmine ticket and connecting it up here in External Trackers?
Comment 16 Marcus Watts 2017-03-01 07:06:04 UTC 
I filed a duplicate bug before noticing Thomas had beat me to making a ticket.  Yes, I'll need to make the cmake fix for master.
Comment 18 shilpa 2017-03-03 05:52:47 UTC 
Verified on ceph_10.2.5-26
Comment 20 errata-xmlrpc 2017-03-14 15:49:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0514.html