Bug 2330954

Summary: Cephadm feature to create self signed certificates for RGW is not adding a SAN for *.example.com on the created Certificate
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: daniel parkes <dparkes>
Component: Cephadm
Assignee: Kushal Deb <kdeb>
Status: CLOSED ERRATA
QA Contact: Hemanth Sai <hmaheswa>
Severity: high
Docs Contact:
Priority: unspecified
Version: 8.0
CC: adking, cephqe-warriors, hmaheswa, kdeb, rkachach, saraut, tserlin
Target Milestone: ---
Target Release: 8.1
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ceph-19.2.1-86.el9cp
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2025-06-26 12:19:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description daniel parkes 2024-12-07 06:14:41 UTC
Description of problem:

We need the SAN of the created self-signed certificate to add *. to the hostname specified in the RGW zonegroup spec option.

So, for example, if you add in the spec:

  zonegroup_hostnames:
  - s3.cephlab.com

By default, in the certificate's SAN, we will add *.s3.cephlab.com; this is a requirement for accessing buckets in virtual host mode, as the URL to access buckets will be https://BUCKETNAME.s3.cephlabs.com. With the SAN wildcard, you cover all the bucket names. 

At the moment, virtual host bucket access is not working because you get the following certificate verification error:

# curl  https://bucket1.s3.cephlab.com
curl: (60) SSL: no alternative certificate subject name matches target host name 'bucket1.s3.cephlab.com'
More details here: https://curl.se/docs/sslcerts.html
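
Added example (not part of the original report and not cephadm code): a small checker that applies the single-label wildcard rule TLS clients use for SAN dNSName entries (RFC 6125) to the hostnames from the description. All function names and the bucket list are constructed for illustration; it also shows that a wildcard SAN covers only one extra label, so a bucket name containing a dot stays uncovered.

```python
# Added example: SAN dNSName matching with the single-label wildcard rule.
# Names and sample data are constructed for illustration; this is not cephadm code.

def san_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN dNSName entry covers the given hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label
    if p_labels[0] == "*":
        # wildcard is honoured only as the whole leftmost label
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(san_entries, hostname):
    """True if any SAN entry of the certificate covers the hostname."""
    return any(san_matches(entry, hostname) for entry in san_entries)


def expected_sans(zonegroup_hostnames):
    """SAN list the report asks for: each hostname plus its wildcard form."""
    sans = []
    for name in zonegroup_hostnames:
        sans += [name, "*." + name]
    return sans


def audit(san_entries, zonegroup_hostnames, buckets):
    """Return the virtual-host-style names the certificate does not cover."""
    missing = []
    for zg in zonegroup_hostnames:
        for bucket in buckets:
            host = f"{bucket}.{zg}"
            if not cert_covers(san_entries, host):
                missing.append(host)
    return missing


if __name__ == "__main__":
    zonegroup = ["s3.cephlab.com"]          # from the spec in the report
    buckets = ["bucket1", "logs.2024"]      # constructed sample bucket names
    print("SAN without wildcard:", audit(["s3.cephlab.com"], zonegroup, buckets))
    print("SAN with wildcard:   ", audit(expected_sans(zonegroup), zonegroup, buckets))
```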

Comment 8 errata-xmlrpc 2025-06-26 12:19:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat Ceph Storage 8.1 security, bug fix, and enhancement updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2025:9775