Bug 1258961 - [RFE] Enable SSL support in RHCS RadosGW [NEEDINFO]
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: RGW
All Linux
high Severity medium
: rc
: 2.2
Assigned To: Marcus Watts
Bara Ancincova
: FutureFeature, Triaged
Depends On:
Blocks: 1258382 1327100 1412948
Reported: 2015-09-01 11:30 EDT by Vimal Kumar
Modified: 2017-07-30 12:01 EDT

See Also:
Fixed In Version: RHEL: ceph-10.2.5-11.el7cp Ubuntu: ceph_10.2.5-5redhat1xenial
Doc Type: Enhancement
Doc Text:
.Support for the SSL protocol has been added
The Ceph Object Gateway now supports the SSL protocol. Previously, a reverse proxy server with SSL had to be set up to dispatch HTTPS requests. For details, see the https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/2/html-single/object_gateway_guide_for_red_hat_enterprise_linux/#using_ssl_with_civetweb[Using SSL with Civetweb] chapter in the Ceph Object Gateway Guide.
Last Closed: 2017-03-14 11:43:10 EDT
Type: Bug
uboppana: needinfo? (mbenjamin)

External Trackers
Tracker ID Priority Status Summary Last Updated
Ceph Project Bug Tracker 19003 None None None 2017-03-22 17:21 EDT
Red Hat Knowledge Base (Solution) 2038173 None None None 2015-12-25 01:46 EST

Description Vimal Kumar 2015-09-01 11:30:32 EDT
1) Description of problem:

The RadosGW implementation in RHCS1.3 doesn't support SSL as of now. The suggested method in the RadosGW documentation is to use a reverse proxy.

From the RHCS1.3 documentation of RadosGW:

In version 1.3, the Ceph Object Gateway does not support SSL. You may setup a reverse proxy server with SSL to dispatch HTTPS requests as HTTP requests to CivetWeb. 

This is a feature request to enable SSL support in RadosGW.

2) Version-Release number of selected component (if applicable):


3) Actual results:

RadosGW in RHCS1.3 doesn't support SSL. 

4) Expected results:

RadosGW should support SSL due to the importance of data encryption needed in enterprise environments. This should be available without the need of setting up a proxy server.
Comment 9 Marcus Watts 2016-03-14 17:57:14 EDT
This change is in master, and it's also in v10.0.4.

I don't yet have any documentation on it, I'll try to get to that RSN.

Matt has a tweak to this to actually check if "openssl-devel" is installed - one of us will make sure that gets pushed out.
Comment 21 shilpa 2016-08-12 07:13:21 EDT
Hi Bara,

I see Civetweb with SSL section in the doc https://access.qa.redhat.com/documentation/en/red-hat-ceph-storage/2/single/object-gateway-guide-for-red-hat-enterprise-linux#using_ssl_with_civetweb

Since it is not supported in 2.0, I think we need to remove this reference.
Comment 23 Edu Alcaniz 2016-09-16 02:46:04 EDT
Hi, could you update the status of the BZ please
Comment 24 Matt Benjamin (redhat) 2016-09-20 13:43:30 EDT
(In reply to Edu Alcaniz from comment #23)
> Hi, could you update the status of the BZ please

Status unchanged, looking for -needinfo from John.
Comment 26 Edu Alcaniz 2016-09-27 11:28:41 EDT
Hi, any luck in QA to move forward? Thanks very much.
Comment 27 shilpa 2016-10-18 05:36:00 EDT
Followed the doc available offline:


After generating the self-signed cert and adding to ceph.conf, rgw crashes.

rgw_frontends = civetweb port=443s ssl_certificate=/root/selfcert.pem

2016-10-18 09:30:14.109302 7efdcf2889c0  0 ceph version 10.2.3-7.el7cp (f69f9569b426f45d948df4be635aa92f4d656654), process radosgw, pid 8145
2016-10-18 09:30:14.185347 7efd4ffff700  0 RGWGC::process() failed to acquire lock on gc.4
2016-10-18 09:30:14.185884 7efd4ffff700  0 RGWGC::process() failed to acquire lock on gc.5
2016-10-18 09:30:14.186366 7efd4ffff700  0 RGWGC::process() failed to acquire lock on gc.6
2016-10-18 09:30:14.187322 7efdcf2889c0  0 starting handler: civetweb
2016-10-18 09:30:14.187432 7efdcf2889c0  0 civetweb: 0x7efdcf4e2dc0: load_dll: cannot load libssl.so
2016-10-18 09:30:14.187475 7efdcf2889c0  0 civetweb: 0x7efdcf4e2dc0: load_dll: cannot load libcrypto.so
2016-10-18 09:30:14.187485 7efdcf2889c0 -1 ERROR: failed run
2016-10-18 09:30:14.189308 7efd4f7fe700 -1 *** Caught signal (Aborted) **
 in thread 7efd4f7fe700 thread_name:rgw_obj_expirer

 ceph version 10.2.3-7.el7cp (f69f9569b426f45d948df4be635aa92f4d656654)
 1: (()+0x56f89a) [0x7efdc59a189a]
 2: (()+0xf370) [0x7efdc4db1370]
 3: (gsignal()+0x37) [0x7efdc42f41d7]
 4: (abort()+0x148) [0x7efdc42f58c8]
 5: (__gnu_cxx::__verbose_terminate_handler()+0x165) [0x7efdc48f6ab5]
 6: (()+0x5ea26) [0x7efdc48f4a26]
 7: (()+0x5ea53) [0x7efdc48f4a53]
 8: (()+0x5ec73) [0x7efdc48f4c73]
 9: (operator new(unsigned long)+0x7d) [0x7efdc48f520d]
 10: (std::string::_Rep::_S_create(unsigned long, unsigned long, std::allocator<char> const&)+0x59) [0x7efdc4953ce9]
 11: (std::string::_Rep::_M_clone(std::allocator<char> const&, unsigned long)+0x1b) [0x7efdc49548fb]
 12: (std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(std::string const&)+0x5c) [0x7efdc4954fcc]
 13: (RGWObjectExpirer::process_single_shard(std::string const&, utime_t const&, utime_t const&)+0x133) [0x7efdc57d9943]
 14: (RGWObjectExpirer::inspect_all_shards(utime_t const&, utime_t const&)+0xb2) [0x7efdc57d9fb2]
 15: (RGWObjectExpirer::OEWorker::entry()+0x7f) [0x7efdc57da25f]
 16: (()+0x7dc5) [0x7efdc4da9dc5]
 17: (clone()+0x6d) [0x7efdc43b673d]

-- Unit ceph-radosgw@rgw.magna047.service has begun starting up.
Oct 18 09:30:56 magna047 radosgw[8575]: error parsing int: 443s: The option value '443s' seems to be invalid
Oct 18 09:30:56 magna047 radosgw[8575]: 2016-10-18 09:30:56.185159 7fad36c479c0 -1 ERROR: failed run
Oct 18 09:30:56 magna047 radosgw[8575]: terminate called after throwing an instance of 'std::bad_alloc'
Oct 18 09:30:56 magna047 radosgw[8575]: what():  std::bad_alloc
Oct 18 09:30:56 magna047 radosgw[8575]: *** Caught signal (Aborted) **
Oct 18 09:30:56 magna047 radosgw[8575]: in thread 7facc74fb700 thread_name:rgw_obj_expirer
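
Added example (not part of the bug report and not Ceph code): a pre-flight check for the failure shown in comment 27, meant to be run before restarting radosgw with an SSL port. It parses the `rgw_frontends` value, asks the dynamic loader for the same two library names that civetweb logs, and inspects the PEM file; the function names and the file-permission check are assumptions of this example.

```python
import ctypes
import os

# Library names exactly as civetweb asks for them in the log above.
SSL_LIBS = ("libssl.so", "libcrypto.so")

def parse_frontends(value):
    """Split an rgw_frontends value into (framework, {option: value})."""
    tokens = value.split()
    opts = dict(tok.partition("=")[::2] for tok in tokens[1:])
    return tokens[0], opts

def can_dlopen(name):
    """True if the dynamic loader can resolve `name` (ctypes calls dlopen)."""
    try:
        ctypes.CDLL(name)
        return True
    except OSError:
        return False

def preflight(value, loader=can_dlopen):
    """Return the problems that would keep an SSL civetweb listener from starting."""
    framework, opts = parse_frontends(value)
    if framework != "civetweb" or not opts.get("port", "").endswith("s"):
        return []  # no SSL listener requested, nothing to check
    problems = [f"cannot load {lib}" for lib in SSL_LIBS if not loader(lib)]
    pem = opts.get("ssl_certificate")
    if not pem:
        return problems + ["SSL port set but ssl_certificate is missing"]
    try:
        with open(pem, encoding="ascii", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        return problems + [f"cannot read {pem}: {exc.strerror}"]
    # civetweb expects the private key and the certificate in the same PEM file.
    if "-----BEGIN CERTIFICATE-----" not in text:
        problems.append(f"{pem}: no certificate block")
    if "PRIVATE KEY-----" not in text:
        problems.append(f"{pem}: no private key block")
    # The file holds a private key, so it should not be readable by group/others.
    if os.stat(pem).st_mode & 0o077:
        problems.append(f"{pem}: permissions too open for a private key")
    return problems

if __name__ == "__main__":
    line = "civetweb port=443s ssl_certificate=/root/selfcert.pem"
    for problem in preflight(line):
        print("FAIL:", problem)
```

Run it as the same user that radosgw runs as, so the read check reflects what the daemon will actually see.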
Comment 29 Ken Dreyer (Red Hat) 2016-10-20 13:05:38 EDT
This is going to need more work upstream (and more Teuthology tests) before we can safely support it for RHCS 2 users.
Comment 42 shilpa 2017-03-03 04:08:34 EST
Comment 45 errata-xmlrpc 2017-03-14 11:43:10 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

