Bug 1258961 - [RFE] Enable SSL support in RHCS RadosGW [NEEDINFO]
Summary: [RFE] Enable SSL support in RHCS RadosGW
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: RGW
Version: 1.3.0
Hardware: All
OS: Linux
Target Milestone: rc
: 2.2
Assignee: Marcus Watts
QA Contact: shilpa
Bara Ancincova
Depends On:
Blocks: 1258382 1327100 1412948
TreeView+ depends on / blocked
Reported: 2015-09-01 15:30 UTC by Vimal Kumar
Modified: 2019-09-12 08:50 UTC (History)
22 users (show)

Fixed In Version: RHEL: ceph-10.2.5-11.el7cp Ubuntu: ceph_10.2.5-5redhat1xenial
Doc Type: Enhancement
Doc Text:
.Support for the SSL protocol has been added The Ceph Object Gateway now supports the SSL protocol. Previously, a reverse proxy server with SSL had to be set up to dispatch HTTPS requests. For details, see the https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/2/html-single/object_gateway_guide_for_red_hat_enterprise_linux/#using_ssl_with_civetweb[Using SSL with Civetweb] chapter in the Ceph Object Gateway Guide.
Clone Of:
Last Closed: 2017-03-14 15:43:10 UTC
uboppana: needinfo? (mbenjamin)

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0514 normal SHIPPED_LIVE Red Hat Ceph Storage 2.2 bug fix and enhancement update 2017-03-21 07:24:26 UTC
Ceph Project Bug Tracker 19003 None None None 2017-03-22 21:21:49 UTC
Red Hat Knowledge Base (Solution) 2038173 None None None 2015-12-25 06:46:17 UTC

Description Vimal Kumar 2015-09-01 15:30:32 UTC
1) Description of problem:

The RadosGW implementation in RHCS1.3 doesn't support SSL as of now. The suggested method in the RadosGW documentation is to use a reverse proxy.

From the RHCS1.3 documentation of RadosGW:

In version 1.3, the Ceph Object Gateway does not support SSL. You may setup a reverse proxy server with SSL to dispatch HTTPS requests as HTTP requests to CivetWeb. 

This is a feature request to enable SSL support in RadosGW.

2) Version-Release number of selected component (if applicable):


3) Actual results:

RadosGW in RHCS1.3 doesn't support SSL. 

4) Expected results:

RadosGW should support SSL due to the importance of data encryption needed in enterprise environments. This should be available without the need of setting up a proxy server.

Comment 9 Marcus Watts 2016-03-14 21:57:14 UTC
This change is in master, and it's also in v10.0.4.

I don't yet have any documentation on it, I'll try to get to that RSN.

Matt has a tweak to this to actually check if "openssl-devel" is installed - one of us will make sure that gets pushed out.

Comment 21 shilpa 2016-08-12 11:13:21 UTC
Hi Bara,

I see Civetweb with SSL section in the doc https://access.qa.redhat.com/documentation/en/red-hat-ceph-storage/2/single/object-gateway-guide-for-red-hat-enterprise-linux#using_ssl_with_civetweb

Since it is not supported in 2.0, I think we need to remove this reference.

Comment 23 Edu Alcaniz 2016-09-16 06:46:04 UTC
Hi, could you update the status of the BZ please

Comment 24 Matt Benjamin (redhat) 2016-09-20 17:43:30 UTC
(In reply to Edu Alcaniz from comment #23)
> Hi, could you update the status of the BZ please

Status unchange, looking for -needinfo from John.

Comment 26 Edu Alcaniz 2016-09-27 15:28:41 UTC
hi, any luck in QA to move forward? Thanks very much.

Comment 27 shilpa 2016-10-18 09:36:00 UTC
Followed the doc available offline:


After generating the self-signed cert and adding to ceph.conf, rgw crashes.

rgw_frontends = civetweb port=443s ssl_certificate=/root/selfcert.pem

2016-10-18 09:30:14.109302 7efdcf2889c0  0 ceph version 10.2.3-7.el7cp (f69f9569b426f45d948df4be635aa92f4d656654), process radosgw, pid 8145
2016-10-18 09:30:14.185347 7efd4ffff700  0 RGWGC::process() failed to acquire lock on gc.4
2016-10-18 09:30:14.185884 7efd4ffff700  0 RGWGC::process() failed to acquire lock on gc.5
2016-10-18 09:30:14.186366 7efd4ffff700  0 RGWGC::process() failed to acquire lock on gc.6
2016-10-18 09:30:14.187322 7efdcf2889c0  0 starting handler: civetweb
2016-10-18 09:30:14.187432 7efdcf2889c0  0 civetweb: 0x7efdcf4e2dc0: load_dll: cannot load libssl.so
2016-10-18 09:30:14.187475 7efdcf2889c0  0 civetweb: 0x7efdcf4e2dc0: load_dll: cannot load libcrypto.so
2016-10-18 09:30:14.187485 7efdcf2889c0 -1 ERROR: failed run
2016-10-18 09:30:14.189308 7efd4f7fe700 -1 *** Caught signal (Aborted) **
 in thread 7efd4f7fe700 thread_name:rgw_obj_expirer

 ceph version 10.2.3-7.el7cp (f69f9569b426f45d948df4be635aa92f4d656654)
 1: (()+0x56f89a) [0x7efdc59a189a]
 2: (()+0xf370) [0x7efdc4db1370]
 3: (gsignal()+0x37) [0x7efdc42f41d7]
 4: (abort()+0x148) [0x7efdc42f58c8]
 5: (__gnu_cxx::__verbose_terminate_handler()+0x165) [0x7efdc48f6ab5]
 6: (()+0x5ea26) [0x7efdc48f4a26]
 7: (()+0x5ea53) [0x7efdc48f4a53]
 8: (()+0x5ec73) [0x7efdc48f4c73]
 9: (operator new(unsigned long)+0x7d) [0x7efdc48f520d]
 10: (std::string::_Rep::_S_create(unsigned long, unsigned long, std::allocator<char> const&)+0x59) [0x7efdc4953ce9]
 11: (std::string::_Rep::_M_clone(std::allocator<char> const&, unsigned long)+0x1b) [0x7efdc49548fb]
 12: (std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(std::string const&)+0x5c) [0x7efdc4954fcc]
 13: (RGWObjectExpirer::process_single_shard(std::string const&, utime_t const&, utime_t const&)+0x133) [0x7efdc57d9943]
 14: (RGWObjectExpirer::inspect_all_shards(utime_t const&, utime_t const&)+0xb2) [0x7efdc57d9fb2]
 15: (RGWObjectExpirer::OEWorker::entry()+0x7f) [0x7efdc57da25f]
 16: (()+0x7dc5) [0x7efdc4da9dc5]
 17: (clone()+0x6d) [0x7efdc43b673d]

-- Unit ceph-radosgw@rgw.magna047.service has begun starting up.
Oct 18 09:30:56 magna047 radosgw[8575]: error parsing int: 443s: The option value '443s' seems to be invalid
Oct 18 09:30:56 magna047 radosgw[8575]: 2016-10-18 09:30:56.185159 7fad36c479c0 -1 ERROR: failed run
Oct 18 09:30:56 magna047 radosgw[8575]: terminate called after throwing an instance of 'std::bad_alloc'
Oct 18 09:30:56 magna047 radosgw[8575]: what():  std::bad_alloc
Oct 18 09:30:56 magna047 radosgw[8575]: *** Caught signal (Aborted) **
Oct 18 09:30:56 magna047 radosgw[8575]: in thread 7facc74fb700 thread_name:rgw_obj_expirer

Comment 29 Ken Dreyer (Red Hat) 2016-10-20 17:05:38 UTC
This is going to need more work upstream (and more Teuthology tests) before we can safely support it for RHCS 2 users.

Comment 42 shilpa 2017-03-03 09:08:34 UTC

Comment 45 errata-xmlrpc 2017-03-14 15:43:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.