Eng Bug: the BZ is https://bugzilla.redhat.com/show_bug.cgi?id=1258961
Additional info: Need to document the support for secure http connection, previously it used to be non-secure http connection only. Users need to open port 443 and access the requests via https. Also, a note should be added saying that SSL support is now added. This bug also affects the HA Proxy docs, which need to be updated.
*** Bug 1417056 has been marked as a duplicate of this bug. ***
Hi Anjana, Is there a link for the documentation for both RHEL and Ubuntu? The link in c#2 seems to be an old one?
Shilpa, here is what we had beforehand. We should also verify generating SSL certs and self-signed stuff so that people have that on hand as well. I don't have guidelines in here for Civetweb, so I'm sure that will be the first request.
http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_generating_ssl_certificates
http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_creating_a_self_signed_certificate
http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_using_ssl_with_civetweb
(In reply to John Wilkins from comment #9)
> Shilpa, here is what we had beforehand. We should also verify generating SSL
> certs and self-signed stuff so that people have that on hand as well. I
> don't have guidelines in here for Civetweb, so I'm sure that will be the
> first request.
>
> http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_generating_ssl_certificates
>
> http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_creating_a_self_signed_certificate
>
> http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_using_ssl_with_civetweb
Hi John, We have only tested with a CA-signed certificate. I am not sure if it works with a self-signed cert. @marcus, @matt can you please confirm?
See
http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_creating_a_self_signed_certificate
and
http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_using_ssl_with_civetweb
(In reply to John Wilkins from comment #18)
> See
> http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_creating_a_self_signed_certificate
>
> and
>
> http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_using_ssl_with_civetweb
Thanks John,
The command "openssl genrsa -des3 -out server.key 1024" requires you to enter a passphrase. RGW fails to start when we use the cert generated this way because civetweb expects a different pem format.
civetweb: 0x7f1659a06dc0: set_ssl_option: cannot open /etc/pki/ca-trust/source/anchors/server.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line
But "openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.csr -days 365 -nodes" does not require us to generate a passphrase, and this cert meets civetweb's requirement. This worked for me.
Also, in the "Using SSL in civetweb" section, the pem file name used in the doc is server.pem. That needs to be changed here:
[client.rgw.{hostname}]
rgw_frontends = "civetweb port=443s ssl_certificate=/etc/ceph/private/cert.pem"
The last line about using the --insecure option is applicable only while running swift commands.
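
The startup failure reported in the comment above can be caught before restarting RGW by linting the PEM file that ssl_certificate= points at. This is an added example, not part of the original thread or the Ceph documentation; the function names and finding strings are hypothetical, the sample files are constructed skeletons with placeholder bodies, and it assumes civetweb reads the certificate and an unencrypted private key from that single file.

```shell
#!/bin/sh
# Lint a PEM file before pointing rgw_frontends ssl_certificate= at it.
# Assumption: civetweb loads the certificate and an unencrypted private key
# from this one file and never prompts for a passphrase.
check_civetweb_pem() {
    pem=$1
    rc=0
    [ -r "$pem" ] || { echo "unreadable"; return 2; }
    # A file with no PEM header is what OpenSSL reports as "no start line".
    grep -q '^-----BEGIN ' "$pem" || { echo "no-pem-block"; return 1; }
    # A CSR ("CERTIFICATE REQUEST") does not count; only a certificate does.
    grep -q '^-----BEGIN CERTIFICATE-----$' "$pem" || { echo "missing-certificate"; rc=1; }
    # Passphrase-protected keys: PKCS#8 label or the legacy Proc-Type header.
    if grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$pem"; then
        echo "encrypted-key"; rc=1
    elif ! grep -Eq '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$' "$pem"; then
        echo "missing-private-key"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "ok"; fi
    return "$rc"
}

# Write constructed, non-functional PEM skeletons into directory $1.
make_samples() {
    b='Q09OU1RSVUNURUQ='   # placeholder body, not real key material
    cert="-----BEGIN CERTIFICATE-----
$b
-----END CERTIFICATE-----"
    key="-----BEGIN PRIVATE KEY-----
$b
-----END PRIVATE KEY-----"
    # Certificate plus unencrypted key in one file.
    printf '%s\n' "$cert" "$key" > "$1/good.pem"
    # Key written with a passphrase (legacy "genrsa -des3" style header).
    printf '%s\n' "$cert" "-----BEGIN RSA PRIVATE KEY-----" \
        "Proc-Type: 4,ENCRYPTED" "DEK-Info: DES-EDE3-CBC,0000000000000000" \
        "" "$b" "-----END RSA PRIVATE KEY-----" > "$1/encrypted.pem"
    # Signing request concatenated with the key instead of a certificate.
    printf '%s\n' "-----BEGIN CERTIFICATE REQUEST-----" "$b" \
        "-----END CERTIFICATE REQUEST-----" "$key" > "$1/csr.pem"
    # Not PEM at all.
    printf 'not pem\n' > "$1/garbage.pem"
}
```

Source the file and call check_civetweb_pem with the path configured in rgw_frontends; it prints one finding per line and returns non-zero when the file would not load.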
http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_creating_a_self_signed_certificate
(In reply to John Wilkins from comment #20)
> http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_creating_a_self_signed_certificate
Hi John,
We don't need this command:
# openssl req -new -key server.key -out server.csr
RGW fails to start when you generate a challenge password with this command. Everything else looks fine. Thanks!
(In reply to John Wilkins from comment #22)
> http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_creating_a_self_signed_certificate
Thanks! lgtm
Looks good. Thanks Bara and John.
http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20RHEL%20(html-single)/lastSuccessfulBuild/artifact/RHEL/index.html#_using_ssl_with_civetweb
http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage_2-Object_Gateway%20-%20Ubuntu%20(html-single)/lastSuccessfulBuild/artifact/Ubuntu/index.html#_using_ssl_with_civetweb
Verified