Bug 1425710 - RGW service fails to start with SSL configured on Ubuntu
Summary: RGW service fails to start with SSL configured on Ubuntu
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: RGW
Version: 2.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 2.2
Assignee: Marcus Watts
QA Contact: shilpa
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-02-22 08:12 UTC by shilpa
Modified: 2017-07-30 16:02 UTC (History)
10 users (show)

Fixed In Version: RHEL: ceph-10.2.5-34.el7cp Ubuntu: ceph_10.2.5-26redhat1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-14 15:49:58 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0514 normal SHIPPED_LIVE Red Hat Ceph Storage 2.2 bug fix and enhancement update 2017-03-21 07:24:26 UTC
Ceph Project Bug Tracker 19098 None None None 2017-02-27 19:37:52 UTC

Description shilpa 2017-02-22 08:12:04 UTC
Description of problem:
RGW fails with error:

2017-02-22 07:10:00.734805 7f3c163dea00  0 civetweb: 0x55ccf9ca59e0: load_dll: cannot load libssl.so
2017-02-22 07:10:00.734860 7f3c163dea00  0 civetweb: 0x55ccf9ca59e0: load_dll: cannot load libcrypto.so

Version-Release number of selected component (if applicable):
10.2.5-21redhat1xenial

How reproducible:
Always

Steps to Reproduce:
1. Generate a CA signed certificate.
2. Add the pem key to /usr/share/ca-certificates/ and add it to trusted ca-certs in /etc/ssl/certs/ca-certificates.crt
3. In ceph.conf add the line and restart rgw:
rgw frontends = civetweb port=443s ssl_certificate=/usr/share/ca-certificates/myca.pem

Actual results:
RGW restart fails with:

2017-02-22 07:10:00.734669 7f3c163dea00  0 starting handler: civetweb
2017-02-22 07:10:00.734693 7f3c163dea00 20 civetweb config: decode_url: no
2017-02-22 07:10:00.734694 7f3bdd5f1700  5 process_single_shard(): failed to acquire lock on obj_delete_at_hint.0000000001
2017-02-22 07:10:00.734696 7f3c163dea00 20 civetweb config: enable_keep_alive: yes
2017-02-22 07:10:00.734698 7f3c163dea00 20 civetweb config: listening_ports: 443s
2017-02-22 07:10:00.734699 7f3c163dea00 20 civetweb config: num_threads: 100
2017-02-22 07:10:00.734700 7f3c163dea00 20 civetweb config: run_as_user: ceph
2017-02-22 07:10:00.734701 7f3c163dea00 20 civetweb config: ssl_certificate: /usr/share/ca-certificates/myca.pem
2017-02-22 07:10:00.734701 7f3bdd5f1700 20 proceeding shard = obj_delete_at_hint.0000000002
2017-02-22 07:10:00.734770 7f3bdddf2700  0 RGWGC::process() failed to acquire lock on gc.26
2017-02-22 07:10:00.734805 7f3c163dea00  0 civetweb: 0x55ccf9ca59e0: load_dll: cannot load libssl.so
2017-02-22 07:10:00.734860 7f3c163dea00  0 civetweb: 0x55ccf9ca59e0: load_dll: cannot load libcrypto.so
2017-02-22 07:10:00.734870 7f3c163dea00 -1 ERROR: failed run


Additional info:
Adding an attachment with steps followed. Note that the same configuration worked on RHEL.

Comment 13 Ken Dreyer (Red Hat) 2017-02-27 16:37:05 UTC
Where is the PR to master for this change? Or Redmine ticket tracking the backport to Jewel?

Comment 14 Matt Benjamin (redhat) 2017-02-27 17:44:53 UTC
(In reply to Ken Dreyer (Red Hat) from comment #13)
> Where is the PR to master for this change? Or Redmine ticket tracking the
> backport to Jewel?

Hi Ken,

There's currently not a corresponding change for master, as the changes for cmake build are completely different--but still needed, going forward.

Matt

Comment 15 Ken Dreyer (Red Hat) 2017-02-27 18:01:09 UTC
We'll still need this in v10.2.6 or v10.2.7 going forward. Mind filing a Redmine ticket and connecting it up here in External Trackers?

Comment 16 Marcus Watts 2017-03-01 07:06:04 UTC
I filed a duplicate bug before noticing Thomas had beat me to making a ticket.  Yes, I'll need to make the cmake fix for master.

Comment 18 shilpa 2017-03-03 05:52:47 UTC
Verified on ceph_10.2.5-26

Comment 20 errata-xmlrpc 2017-03-14 15:49:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0514.html


Note You need to log in before you can comment on or make changes to this bug.