Bug 2330954 - Cephadm feature to create self signed certificates for RGW is not adding a SAN for *.example.com on the created Certificate
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Cephadm
Version: 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 8.1
Assignee: Kushal Deb
QA Contact: Hemanth Sai
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-12-07 06:14 UTC by daniel parkes
Modified: 2025-06-26 12:20 UTC (History)

Fixed In Version: ceph-19.2.1-86.el9cp
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2025-06-26 12:19:57 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHCEPH-10329 0 None None None 2024-12-07 06:15:43 UTC
Red Hat Product Errata RHSA-2025:9775 0 None None None 2025-06-26 12:20:00 UTC

Description daniel parkes 2024-12-07 06:14:41 UTC
Description of problem:

We need the SAN of the created self-signed certificate to add *. to the hostname specified in the RGW zonegroup spec option.

So, for example, if you add in the spec:

  zonegroup_hostnames:
  - s3.cephlab.com

By default, in the certificate's SAN, we will add *.s3.cephlab.com; this is a requirement for accessing buckets in virtual host mode, as the URL to access buckets will be https://BUCKETNAME.s3.cephlab.com. With the SAN wildcard, you cover all the bucket names.

At the moment, virtual host bucket access is not working because you get the following certificate verification error:

# curl  https://bucket1.s3.cephlab.com
curl: (60) SSL: no alternative certificate subject name matches target host name 'bucket1.s3.cephlab.com'
More details here: https://curl.se/docs/sslcerts.html
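
The SAN check behind the curl error above, as an added example (not part of the original report and not cephadm's code; all function names are hypothetical). It derives the SAN entries needed for each `zonegroup_hostnames` value and applies the usual left-most-label wildcard rule. It also goes one step further than the report by showing that a bucket name containing a dot is still rejected with the wildcard SAN, because the wildcard stands for a single DNS label.

```python
# Added illustration; function names are hypothetical, not cephadm's API.

def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: '*' only as the whole left-most label,
    standing for exactly one label; comparison is case-insensitive."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        return bool(host_labels[0]) and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def required_sans(zonegroup_hostnames):
    """SAN entries needed for path-style and virtual-host-style access."""
    needed = []
    for name in zonegroup_hostnames:
        needed += [name, f"*.{name}"]
    return needed


def missing_sans(cert_sans, zonegroup_hostnames):
    """Required SAN entries that are absent from the certificate."""
    present = {s.lower() for s in cert_sans}
    return [s for s in required_sans(zonegroup_hostnames)
            if s.lower() not in present]


def uncovered(cert_sans, hostnames):
    """Hostnames a TLS client would reject for this certificate."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in cert_sans)]


if __name__ == "__main__":
    zonegroup_hostnames = ["s3.cephlab.com"]        # value from the spec above
    before = ["s3.cephlab.com"]                     # constructed: SAN without wildcard
    after = required_sans(zonegroup_hostnames)      # constructed: SAN with wildcard
    clients = ["s3.cephlab.com", "bucket1.s3.cephlab.com",
               "my.bucket.s3.cephlab.com"]          # constructed client hostnames
    print("missing SANs:   ", missing_sans(before, zonegroup_hostnames))
    print("rejected before:", uncovered(before, clients))
    print("rejected after: ", uncovered(after, clients))
```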

Comment 8 errata-xmlrpc 2025-06-26 12:19:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat Ceph Storage 8.1 security, bug fix, and enhancement updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2025:9775

