Thanks Mark. I have been trying to install this on the controller node. But for some reason, I am unable to install certutil or libnss3-tools on Debian. I am not sure how to proceed.
On Wednesday, October 8, 2014 6:26 PM, Mark Kirkwood <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
If you are using ceph + radosgw packages they should be built with the
nss option (--with-nss), so nothing to do there.
For the server running keystone you need to do:
(root) $ mkdir /var/ceph/nss
(root) $ openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | \
certutil -d /var/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
(root) $ openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pub
(root) $ rsync -av /var/ceph/nss/* rgw-host:/var/ceph/nss
as indicated in the ceph docs. I found I needed to actually be root for
this to work (i.e. sudo did not work), but apart from that no problem.
You need to install whatever packages give you the openssl and certutil
binaries.
Cheers
Mark
On 09/10/14 05:21, lakshmi k s wrote:
> Hello Mark,
>
> Thanks for your reply. Where should I be installing the NSS package? On the
> gateway or the OpenStack controller node? On both, I could not execute the
> following command as it resulted in a bunch of errors.
>
> openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | certutil -d /var/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
>
> Also, you mentioned SSL. What should I be doing for this? Should rgw.conf in /etc/apache2/sites-enabled on the gateway node be configured for SSL like this below? I do not have this right now.
>
> SSLEngine on
> SSLCertificateFile /etc/apache2/ssl/apache.crt
> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
> SetEnv SERVER_PORT_SECURE 443
>
>
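The import step discussed in this thread, wrapped with the checks that make its failures easier to diagnose (missing binaries, unreadable certificate, unwritable database directory). This is an added example, not part of the original messages or the ceph docs; the function names and the NSS_DB variable are hypothetical, and the trust string is passed in by the caller.

```shell
#!/bin/sh
# Added example: guarded wrapper around the openssl | certutil pipeline quoted above.
# NSS_DB defaults to the directory used in the thread.
NSS_DB="${NSS_DB:-/var/ceph/nss}"

# Print the name of every required binary that is not on PATH.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# import_pem_to_nss PEM NICKNAME TRUST
# Returns 0 only if the certificate is listed under NICKNAME afterwards.
import_pem_to_nss() {
    pem=$1 nick=$2 trust=$3
    missing=$(missing_tools openssl certutil)
    if [ -n "$missing" ]; then
        # On Debian, certutil is shipped in the libnss3-tools package.
        echo "missing binaries:" $missing >&2
        return 1
    fi
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }
    [ -d "$NSS_DB" ] && [ -w "$NSS_DB" ] || {
        echo "$NSS_DB is missing or not writable by uid $(id -u)" >&2
        return 3
    }
    # Stop before touching the database if the file is not a parseable certificate.
    openssl x509 -in "$pem" -noout || return 4
    # Same pipeline as in the thread, with the paths and names parameterised.
    openssl x509 -in "$pem" -pubkey |
        certutil -d "$NSS_DB" -A -n "$nick" -t "$trust" || return 5
    # Confirm the nickname now exists in the database.
    certutil -d "$NSS_DB" -L -n "$nick" >/dev/null || return 6
}

# Invocation matching the CA command from the thread:
#   import_pem_to_nss /etc/keystone/ssl/certs/ca.pem ca "TCu,Cu,Tuw"
```

Each distinct return code identifies which stage failed, so the result can be checked before the database is copied to the gateway host.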
_______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com