Re: Openstack keystone with Radosgw


 



Almost - the converted certs need to be saved on your *rgw* host in nss_db_path (default is /var/ceph/nss but wherever you have it configured should be ok). Then restart the gateway.

What is happening is that the rgw needs these certs to speak with encryption to the keystone server (the latter does not need anything changed, as it is already using encryption).

Regards

Mark

On 10/10/14 08:31, lakshmi k s wrote:
Thanks Mark. I got past this error being root. So essentially, I copied
the certs from openstack controller node to gateway node. Did the
conversion using certutil and copied the files back to controller node
under /var/lib/ceph/nss directory. Is this the correct directory? Ceph
doc says /var/ceph/nss though.

But after this, I tried to use curl GET command, but in vain. Same old
401 - Authorization failure.

curl -i -X GET \
  http://gateway.ex.com/swift/v1/AUTH_bad9e2232b304f89acb03436635b80cc \
  -H "X-Auth-Token: a510edb22f074946940cd4c07aafcd9d"

HTTP/1.1 401 Unauthorized
Date: Thu, 09 Oct 2014 19:17:31 GMT
Server: Apache/2.4.7 (Ubuntu)
Accept-Ranges: bytes
Content-Length: 12
Content-Type: text/plain; charset=utf-8
AccessDeniedroot

Not much difference in radosgw logs too. Note that the token used above
is same one in ceph.conf file too. Please help.

[client.radosgw.gateway]
rgw keystone url = http://192.0.8.2:5000
rgw keystone admin token = a510edb22f074946940cd4c07aafcd9d
rgw keystone accepted roles = admim Member _member_ swiftoperator
rgw keystone token cache size = 500
rgw keystone revocation interval = 500
rgw s3 auth use keystone = false
nss db path = /var/lib/ceph/nss
debug rgw = 20
host = gateway
keyring = /etc/ceph/ceph.client.radosgw.keyring
rgw socket path = /var/run/ceph/ceph.radosgw.gateway.fastcgi.sock
log file = /var/log/ceph/client.radosgw.gateway.log
rgw dns name = gateway





On Thursday, October 9, 2014 1:15 AM, Mark Kirkwood
<mark.kirkwood@xxxxxxxxxxxxxxx> wrote:


I ran into this - needed to actually be root via sudo -i or similar,
*then* it worked. Unhelpful error message is I think referring to no
initialized db.

On 09/10/14 16:36, lakshmi k s wrote:
 > Good workaround. But it did not work. Not sure what this error is all
 > about now.
 >
 > gateway@gateway:~$ openssl x509 -in /home/gateway/ca.pem -pubkey |
 > certutil -d /var/lib/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
 > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
 > certificate/key database is in an old, unsupported format.
 >
 >
 >
 > On Wednesday, October 8, 2014 7:55 PM, Mark Kirkwood
 > <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
 >
 >
 > As a workaround check if your rgw host has openssl and certutil
 > installed, if so you can copy the relevant unconverted certs over to it
 > and convert 'em there.
 >
 > On 09/10/14 15:07, lakshmi k s wrote:
 >  > Tried aptitude as well, but no luck.
 >  >
 >  > Ceph users, have you tried to install libnss3-tools or certutil tool on
 >  > debian/ubuntu? If so, how did you go about this problem.
 >  >
 >  >
 >  > On Wednesday, October 8, 2014 7:01 PM, Mark Kirkwood
 >  > <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
 >  >
 >  >
 >  > Ok, so that is the thing to get sorted. I'd suggest posting the error(s)
 >  > you are getting perhaps here (someone else might know), but definitely
 >  > to one of the Debian specific lists.
 >  >
 >  > In the meantime perhaps try installing the packages with aptitude rather
 >  > than apt-get - if there is some fancy footwork required it is fairly
 >  > smart about what needs to be done.
 >  >
 >  > Cheers
 >  >
 >  > Mark
 >  >
 >  > On 09/10/14 14:38, lakshmi k s wrote:
 >  >  > Thanks Mark. I have been trying to install this on controller node. But
 >  >  > for some reason, I am unable to install certutil or libnss3-tools on
 >  >  > debian. I am not sure how to proceed.
 >  >  >
 >  >
 >  >
 >  >
 >
 >
 >




_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
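
The thread above turns on which host and which directory hold the converted NSS database. As an added example (not part of the original messages and not Ceph project code), this shell check reads `nss db path` from a ceph.conf section and confirms that NSS database files exist there and are readable. The function names and the default conf path are assumptions; the section name is the one quoted in the thread.

```shell
# Added example: preflight check for the rgw NSS certificate database.
# Run on the rgw host: check_rgw_nss_db /etc/ceph/ceph.conf client.radosgw.gateway

# Print the "nss db path" value from one section of a ceph.conf file.
# Ceph treats spaces and underscores in option names alike, so match both.
nss_db_path() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_sec = ($0 == want); next }
        in_sec {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ _]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "nss db path") { print val; exit }
        }' "$1"
}

# Return 0 and name the database format if the configured directory holds
# an NSS database this user can read; otherwise explain and return non-zero.
check_rgw_nss_db() {
    conf=${1:-/etc/ceph/ceph.conf}          # assumed default location
    section=${2:-client.radosgw.gateway}    # section name used in the thread
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    dir=$(nss_db_path "$conf" "$section")
    [ -n "$dir" ] || { echo "no 'nss db path' in [$section]" >&2; return 2; }
    [ -d "$dir" ] || { echo "$dir does not exist on this host" >&2; return 3; }
    # NSS stores certificates as cert8.db/key3.db (legacy dbm format)
    # or cert9.db/key4.db (sql format).
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        fmt=sql
    elif [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        fmt=dbm
    else
        echo "$dir holds no NSS database files" >&2; return 4
    fi
    for f in "$dir"/cert?.db "$dir"/key?.db; do
        [ -r "$f" ] || { echo "$f is not readable by $(id -un)" >&2; return 5; }
    done
    echo "$fmt database in $dir"
}
```

On a real gateway, `certutil -L -d` pointed at the reported directory lists the certificate nicknames stored in it.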



