Re: Openstack keystone with Radosgw


 



Right, I have these certs on both nodes - keystone node and rgw gateway node. Not sure where I am going wrong. And what about SSL? Should the following be in rgw.conf in gateway node? I am not using this as it was optional.

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
SetEnv SERVER_PORT_SECURE 443




On Thursday, October 9, 2014 2:48 PM, Mark Kirkwood <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:


Almost - the converted certs need to be saved on your *rgw* host in
nss_db_path (default is /var/ceph/nss but wherever you have it
configured should be ok). Then restart the gateway.

What is happening is that the rgw needs these certs to speak with
encryption to the keystone server (the latter does not need anything
changed, as it is already using encryption).

Regards

Mark

On 10/10/14 08:31, lakshmi k s wrote:
> Thanks Mark. I got past this error being root. So essentially, I copied
> the certs from openstack controller node to gateway node. Did the
> conversion using certutil and copied the files back to controller node
> under /var/lib/ceph/nss directory. Is this the correct directory? Ceph
> doc says /var/ceph/nss though.
>
> But after this, I tried to use curl GET command, but in vain. Same old
> 401 - Authorization failure.
>
> curl -i -X GET http://gateway.ex.com/swift/v1/AUTH_bad9e2232b304f89acb03436635b80cc -H "X-Auth-Token: a510edb22f074946940cd4c07aafcd9d"
>
> HTTP/1.1 401 Unauthorized
> Date: Thu, 09 Oct 2014 19:17:31 GMT
> Server: Apache/2.4.7 (Ubuntu)
> Accept-Ranges: bytes
> Content-Length: 12
> Content-Type: text/plain; charset=utf-8
> AccessDeniedroot
>
> Not much difference in radosgw logs too. Note that the token used above
> is same one in ceph.conf file too. Please help.
>
> [client.radosgw.gateway]
> rgw keystone url = http://192.0.8.2:5000
> rgw keystone admin token = a510edb22f074946940cd4c07aafcd9d
> rgw keystone accepted roles = admim Member _member_ swiftoperator
> rgw keystone token cache size = 500
> rgw keystone revocation interval = 500
> rgw s3 auth use keystone = false
> nss db path = /var/lib/ceph/nss
> debug rgw = 20
> host = gateway
> keyring = /etc/ceph/ceph.client.radosgw.keyring
> rgw socket path = /var/run/ceph/ceph.radosgw.gateway.fastcgi.sock
> log file = /var/log/ceph/client.radosgw.gateway.log
> rgw dns name = gateway
>
>
>
>
>
> On Thursday, October 9, 2014 1:15 AM, Mark Kirkwood
> <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
>
>
> I ran into this - needed to actually be root via sudo -i or similar,
> *then* it worked. Unhelpful error message is I think referring to no
> initialized db.
>
> On 09/10/14 16:36, lakshmi k s wrote:
>  > Good workaround. But it did not work. Not sure what this error is all
>  > about now.
>  >
>  > gateway@gateway:~$ openssl x509 -in /home/gateway/ca.pem -pubkey |
>  > certutil -d /var/lib/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
>  > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
>  > certificate/key database is in an old, unsupported format.
>  >
>  >
>  >
>  > On Wednesday, October 8, 2014 7:55 PM, Mark Kirkwood
>  > <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
>  >
>  >
>  > As a workaround check if your rgw host has openssl and certutil
>  > installed, if so you can copy the relevant unconverted certs over to it
>  > and convert 'em there.
>  >
>  > On 09/10/14 15:07, lakshmi k s wrote:
>  >  > Tried aptitude as well, but no luck.
>  >  >
>  >  > Ceph users, have you tried to install libnss3-tools or certutil tool on
>  >  > debian/ubuntu? If so, how did you go about this problem?
>  >  >
>  >  >
>  >  > On Wednesday, October 8, 2014 7:01 PM, Mark Kirkwood
>  >  > <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
>
>  >  >
>  >  >
>  >  > Ok, so that is the thing to get sorted. I'd suggest posting the error(s)
>  >  > you are getting perhaps here (someone else might know), but definitely
>  >  > to one of the Debian specific lists.
>  >  >
>  >  > In the meantime perhaps try installing the packages with aptitude rather
>  >  > than apt-get - if there is some fancy footwork required it is fairly
>  >  > smart about what needs to be done.
>  >  >
>  >  > Cheers
>  >  >
>  >  > Mark
>  >  >
>  >  > On 09/10/14 14:38, lakshmi k s wrote:
>  >  >  > Thanks Mark. I have been trying to install this on controller node. But
>  >  >  > for some reason, I am unable to install certutil or libnss3-tools on
>  >  >  > debian. I am not sure how to proceed.
>  >  >  >
>  >  >
>  >  >
>  >  >
>  >
>  >
>  >
>
>
>



_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
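
The thread turns on which directory the converted certs must live in: the one `nss db path` names in ceph.conf, on the rgw host. The shell check below is an added example, not part of any message above; its function names are hypothetical, and it assumes the standard NSS file names (cert9.db/key4.db for the SQLite format, cert8.db/key3.db for the legacy DBM format).

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print the "nss db path" value from one ceph.conf section. Ceph accepts
# spaces or underscores in option names, so both spellings are matched.
nss_db_path_from_conf() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_sec = ($0 == want); next }
        !in_sec || /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ _]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "nss db path") found = val
        }
        END { if (found != "") print found }' "$1"
}

# Classify a directory by the database files certutil leaves in it.
nss_db_format() {
    if [ ! -d "$1" ]; then echo missing
    elif [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]; then echo sql
    elif [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]; then echo dbm
    else echo empty
    fi
}

# Compare the directory the certs were imported into (the certutil -d
# argument) with the one radosgw is configured to read.
check_rgw_nss() {
    configured=$(nss_db_path_from_conf "$1" "$2")
    # Default named in the thread when the option is not set.
    [ -n "$configured" ] || configured=/var/ceph/nss
    if [ "$configured" != "$3" ]; then
        echo "mismatch: certs imported into $3, rgw reads $configured"
        return 1
    fi
    fmt=$(nss_db_format "$configured")
    case $fmt in
        sql|dbm) echo "ok: $fmt database at $configured" ;;
        *)       echo "no database: $configured is $fmt"; return 1 ;;
    esac
}
```

Run it on the gateway as `check_rgw_nss /etc/ceph/ceph.conf client.radosgw.gateway /var/lib/ceph/nss`, passing the directory that was given to `certutil -d`.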
