I have an ochestrated (cephadm) ceph cluster (16.2.11) with 2 radosgw services on 2 separate hosts without HA (i.e. no ingress/haproxy in front). Both of the rgw servers use SSL and have a properly signed certificate. We can access them with standard S3 tools like s3cmd, cyberduck, etc.
The problem seems to be that the the Ceph mgr dashboard fails to access the RGW API because it uses the shortname "gw01" instead of the FQDN "gw01.domain.com" when forming the S3 signature which makes the S3 signature check fail and we get the following error:
Error connecting to Object Gateway: RGW REST API failed request with status code 403 (b'{"Code":"SignatureDoesNotMatch","RequestId":"tx00000521ceca28974e94b-006408e' b'f93-454bbb4e-default","HostId":"454bbb4e-default-default"}')
It seems that the ceph mgr (which we have restarted several times) uses just the short hostname from the inventory and I don't see how to tell it to use the FQDN. Neither is it possible to configure the RGW to listen on an alternate non-SSL port on the cluster private network since the service spec for RGW only allows to set the rgw_frontend_port and rgw_frontend_type, but not the full frontend spec (which would allow for multiple listeners).
When we did have HA (haproxy) ingress configured, we ran into issues with the user clients getting lots of 503 errors due to some interaction between the RGW and the haproxy so we gave up on that config and now talk directly to the RGW over SSL which is working well.
Any suggestions?
thanks,
Wyllys Ingersoll
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
