Do you have an ingress service for HAProxy/keepalived? If so, that’s the service that you will need to have orch redeploy/restart. If not, maybe try `ceph orch redeploy pech` ?
Thank you,
Josh Beaman
From: Kai Stian Olstad <ceph+list@xxxxxxxxxx>
Date: Wednesday, June 14, 2023 at 7:58 AM
To: ceph-users@xxxxxxx <ceph-users@xxxxxxx>
Subject: [EXTERNAL] How to change RGW certificate in Cephadm?
When I enabled RGW in cephadm I used this spec file rgw.yml
service_type: rgw
service_id: pech
placement:
label: cog
spec:
ssl: true
rgw_frontend_ssl_certificate: |
-----BEGIN CERTIFICATE-----
<snip />
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<snip />
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<snip />
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
<snip />
-----END RSA PRIVATE KEY-----
And enabled it with
ceph orch apply -i /etc/ceph/rgw.yml
The certificate is about to expire so I would like to update it.
I updated rgw.yml spec with the new certificate and run
ceph orch apply -i /etc/ceph/rgw.yml
But nothing happened, so I tried to redeploy one of them with
ceph orch daemon redeploy rgw.pech.pech-mon-3.upnvrd
It redeployed the RGW, but still uses the old certificate.
ceph config-key list | grep rgw
gives me two keys of interest mgr/cephadm/spec.rgw.pech and rgw/cert/rgw.pech
The content of mgr/cephadm/spec.rgw.pech is the new spec file with the updated
certificates, but the rgw/cert/rgw.pech only contains certificate and private
key, but the certificate is the old ones about to expire.
I have looked in the documentation and can't find how to update the certificate
for RGW.
Can anyone shed some light on how to replace the certificate?
--
Kai Stian Olstad
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
