Re: [EXTERNAL] How to change RGW certificate in Cephadm?

On Wed, Jun 14, 2023 at 03:43:17PM +0000, Beaman, Joshua wrote:
Do you have an ingress service for HAProxy/keepalived?  If so, that’s the service that you will need to have orch redeploy/restart.  If not, maybe try `ceph orch redeploy pech` ?

No ingress, but we did have it running at one time with spec file

  service_type: ingress
  service_id: rgw.pech

This was removed a while ago with

  ceph orch rm ingress.rgw.pech

because haproxy did not have sane values for our environment, timeout was too
low and it was hard coded.

We then applied the spec file in my previous mail. So we are only running
multiple RGW with SSL. Load balancing and HA is done with PowerDNS with
LUA-records.


ceph orch redeploy pech only gives me an error

  pech is not a valid daemon name


We have a service named rgw.pech

  ceph orch ls --service_name=rgw.pech
  NAME      PORTS  RUNNING  REFRESHED  AGE  PLACEMENT
  rgw.pech  ?:443      7/7  4m ago     22h  label:cog

But running

  ceph orch redeploy rgw.pech

will redeploy all 7 RGW, and would be the same as

  ceph orch daemon redeploy rgw.pech.pech-mon-3.upnvrd

but only redeploy one of them.

From: Kai Stian Olstad <ceph+list@xxxxxxxxxx>
The certificate is about to expire so I would like to update it.
I updated rgw.yml spec with the new certificate and ran
  ceph orch apply -i /etc/ceph/rgw.yml

But nothing happened, so I tried to redeploy one of them with
  ceph orch daemon redeploy rgw.pech.pech-mon-3.upnvrd

It redeployed the RGW, but still uses the old certificate.


  ceph config-key list | grep rgw
gives me two keys of interest mgr/cephadm/spec.rgw.pech and rgw/cert/rgw.pech

The content of mgr/cephadm/spec.rgw.pech is the new spec file with the updated
certificates, but the rgw/cert/rgw.pech only contains certificate and private
key, but the certificate is the old one, about to expire.

When I run

  ceph orch daemon redeploy rgw.pech.pech-mon-3.upnvrd

The log says it is using rgw/cert/rgw.pech which contains the old certificate.

  0 framework: beast
  0 framework conf key: ssl_port, val: 443
  0 framwwork conf key: ssl_certificate, val: config://rgw/cert/rgw.pech

--
Kai Stian Olstad
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
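
Added example, not part of the original mails: a small check for the drift described in the thread, where mgr/cephadm/spec.rgw.pech already holds the renewed certificate while rgw/cert/rgw.pech, the key RGW loads, still holds the old one. It fingerprints the first PEM certificate in each value and compares them. The spec field name rgw_frontend_ssl_certificate, the "leaf certificate comes first" ordering and the sample PEM data are assumptions made for the example.

```python
import base64
import hashlib
import re
import ssl
import subprocess

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def cert_fingerprints(text):
    """SHA-256 of the DER bytes of every PEM certificate found in text, in order."""
    # Assumption: the stored spec may hold newlines as literal "\n" escapes.
    text = text.replace("\\n", "\n")
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()
            for pem in PEM_RE.findall(text)]


def cert_drift(spec_text, served_text):
    """Compare the first (assumed leaf) certificate of the spec with the one RGW loads."""
    spec, served = cert_fingerprints(spec_text), cert_fingerprints(served_text)
    if not spec or not served:
        raise ValueError("no PEM certificate found in one of the inputs")
    return {"spec": spec[0], "served": served[0], "in_sync": spec[0] == served[0]}


def config_key(name):
    """Read a key from a live cluster (needs the ceph CLI and an admin keyring)."""
    return subprocess.run(["ceph", "config-key", "get", name], check=True,
                          capture_output=True, text=True).stdout


def constructed_pem(payload):
    """Constructed stand-in: PEM framing around arbitrary bytes, not a real X.509 cert."""
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def demo():
    """State from the thread, with constructed data: renewed cert in spec, old one stored."""
    old, new = constructed_pem(b"old cert, about to expire"), constructed_pem(b"renewed cert")
    # Field name is an assumption; the spec file itself is not shown in this mail.
    spec = "rgw_frontend_ssl_certificate: |\n" + "".join("  " + l for l in new.splitlines(True))
    served = old + "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n"
    return cert_drift(spec, served)


if __name__ == "__main__":
    # On a cluster: cert_drift(config_key("mgr/cephadm/spec.rgw.pech"), config_key("rgw/cert/rgw.pech"))
    print(demo())
```

An in_sync value of False after `ceph orch apply` means the daemons will keep serving the old certificate however often they are redeployed, which matches the behaviour reported above.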



