Hi,
I'm not sure if it's a sufficient answer, but we use our own CA and
have it integrated with a ca-bundle mapping as extra_container_args
for the rgw daemons:
extra_container_args:
  - -v=/var/lib/ca-certificates/:/var/lib/ca-certificates/:ro
  - -v=/var/lib/ca-certificates/ca-bundle.pem:/etc/pki/tls/certs/ca-bundle.crt:ro
The ceph container checks /etc/pki/tls/certs/ca-bundle.crt by default
(/etc/krb5.conf), and sometimes we need the /var/lib/ca-certificates/
path as well, so I configured both. That seems to work well, but I
don't have multisite enabled. To verify I did a curl test from within
the container to the rgw endpoint and got a valid response.
This is from a test cluster on Reef. This is not yet in our production
cluster, maybe I'll add that as well during a maintenance window, but
for now it's not required.
Regards,
Eugen
Quoting "Alex Hussein-Kershaw (HE/HIM)" <alexhus@xxxxxxxxxxxxx>:
Hi ceph-users!
I'm going through the process of migrating to use cephadm for my
clusters. Previously I used ceph-ansible. My question is essentially
"How can I configure RGW multisite with self-signed certificates
with cephadm?". I have prototyped the migration and redeployed RGWs.
Everything on my adopted site is running the latest version of Reef
(18.2.2). The remote site is using Octopus as historically deployed
with ceph-ansible.
My RGWs on both sites are up and I can make requests to them, but
they are failing to sync, and "radosgw-admin sync status" shows a
generic input/output error. Taking some network capture I can see
that the TLS handshake is failing with "Unknown CA", so it looks
like the RGWs don't trust my self-signed certificate, I suppose
that's not a surprise.
However, I can't work out how to establish the trust. I've tried
mounting in the /etc/pki directory from the machine it's running on
into the RGW containers, which does contain the self-signed CA, but
I still see errors in my multi-site sync. I did notice that I can
curl from within the containers successfully to the remote HTTPS
RGWs after this though, so it did do something. Where do the RGWs
infer which CAs to trust from?
I should also mention that when stepping all the RGWs down to HTTP
the sync works with no issues (I was nervous about the Reef to
Octopus pairing, but it seems fine).
Kind regards,
Alex
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx