Hi,
I came across [1] and wanted to try to have all certificates/keys in
one file. But it appears that the validation happens only against the
first cert. So what I did was to concatenate all certs/keys into one
file, then added that to ceph:
ceph config-key set rgw/cert/rgw.realm.zone -i all-hosts.cert.pem
ceph orch redeploy rgw
The daemons pick up the config correctly and start, but running a curl
only succeeds for the first in the list:
# first host ok
curl https://host3.domain:443
<?xml version="1.0" encoding="UTF-8"?><ListAllMyBucketsResult...
# second host fails
curl -v https://host4.domain:443
...
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: [...] CN=host3.domain; emailAddress=[...]
* start date: Jul 18 09:59:07 2024 GMT
* expire date: Aug 17 09:59:07 2025 GMT
* subjectAltName does not match host4.domain
* SSL: no alternative certificate subject name matches target host name 'host4.domain'
This is still on Pacific 16.2.13 (testing something for a customer).
What I tried in a Reef cluster was to set the certs per host by
mapping the cert directory into the containers, then changing this
config:
ceph config set client.rgw.realm.hostname.suffix rgw_frontends "beast ssl_port=443 ssl_certificate=/etc/ceph/mycert.pem"
And after restarting the daemon, it seems to work. So my question is,
how do you deal with per-host certificates and rgw? Any comments are
appreciated.
Thanks!
Eugen
[1] https://lists.ceph.io/hyperkitty/list/ceph-users@xxxxxxx/message/F2GXMK6PE2ULJPZMGPVWCZ6AKZIKNDKJ/
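The check below is an added example, not part of the post above and not Ceph's or cephadm's own tooling. It does offline what the `curl -v` run in the post did over the network: it splits a concatenated PEM bundle like all-hosts.cert.pem into its individual certificates, reads each one's subjectAltName, and reports which certificate (if any) in the bundle covers a given hostname, so that a bundle can be inspected before it is handed to `ceph config-key set rgw/cert/...`. The `openssl x509 -in bundle.pem` line in the demo shows that a single-file reader only ever sees the first PEM block, which is the behaviour the post observed at the RGW frontend. The hostnames host3.domain, host4.domain and host5.domain are the constructed names from the post; `presented_cert_subject` is a helper for the live SNI check and needs network access, so the demo does not call it.

```shell
#!/bin/sh
# Added example (not from the post or from Ceph): inspect a PEM bundle and check
# which certificate in it covers a hostname, the way a reviewer would before
# deploying a single all-hosts bundle to RGW.

# Split a PEM bundle ($1) into cert-NN.pem files under directory $2.
# Prints the number of certificates found; private-key blocks are skipped.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        n > 0 && out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }
    ' "$1"
}

# Print the DNS names from the subjectAltName of certificate file $1, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Does SAN entry $1 cover hostname $2?  Exact match, or a single-label wildcard
# (*.example.org covers a.example.org but not b.a.example.org); case-insensitive.
san_matches() {
    san=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$san" in
        \*.*)
            case "$host" in
                *.*) [ "${host#*.}" = "${san#\*.}" ] ;;
                *)   return 1 ;;
            esac ;;
        *) [ "$san" = "$host" ] ;;
    esac
}

# Print the first cert-*.pem under directory $1 whose SAN covers hostname $2;
# return 1 when no certificate in the bundle covers it.
cert_for_host() {
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        for san in $(cert_dns_names "$f"); do
            if san_matches "$san" "$2"; then printf '%s\n' "$f"; return 0; fi
        done
    done
    return 1
}

# Subject of the certificate an endpoint presents when asked for name $1 via SNI
# on port $2 (default 443): the live per-host check `curl -v` did in the post.
presented_cert_subject() {
    openssl s_client -servername "$1" -connect "$1:${2:-443}" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
}

# Demo with two constructed self-signed certificates, one per host, concatenated
# with their keys into one bundle as the post describes.  Run: sh this.sh demo
demo() {
    work=$(mktemp -d)
    for h in host3.domain host4.domain; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$h" \
            -addext "subjectAltName=DNS:$h" \
            -keyout "$work/$h.key" -out "$work/$h.crt" 2>/dev/null
    done
    cat "$work"/*.crt "$work"/*.key > "$work/all-hosts.cert.pem"
    # A reader that takes one certificate from a file only sees the first block:
    echo "first block only: $(openssl x509 -in "$work/all-hosts.cert.pem" -noout -subject)"
    n=$(split_pem_bundle "$work/all-hosts.cert.pem" "$work/split")
    echo "bundle contains $n certificates"
    for h in host3.domain host4.domain host5.domain; do
        if f=$(cert_for_host "$work/split" "$h"); then
            echo "$h -> $f"
        else
            echo "$h -> no certificate in bundle covers this name"
        fi
    done
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

`cert_dns_names` relies on `openssl x509 -ext`, which exists from OpenSSL 1.1.1 onwards; the splitting and name-matching functions are plain awk and shell so they work without OpenSSL, and `san_matches` deliberately implements only the single-label wildcard rule, since a `*.domain` entry does not cover `a.b.domain`.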
ceph-users mailing list -- ceph-users@xxxxxxx