On 06/06/2025 at 18:14:52+0000, Eugen Block wrote:
Hi,
>
> I don't have a good explanation for you, but it should be a workaround. I've
> been looking into all kinds of variations with concatenated certs etc., but
> what works for me is to set the mentioned config-key. You can find an
> example in the (old-ish) SUSE docs [0].
>
>   ceph config-key set rgw/cert/{REALM}/{zone}.key
>
> So in your case you should set the private key like:
>
>   ceph config-key set rgw/cert/obspm/meudon.key -i your-private.key
>
> Let us know if that works for you, or are you not willing to retry again
> with ssl enabled? ;-)

So... here is the conclusion of my tests:

1/ If I use this yaml file

  service_type: rgw
  service_id: s3storage
  rgw_realm: obspm
  rgw_zonegroup: dio
  rgw_zone: meudon
  placement:
    label: services
    count_per_host: 1
  spec:
    rgw_frontend_port: 8080
    zone_endpoints: https://cthulhu1.obspm.fr:8080, https://cthulhu2.obspm.fr:8080, https://cthulhu3.obspm.fr:8080, https://cthulhu4.obspm.fr:8080, https://cthulhu5.obspm.fr:8080
    ssl: true

meaning without rgw_frontend_ssl_certificate

It's not working even if I put the config-key manually.

2/ If I use the same file but with rgw_frontend_ssl_certificate

whatever I put inside the value of the key, the

  ceph config-key dump rgw/cert/obspm/meudon.crt
  ceph config-key dump rgw/cert/obspm/meudon.pem

are always empty

But I put the config-key manually

  ceph config-key set

it's working.

I've no idea why that is.

Anyway big thanks.

Thanks.

>
> [0]
> https://documentation.suse.com/ses/7.1/single-html/ses-admin/#ogw-sssl-config
>
> Quoting Albert Shih <albert.s...@obspm.fr>:
>
> > On 06/06/2025 at 11:41:46+0000, Michael Worsham wrote:
> > Hi,
> >
> > >
> > > service_type: rgw
> > > service_id: encrypted_rgw
> > > placement:
> > >   label: encrypted
> > >   count_per_host: 1
> > > networks:
> > >   - your-network/24
> > > spec:
> > >   rgw_frontend_port: 8101
> > >   ssl: true
> > >   rgw_frontend_ssl_certificate: |
> > >
> > > It should follow the certificate chain your SSL provider gives,
> > > generally the order would be: Your Certificate → Intermediary
> > > Certificate(s) → Root Certificate → Private Key
> >
> > Thanks... but that's not working.
> >
> > First I check (again) the certificates (we use the same certificates and
> > chain CA on our website).
> >
> > Then I try every possible combination (well not all, didn't try random
> > order ;-) )
> >
> > I check with openssl that the key is correct against the certificate.
> >
> > I check the yaml is correctly formatted.
> >
> > But not working.
> >
> > Too much wasted time, I will just run the rgw without ssl, after all I got a
> > haproxy in the front and it got the certificate without an issue.
> >
> > But if someone knows where the problem is I will be glad to know and learn
> > something.
> >
> > Thanks again.
> >
> > Regards
> >
> > > Hi everyone.
> > >
> > > I'm trying to configure a RGW for S3.
> > >
> > > I'm currently running reef 18.2.7
> > >
> > > I was able to get the rgw working (= the service is up and listening on
> > > the correct port) without ssl.
> > >
> > > I'm trying to configure the ssl port and I didn't find the correct syntax
> > > for that.
> > >
> > > I create a yaml file with something like
> > >
> > > spec:
> > >   rgw_frontend_port: 8080
> > >   zone_endpoints: https://host1:8080, https://host2:8080,etc.
> > >   ssl: true
> > >   rgw_frontend_ssl_certificate: |
> > >     -----BEGIN RSA PRIVATE KEY-----
> > >     ....
> > >     -----END RSA PRIVATE KEY-----
> > >     -----BEGIN CERTIFICATE-----
> > >     .....
> > >     -----END CERTIFICATE-----
> > >
> > > or with the whole chain of CA
> > >
> > > spec:
> > >   rgw_frontend_port: 8080
> > >   zone_endpoints: https://host1:8080, https://host2:8080,etc.
> > >   ssl: true
> > >   rgw_frontend_ssl_certificate: |
> > >     -----BEGIN RSA PRIVATE KEY-----
> > >     ....
> > >     -----END RSA PRIVATE KEY-----
> > >     -----BEGIN CERTIFICATE-----
> > >     .....
> > >     -----END CERTIFICATE-----
> > >     -----BEGIN CERTIFICATE-----
> > >     .....
> > >     -----END CERTIFICATE-----
> > >     .....
> > >     -----BEGIN CERTIFICATE-----
> > >     .....
> > >     -----END CERTIFICATE-----
> > >
> > > both are not working, the journalctl says
> > >
> > >   ssl_private_key was not found: rgw/cert/obspm/meudon.key
> > >
> > > I found somewhere on the net this syntax
> > >
> > > spec:
> > >   rgw_frontend_port: 8080
> > >   zone_endpoints: https://host1:8080, https://host2:8080,etc.
> > >   ssl: true
> > >   ssl_private_key: |
> > >     -----BEGIN RSA PRIVATE KEY-----
> > >     ....
> > >     -----END RSA PRIVATE KEY-----
> > >   ssl_certificate: |
> > >     -----BEGIN CERTIFICATE-----
> > >     .....
> > >     -----END CERTIFICATE-----
> > >
> > > and I got
> > >
> > >   Error EINVAL: ServiceSpec: __init__() got an unexpected keyword argument
> > >   'ssl_private_key'
> > >
> > > Any clue?
> > >
> > > Regards
> > >
> > > --
> > > Albert SHIH 🦫 🐸
> > > France
> > > Local time:
> > > Fri. 06 June 2025 10:47:08 CEST
> > --
> > Albert SHIH 🦫 🐸
> > Observatoire de Paris
> > France
> > Local time:
> > Fri. 06 June 2025 16:44:45 CEST

--
Albert SHIH 🦫 🐸
Observatoire de Paris
France
Local time:
Mon. 09 June 2025 15:50:35 CEST
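
Added example, not part of the thread and not Ceph's own tooling: a shell helper that splits a combined PEM bundle (like the one pasted into rgw_frontend_ssl_certificate) into private key and certificate chain, checks with openssl that the key belongs to the first certificate, and prints the config-key commands for review. The function and file names are assumptions; the .key path comes from the journalctl error and the .crt path from the dump command in the thread, and storing the chain under that .crt key is an assumption.

```shell
#!/usr/bin/env bash
# Added example: split a PEM bundle, verify key/cert pairing, print the
# `ceph config-key set` commands. Nothing is written to the cluster.

# Print only the PEM blocks whose BEGIN line matches the regex in $1.
pem_blocks() {  # usage: pem_blocks REGEX FILE
  awk -v want="$1" '
    /^-----BEGIN / { keep = ($0 ~ want) }
    keep           { print }
    /^-----END /   { keep = 0 }
  ' "$2"
}

# Count the PEM blocks whose BEGIN line matches the regex in $1.
pem_count() {  # usage: pem_count REGEX FILE
  awk -v want="$1" '/^-----BEGIN / && $0 ~ want { n++ } END { print n + 0 }' "$2"
}

# True when the private key and the first certificate share a public key.
key_matches_cert() {  # usage: key_matches_cert KEYFILE CHAINFILE
  kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Config-key path in the form seen in the thread: rgw/cert/<realm>/<zone>.<ext>
config_key_path() { printf 'rgw/cert/%s/%s.%s\n' "$1" "$2" "$3"; }

main() {  # usage: main BUNDLE REALM ZONE
  dir=$(mktemp -d) || return 1      # holds the key: remove it when done
  ( umask 077
    pem_blocks 'PRIVATE KEY-----$' "$1" > "$dir/rgw.key"
    pem_blocks 'CERTIFICATE-----$' "$1" > "$dir/rgw.crt" )
  [ "$(pem_count 'PRIVATE KEY-----$' "$1")" -eq 1 ] ||
    { echo "expected exactly one private key in $1" >&2; return 1; }
  [ "$(pem_count 'CERTIFICATE-----$' "$1")" -ge 1 ] ||
    { echo "no certificate found in $1" >&2; return 1; }
  key_matches_cert "$dir/rgw.key" "$dir/rgw.crt" ||
    { echo "private key does not match the first certificate" >&2; return 1; }
  echo "ceph config-key set $(config_key_path "$2" "$3" key) -i $dir/rgw.key"
  # Assumption: the chain is stored under the .crt path dumped in the thread.
  echo "ceph config-key set $(config_key_path "$2" "$3" crt) -i $dir/rgw.crt"
}

# Run only when called with BUNDLE REALM ZONE, e.g. bundle.pem obspm meudon.
if [ "$#" -eq 3 ]; then main "$@"; fi
```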