I don't have a good explanation for you, but it should be a workaround. I've
been looking into all kinds of variations with concatenated certs etc., but
what works for me is to set the mentioned config-key. You can find an
example in the (old-ish) SUSE docs [0].

    ceph config-key set rgw/cert/{REALM}/{zone}.key

So in your case you should set the private key like:

    ceph config-key set rgw/cert/obspm/meudon.key -i your-private.key

Let us know if that works for you, or are you not willing to retry again
with ssl enabled? ;-)

[0] https://documentation.suse.com/ses/7.1/single-html/ses-admin/#ogw-sssl-config

Quoting Albert Shih <albert.s...@obspm.fr>:
> On 06/06/2025 at 11:41:46+0000, Michael Worsham wrote
> Hi,
>
> >
> > service_type: rgw
> > service_id: encrypted_rgw
> > placement:
> >   label: encrypted
> >   count_per_host: 1
> > networks:
> > - your-network/24
> > spec:
> >   rgw_frontend_port: 8101
> >   ssl: true
> >   rgw_frontend_ssl_certificate: |
> >
> > It should follow the certificate chain your SSL provider gives,
> > generally the order would be: Your Certificate → Intermediary
> > Certificate(s) → Root Certificate → Private Key
>
> Thanks...but that's not working.
>
> First I check (again) the certificates (we use the same certificates and CA chain
> on our website).
>
> Then I try every possible combination (well not all, didn't try random
> order ;-) )
>
> I check with openssl that the key is correct against the certificate.
>
> I check the yaml is correctly formatted.
>
> But not working.
>
> Too much wasted time, I will just run the rgw without ssl, after all I got a
> haproxy in the front and it got the certificate without an issue.
>
> But if someone knows where the problem is I will be glad to know and learn
> something.
>
>
>
> Thanks again.
>
> Regards
> >
> > Hi everyone.
> >
> > I'm trying to configure a RGW for S3.
> >
> > I'm currently running reef 18.2.7
> >
> > I was able to get the rgw working (= the service is up and listening on the
> > correct port) without ssl.
> >
> > I'm trying to configure the ssl port and I didn't find the correct syntax
> > for that.
> >
> > I create a yaml file with something like
> >
> > spec:
> >   rgw_frontend_port: 8080
> >   zone_endpoints: https://host1:8080, https://host2:8080,etc.
> >   ssl: true
> >   rgw_frontend_ssl_certificate: |
> >     -----BEGIN RSA PRIVATE KEY-----
> >     ....
> >     -----END RSA PRIVATE KEY-----
> >     -----BEGIN CERTIFICATE-----
> >     .....
> >     -----END CERTIFICATE-----
> >
> > or with the whole CA chain
> >
> > spec:
> >   rgw_frontend_port: 8080
> >   zone_endpoints: https://host1:8080, https://host2:8080,etc.
> >   ssl: true
> >   rgw_frontend_ssl_certificate: |
> >     -----BEGIN RSA PRIVATE KEY-----
> >     ....
> >     -----END RSA PRIVATE KEY-----
> >     -----BEGIN CERTIFICATE-----
> >     .....
> >     -----END CERTIFICATE-----
> >     -----BEGIN CERTIFICATE-----
> >     .....
> >     -----END CERTIFICATE-----
> >     .....
> >     -----BEGIN CERTIFICATE-----
> >     .....
> >     -----END CERTIFICATE-----
> >
> > both are not working, the journalctl says
> >
> > ssl_private_key was not found: rgw/cert/obspm/meudon.key
> >
> > I find somewhere on the net this syntax
> >
> > spec:
> >   rgw_frontend_port: 8080
> >   zone_endpoints: https://host1:8080, https://host2:8080,etc.
> >   ssl: true
> >   ssl_private_key: |
> >     -----BEGIN RSA PRIVATE KEY-----
> >     ....
> >     -----END RSA PRIVATE KEY-----
> >   ssl_certificate: |
> >     -----BEGIN CERTIFICATE-----
> >     .....
> >     -----END CERTIFICATE-----
> >
> > and I got
> >
> > Error EINVAL: ServiceSpec: __init__() got an unexpected keyword argument
> > 'ssl_private_key'
> >
> >
> > Any clue ?
> >
> > Regards
> >
> > --
> > Albert SHIH 🦫 🐸
> > France
> > Heure locale/Local time:
> > ven. 06 juin 2025 10:47:08 CEST
> > _______________________________________________
> > ceph-users mailing list -- ceph-users@ceph.io
> > To unsubscribe send an email to ceph-users-le...@ceph.io
> --
> Albert SHIH 🦫 🐸
> Observatoire de Paris
> France
> Heure locale/Local time:
> ven. 06 juin 2025 16:44:45 CEST
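
The workaround from the reply at the top of this message, as an added example (not part of the original thread and not Ceph project code): it splits a combined PEM bundle into the private key and the certificate chain, checks with openssl that they belong together, and prints the `ceph config-key set` command for the key name in the form shown by the log line. The function names, output file names and script arguments are assumptions.

```shell
#!/bin/sh
# Added example: names of functions, files and arguments are assumptions.

# Print the PEM blocks in file $2 whose BEGIN line matches pattern $1.
pem_blocks() {
    awk -v pat="$1" '
        /^-----BEGIN / { keep = ($0 ~ pat) }
        keep           { print }
        /^-----END /   { keep = 0 }
    ' "$2"
}

# Key name the RGW looks up, in the form shown by the log line in the thread.
rgw_key_name() {
    printf 'rgw/cert/%s/%s.key\n' "$1" "$2"
}

# Split bundle $1 into $2/rgw.key and $2/rgw-chain.crt; fail if either is empty.
split_bundle() {
    ( umask 077   # the key file must not be readable by group or others
      pem_blocks 'PRIVATE KEY' "$1" > "$2/rgw.key"
      pem_blocks 'CERTIFICATE' "$1" > "$2/rgw-chain.crt" )
    [ -s "$2/rgw.key" ] && [ -s "$2/rgw-chain.crt" ]
}

# Succeed only when key $1 and the first certificate in $2 share a public key.
# openssl x509 reads the first certificate, so the leaf must come first.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Usage: sh split-rgw-bundle.sh bundle.pem REALM ZONE
if [ "$#" -eq 3 ]; then
    out=$(mktemp -d) || exit 1
    split_bundle "$1" "$out" || { echo "bundle lacks a key or a certificate" >&2; exit 1; }
    key_matches_cert "$out/rgw.key" "$out/rgw-chain.crt" ||
        { echo "private key does not match the leaf certificate" >&2; exit 1; }
    echo "ceph config-key set $(rgw_key_name "$2" "$3") -i $out/rgw.key"
fi
```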