fqdn on the dashboard needs working certificate validation.
"Squid did cert work inline → bad cert raised crypto.Error → caught and
rewrapped as ServerConfigException cleanly. Tentacle does cert work via a
subprocess; failures can now come from (a) the fork itself, (b) PyO3
init crashing in the child (the documented subinterpreter collision), or (c)
genuine cert errors marshalled back as JSON. When (b) happens, the
dashboard module's cert provisioning never completes, the module ends up
half-initialized, and downstream dashboard→RGW calls fail with
SignatureDoesNotMatch because the dashboard is operating without
properly loaded credentials/sigv4 plumbing."
On 5/23/26 17:54, Eugen Block via ceph-users wrote:
Hi,
I might be wrong, but I don't think it's a cert issue. If you look in
the mgr log, do you see more information than just the
SignatureDoesNotMatch error?
Could it be mismatching dashboard-rgw-api settings? Have you checked
these settings?
ceph dashboard get-rgw-api-admin-resource
ceph dashboard get-rgw-api-access-key
ceph dashboard get-rgw-api-secret-key
They should match with:
radosgw-admin user info --uid dashboard | jq -r '.keys'
But as I wrote, it might be something else, I would expect the mgr log to
contain more details.
Regards
Eugen
Quoting Iztok Gregori via ceph-users <[email protected]>:
Hi to all!
After upgrading my cluster from squid to tentacle (now on 20.2.1) I'm
getting the following error when I try to access any 'page' in the
Object section of the Ceph Dashboard:
Error connecting to Object Gateway: RGW REST API failed request with
status code 403
(b'{"Code":"SignatureDoesNotMatch","Message":"","RequestId":"tx0000000b5bf42356'
b'85174-006a0d95b0-308299-eros","HostId":"308299-zone-default"}')
I'm pretty sure that in Squid it was working (I don't usually access
the Dashboard, but I did after the upgrade to check if everything is
ok).
The error 'SignatureDoesNotMatch' leads me to believe that there is a
problem somewhere with the SSL certificates. But I put
RGW_API_SSL_VERIFY to false...
I have an SSL certificate (issued by harica.gr) which has different
SANs including the hostname of all the nodes where RGW daemon is
running (plus a cluster hostname and a wildcard hostname). I used
this certificate for the ingress service and for the rgw daemons.
Everything is done with a spec file using ceph orchestrator. I'm
using the fullchain for the certificates and the rgw/ingress
services are running without any problem.
Or I'm completely wrong and the problem itself is with the access
permissions (error code 403)?
Any ideas?
Thanks
Iztok
--
Iztok Gregori
ICT Systems and Services
Elettra - Sincrotrone Trieste S.C.p.A.
_______________________________________________
ceph-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
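The key comparison suggested in the thread, as an added example that is not part of any message above: it checks the dashboard's RGW API keys against the `radosgw-admin user info --uid dashboard` output without printing the secret. The function names and sample keys are constructed, and it assumes the two `ceph dashboard get-rgw-api-*-key` commands return one plain key each rather than a per-daemon mapping.

```python
import hashlib
import hmac
import json
import subprocess

# Constructed sample of `radosgw-admin user info --uid dashboard` output (not real keys).
SAMPLE_USER_INFO = json.dumps({
    "user_id": "dashboard",
    "keys": [{"user": "dashboard", "access_key": "EXAMPLEACCESSKEY0001",
              "secret_key": "exampleSecretKeyValue0001"}],
})


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix so a secret can be referred to without printing it."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def compare_keys(dash_access: str, dash_secret: str, user_info_json: str) -> str:
    """Return 'match', 'secret_mismatch' or 'access_key_unknown'."""
    # CLI output ends with a newline; strip it so it cannot cause a false mismatch.
    dash_access, dash_secret = dash_access.strip(), dash_secret.strip()
    for key in json.loads(user_info_json).get("keys", []):
        if key["access_key"] == dash_access:
            same = hmac.compare_digest(key["secret_key"].encode(), dash_secret.encode())
            return "match" if same else "secret_mismatch"
    return "access_key_unknown"


def fetch_live():
    """Run the commands quoted in the thread on a node with an admin keyring.
    Assumption: each dashboard command prints a single plain key."""
    def out(*cmd):
        return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return (out("ceph", "dashboard", "get-rgw-api-access-key"),
            out("ceph", "dashboard", "get-rgw-api-secret-key"),
            out("radosgw-admin", "user", "info", "--uid", "dashboard"))


if __name__ == "__main__":
    # Offline demo on the constructed sample; use fetch_live() on a cluster instead.
    access, secret = "EXAMPLEACCESSKEY0001\n", "staleSecretFromOldConfig\n"
    result = compare_keys(access, secret, SAMPLE_USER_INFO)
    print(result, "dashboard secret fingerprint:", fingerprint(secret.strip()))
```

A `secret_mismatch` or `access_key_unknown` result means RGW computes a different SigV4 signature than the dashboard sends, independent of any TLS verification setting.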