Bug #57924
openmgr/dashboard: fails with "Module 'dashboard' has failed: key type unsupported" when using letsencrypt ec certificates
Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
Description of problem
After generating a recent certificate with Let's Encrypt and configuring the dashboard to use it, the dashboard is not working anymore.
Environment
- ceph version string: ceph version 17.2.5 (98318ae89f1a893a6ded3a640405cdbb33e08757) quincy (stable)
- Platform (OS/distro/release): Debian
- Cluster details (nodes, monitors, OSDs): 30 OSDs on 4 Nodes, 5 Monitors, 2 Managers
- Did it happen on a stable environment or after a migration/upgrade?: happened on stable
- Browser used (e.g.: Version 86.0.4240.198 (Official Build) (64-bit)): irrelevant. There was no service listening anymore.
How reproducible
Steps:
- generate key with dehydrated
- use keys for dashboard
[root@ceph:~] 22 # ceph dashboard set-ssl-certificate-key -i /var/lib/dehydrated/certs/local/privkey.pem
SSL certificate key updated
[root@ceph:~] # ceph dashboard set-ssl-certificate -i /var/lib/dehydrated/certs/local/fullchain.pem
SSL certificate updated
- Restart Manager
ceph mgr fail
-> Now there is no dashboard anymore.
Actual results
Okt 25 14:13:06 cephmgr2 ceph-mgr[1039008]: [prometheus INFO cherrypy.error] [25/Oct/2022:12:13:06] ENGINE Bus STARTING
Okt 25 14:13:06 cephmgr2 ceph-mgr[1039008]: log_channel(cluster) log [ERR] : Unhandled exception from module 'dashboard' while running on mgr.cephmgr2.zvtgjh: key type unsupported
Okt 25 14:13:06 cephmgr2 ceph-mgr[1039008]: dashboard.serve:
Okt 25 14:13:06 cephmgr2 conmon[1039003]: 2022-10-25T12:13:06.163+0000 7fc726376700 -1 log_channel(cluster) log [ERR] : Unhandled exception from module 'dashboard' while running on mgr.cephmgr2.zvtgjh: key type unsupported
Okt 25 14:13:06 cephmgr2 conmon[1039003]: 2022-10-25T12:13:06.167+0000 7fc726376700 -1 dashboard.serve:
Okt 25 14:13:06 cephmgr2 conmon[1039003]: 2022-10-25T12:13:06.167+0000 7fc726376700 -1 Traceback (most recent call last):
Okt 25 14:13:06 cephmgr2 conmon[1039003]:   File "/usr/share/ceph/mgr/dashboard/module.py", line 508, in serve
Okt 25 14:13:06 cephmgr2 conmon[1039003]:     uri = self.await_configuration()
Okt 25 14:13:06 cephmgr2 conmon[1039003]:   File "/usr/share/ceph/mgr/dashboard/module.py", line 211, in await_configuration
Okt 25 14:13:06 cephmgr2 conmon[1039003]:     uri = self._configure()
Okt 25 14:13:06 cephmgr2 conmon[1039003]:   File "/usr/share/ceph/mgr/dashboard/module.py", line 172, in _configure
Okt 25 14:13:06 cephmgr2 conmon[1039003]:     verify_tls_files(cert_fname, pkey_fname)
Okt 25 14:13:06 cephmgr2 conmon[1039003]:   File "/usr/share/ceph/mgr/mgr_util.py", line 638, in verify_tls_files
Okt 25 14:13:06 cephmgr2 conmon[1039003]:     pkey.check()
Okt 25 14:13:06 cephmgr2 conmon[1039003]:   File "/lib/python3.6/site-packages/OpenSSL/crypto.py", line 344, in check
Okt 25 14:13:06 cephmgr2 conmon[1039003]:     raise TypeError("key type unsupported")
Okt 25 14:13:06 cephmgr2 conmon[1039003]: TypeError: key type unsupported
Okt 25 14:13:06 cephmgr2 conmon[1039003]:
Okt 25 14:13:06 cephmgr2 ceph-mgr[1039008]: Traceback (most recent call last):
  File "/usr/share/ceph/mgr/dashboard/module.py", line 508, in serve
    uri = self.await_configuration()
  File "/usr/share/ceph/mgr/dashboard/module.py", line 211, in await_configuration
    uri = self._configure()
  File "/usr/share/ceph/mgr/dashboard/module.py", line 172, in _configure
    verify_tls_files(cert_fname, pkey_fname)
  File "/usr/share/ceph/mgr/mgr_util.py", line 638, in verify_tls_files
    pkey.check()
  File "/lib/python3.6/site-packages/OpenSSL/crypto.py", line 344, in check
    raise TypeError("key type unsupported")
TypeError: key type unsupported

# ceph status
  cluster:
    id:     XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    health: HEALTH_ERR
            Module 'dashboard' has failed: key type unsupported
There was no service listening on port 8443.
Expected results
A Dashboard with a valid Certificate
Additional info
Workaround:
- remove cert/key when manager dashboard does not work:
# ceph config-key rm mgr/dashboard/cert
key deleted
# ceph config-key rm mgr/dashboard/key
key deleted
# force dehydrated to use rsa private key:
dehydrated --algo rsa -x -c
# now use the rsa cert
cd /var/lib/dehydrated/certs/local/
ceph config-key set mgr/dashboard/crt -i fullchain.pem
ceph config-key set mgr/dashboard/key -i privkey.pem
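
A pre-flight check for the failure reported above, as an added example that is not part of the original report or of Ceph's code: it classifies a PEM private key as RSA or EC with the Python standard library only, so an EC key like the one that led to "key type unsupported" in pkey.check() can be spotted before it is handed to ceph dashboard set-ssl-certificate-key. The function names and the sample keys (placeholder bytes, not usable keys) are constructed for illustration.

```python
import base64
import re

# DER-encoded algorithm OIDs from a PKCS#8 AlgorithmIdentifier.
PKCS8_OIDS = {
    bytes.fromhex("2a864886f70d010101"): "RSA",  # 1.2.840.113549.1.1.1 rsaEncryption
    bytes.fromhex("2a8648ce3d0201"): "EC",       # 1.2.840.10045.2.1 id-ecPublicKey
}
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]*)PRIVATE KEY-----(.*?)-----END \1PRIVATE KEY-----", re.S)
# Constructed sample: SEC1 framing with placeholder content, not a usable key.
CONSTRUCTED_SEC1_EC = "-----BEGIN EC PRIVATE KEY-----\nAAAA\n-----END EC PRIVATE KEY-----\n"

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def private_key_type(pem_text):
    """Classify the first PEM private key block without decrypting or using it."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM private key block found")
    label = m.group(1).strip()
    if label in ("RSA", "EC"):             # PKCS#1 / SEC1: the label names the algorithm
        return label
    if label:                              # e.g. ENCRYPTED: cannot inspect without passphrase
        return label.lower()
    der = base64.b64decode("".join(m.group(2).split()))
    _, info, _ = read_tlv(der, 0)          # PrivateKeyInfo SEQUENCE
    _, _, pos = read_tlv(info, 0)          # skip INTEGER version
    _, alg_id, _ = read_tlv(info, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("malformed PKCS#8 AlgorithmIdentifier")
    return PKCS8_OIDS.get(oid, "unknown")

def constructed_pkcs8(oid_hex):
    """Constructed sample: PKCS#8 framing around placeholder bytes, not a usable key."""
    oid = bytes.fromhex(oid_hex)
    alg_id = bytes([0x06, len(oid)]) + oid + b"\x05\x00"
    info = b"\x02\x01\x00" + bytes([0x30, len(alg_id)]) + alg_id + b"\x04\x04" + bytes(4)
    b64 = base64.b64encode(bytes([0x30, len(info)]) + info).decode()
    return f"-----BEGIN PRIVATE KEY-----\n{b64}\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, pem in (("sec1", CONSTRUCTED_SEC1_EC), ("pkcs8", constructed_pkcs8("2a8648ce3d0201"))):
        print(name, private_key_type(pem))
```

On a real host, read privkey.pem and pass its text to private_key_type(); a result other than "RSA" matches the situation in this report, where the workaround was to reissue with dehydrated --algo rsa.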