https://tracker.ceph.com/ 2015-10-19T15:54:07Z Ceph rgw - Documentation #13523: rgw: document civetweb ssl configurationhttps://tracker.ceph.com/issues/13523?journal_id=603102015-10-19T15:54:07ZAnonymous
<ul></ul><p>Jiang,</p>
<p>I've only thus far worked with hammer, so you'll need to confirm this on your firefly installation. However, civetweb by default uses dlopen() to load crypto/ssl libraries. Assuming this code path works on your system (ie. library naming/versioning is not an issue), it should be a matter of correctly specifying 'rgw_frontends'.</p>
<p>Basically, something like: rgw_frontends = civetweb port=443s ssl_certificate=/path/to/your/cert.pem</p>
<p>Note the 's' on the port number is necessary to specify SSL.</p>
<p>Try this out and see how it goes.</p>
<p>-Karol</p> rgw - Documentation #13523: rgw: document civetweb ssl configurationhttps://tracker.ceph.com/issues/13523?journal_id=606192015-10-24T05:34:49ZJiang Yulnsyyj@hotmail.com
<ul></ul><p>Thank you very much, let me try.<br />The reason for configuring civetweb is that apache + fastcgi in our production environment uses two domain names. When browser JS calls radosgw, there are cross-domain problems. The browser sends the OPTIONS request, which radosgw does not recognize.<br />Under normal circumstances the steps are:<br />1. The browser starts with an OPTIONS request<br />2. The server replies with the cross-domain license<br />3. The browser sends a GET request<br />4. The server replies with data<br />However, at step 2 the server replies 403; because the browser cannot receive the cross-domain license, it will not send a GET request.<br />Is there a better way to handle it?</p> rgw - Documentation #13523: rgw: document civetweb ssl configurationhttps://tracker.ceph.com/issues/13523?journal_id=609362015-11-02T20:08:35ZNathan Cutlerncutler@suse.cz
<ul><li><strong>Project</strong> changed from <i>Ceph</i> to <i>rgw</i></li></ul> rgw - Documentation #13523: rgw: document civetweb ssl configurationhttps://tracker.ceph.com/issues/13523?journal_id=742132016-07-11T23:24:49ZRussell Islammisla011@fiu.edu
<ul></ul><p>Any documentation available?</p> rgw - Documentation #13523: rgw: document civetweb ssl configurationhttps://tracker.ceph.com/issues/13523?journal_id=743042016-07-12T18:21:40ZYehuda Sadehyehuda@redhat.com
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Documentation</i></li><li><strong>Subject</strong> changed from <i>How do I configure civetweb use https</i> to <i>rgw: document civetweb ssl configuration</i></li><li><strong>Assignee</strong> set to <i>Marcus Watts</i></li></ul> rgw - Documentation #13523: rgw: document civetweb ssl configurationhttps://tracker.ceph.com/issues/13523?journal_id=743052016-07-12T18:22:11ZYehuda Sadehyehuda@redhat.com
<ul><li><strong>Priority</strong> changed from <i>Normal</i> to <i>High</i></li></ul> rgw - Documentation #13523: rgw: document civetweb ssl configurationhttps://tracker.ceph.com/issues/13523?journal_id=743062016-07-12T18:22:21ZYehuda Sadehyehuda@redhat.com
<ul><li><strong>Release</strong> deleted (<del><i>firefly</i></del>)</li><li><strong>Affected Versions</strong> deleted (<del><i>0.80</i></del>)</li></ul> rgw - Documentation #13523: rgw: document civetweb ssl configurationhttps://tracker.ceph.com/issues/13523?journal_id=752342016-07-22T22:19:21ZRussell Islammisla011@fiu.edu
<ul></ul><p>All the steps for configuring multistage rgw are for http only. Could you please give us the steps for https along with SSL configuration. I tried using the following config.</p>
<p>[client.rgw.ceph-us-east-1]<br />rgw_frontends = civetweb port=443s ssl_certificate=/etc/pki/tls/ca.pem<br />rgw_zone=ceph-us-east-1</p>
<p>Primary zone is fine, but when I try to pull the realm from the west region I get the following curl error.</p>
<pre><code>radosgw-admin realm pull --url=https://ceph-us-east-1:443 --access-key=$SYSTEM_ACCESS_KEY --secret=$SYSTEM_SECRET_KEY<br />request failed: (22) Invalid argument<br />2016-07-22 14:59:30.532614 7ff59310f9c0 0 curl_easy_perform returned error: Peer's certificate issuer has been marked as not trusted by the user.</code></pre>
<p>I think SSL configuration was not done properly for civetweb based gateway.</p>
<p>Any information would be much appreciated.</p>
<p>FYI:<br />steps used for SSL<br />openssl genrsa -out ca.key 2048<br />openssl req -new -key ca.key -out ca.csr -subj "/C=US/ST=California/L=City/O=Company/OU=Linux/CN=www.company.com" <br />openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt<br />cp -f ca.crt /etc/pki/tls/certs<br /> cp -f ca.key /etc/pki/tls/private/ca.key<br /> cp -f ca.csr /etc/pki/tls/private/ca.csr<br />cp ca.crt ca.pem<br />cat ca.key >> ca.pem <br />cp ca.pem /etc/pki/tls/</p> rgw - Documentation #13523: rgw: document civetweb ssl configurationhttps://tracker.ceph.com/issues/13523?journal_id=881742017-03-29T07:17:20ZMarcus Wattsmwatts@redhat.com
<ul></ul><p>Ceph's rados/ssl support has been a bit slower than I would have liked. However, it should be getting better now, and you evidently have found one of the working flavors.</p>
<p>There are 2 things you'll probably want to do with your certificates. (a) you'll want to add "subjectAltName" for entries for all the host names you want your radosgw to be known by. And (b) on the client side you need to make sure the CA is trusted.</p>
<p>For (a) - if using openssl, add: [v3_req] subjectAltName = ${ENV::SAN}, then when running openssl req, prefix with env SAN=DNS:fqdn. Verify your req has "requested extensions: X509v3 Subject Alternative Name:" before signing it,<br />and that the resulting certificate has "X509v3 Subject Alternative Name:".</p>
<p>For (b) - making the CA trusted depends on the distribution as well as which software (openssl, nss, and java apps will look in different places.) For Red Hat distributions, one of the key commands is "update-ca-trust". For Debian based, one equivalent is dpkg-reconfigure ca-certificates. Where you put the ca cert and what else you do is complicated. Putting your ca cert under /etc/pki/tls/certs/ might not be best. Also note Firefox has its own ca store.</p> rgw - Documentation #13523: rgw: document civetweb ssl configurationhttps://tracker.ceph.com/issues/13523?journal_id=1055142018-01-22T19:48:04ZCasey Bodleycbodley@redhat.com
<ul></ul><p><a class="external" href="https://github.com/ceph/ceph/pull/20058">https://github.com/ceph/ceph/pull/20058</a></p>
<p>adds basic documentation for rgw_frontend options</p> rgw - Documentation #13523: rgw: document civetweb ssl configurationhttps://tracker.ceph.com/issues/13523?journal_id=1059482018-01-26T00:20:38ZNathan Cutlerncutler@suse.cz
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Fix Under Review</i></li><li><strong>Assignee</strong> changed from <i>Marcus Watts</i> to <i>Casey Bodley</i></li></ul> rgw - Documentation #13523: rgw: document civetweb ssl configurationhttps://tracker.ceph.com/issues/13523?journal_id=1059502018-01-26T00:22:50ZNathan Cutlerncutler@suse.cz
<ul><li><strong>Duplicated by</strong> <i><a class="issue tracker-6 status-10 priority-4 priority-default closed" href="/issues/13670">Documentation #13670</a>: rgw frontends not mentioned in radosgw config-ref </i> added</li></ul> rgw - Documentation #13523: rgw: document civetweb ssl configurationhttps://tracker.ceph.com/issues/13523?journal_id=1061952018-01-30T18:57:10ZCasey Bodleycbodley@redhat.com
<ul><li><strong>Backport</strong> set to <i>luminous</i></li></ul><p>@Nathan, I'd like to get this documentation backported to luminous, but it won't let me change the `Status` here</p>
<p>also, the backport should probably show '.. versionadded:: Luminous' for Beast (as we're planning to backport any further development), rather than mentioning Mimic</p> rgw - Documentation #13523: rgw: document civetweb ssl configurationhttps://tracker.ceph.com/issues/13523?journal_id=1064352018-02-01T20:36:51ZCasey Bodleycbodley@redhat.com
<ul><li><strong>Copied to</strong> <i><a class="issue tracker-9 status-3 priority-4 priority-default closed" href="/issues/22884">Backport #22884</a>: luminous: rgw: document civetweb ssl configuration</i> added</li></ul> rgw - Documentation #13523: rgw: document civetweb ssl configurationhttps://tracker.ceph.com/issues/13523?journal_id=1065452018-02-02T05:08:38ZNathan Cutlerncutler@suse.cz
<ul><li><strong>Status</strong> changed from <i>Fix Under Review</i> to <i>Pending Backport</i></li></ul> rgw - Documentation #13523: rgw: document civetweb ssl configurationhttps://tracker.ceph.com/issues/13523?journal_id=1065462018-02-02T05:10:07ZNathan Cutlerncutler@suse.cz
<ul></ul><p>@Casey: I thought I had added the "Pending Backport" status to the Documentation tracker already. . . should be fixed now. I had to edit the workflows.</p> rgw - Documentation #13523: rgw: document civetweb ssl configurationhttps://tracker.ceph.com/issues/13523?journal_id=1093272018-03-19T16:52:18ZNathan Cutlerncutler@suse.cz
<ul><li><strong>Status</strong> changed from <i>Pending Backport</i> to <i>Resolved</i></li></ul>
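<p>Added example, not part of the original thread or of Ceph's own documentation: the two certificate steps from Marcus Watts's comment, (a) a server certificate carrying subjectAltName via ${ENV::SAN} and (b) a client-side check against the issuing CA, written as a shell script. The host name rgw.example.test, the CA name and all file names are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example: issue an RGW server certificate with subjectAltName from a
# private CA, then check it the way a client would. All names are constructed.

# make_rgw_cert DIR FQDN -> writes ca.crt, server.crt, server.key, rgw.pem in DIR
make_rgw_cert() {
    dir=$1; fqdn=$2
    SAN="DNS:$fqdn"; export SAN      # consumed by ${ENV::SAN} in req.cnf
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = placeholder
[v3_req]
subjectAltName = ${ENV::SAN}
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Private CA (constructed name); its ca.crt is what clients must trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Constructed Test CA" -config "$dir/req.cnf" \
        -extensions v3_ca -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        2>/dev/null || return 1
    # Server key and CSR carrying the SAN request.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -config "$dir/req.cnf" -keyout "$dir/server.key" \
        -out "$dir/server.csr" 2>/dev/null || return 1
    # Verify the request has the extension before signing it.
    openssl req -in "$dir/server.csr" -noout -text |
        grep -q "X509v3 Subject Alternative Name" || return 1
    # x509 -req does not copy request extensions, so re-apply v3_req.
    openssl x509 -req -in "$dir/server.csr" -days 365 -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/req.cnf" \
        -extensions v3_req -out "$dir/server.crt" 2>/dev/null || return 1
    # civetweb's ssl_certificate takes one PEM holding certificate and key.
    cat "$dir/server.crt" "$dir/server.key" > "$dir/rgw.pem"
}

# client_accepts DIR HOSTNAME -> 0 only if the chain verifies against
# DIR/ca.crt and HOSTNAME matches the certificate.
client_accepts() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        "$1/server.crt" >/dev/null 2>&1
}
```

<p>Here rgw.pem is the file ssl_certificate in rgw_frontends would point at, and ca.crt is the certificate to add to the trust store of the host running radosgw-admin (update-ca-trust on Red Hat distributions, as mentioned in the comment).</p>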