Bug #40013
mgr/restful: can not configure custom certificate (mimic)
Description
Unable to configure mgr/restful custom certificate on Ceph Mimic 13.2.2 (CentOS 7.6.1810)
Steps:
1. generate new certificate and key
$ openssl req -new -nodes -x509 \
    -subj "/O=IT/CN=ceph-mgr-restful" \
    -days 3650 \
    -keyout restful.key \
    -out restful.crt \
    -extensions v3_ca
2. list existing config keys:
$ ceph config-key list
[
    "config-history/1/",
    "config-history/2/",
    "config-history/2/+mgr/mgr/restful/server_port",
    "config/mgr/mgr/restful/server_port",
    "mgr/restful/controller-0/crt",
    "mgr/restful/controller-0/key",
    "mgr/restful/keys/admin"
]
(restful plugin is already configured with a self-signed certificate)
3. configure restful plugin certificate:
$ ceph config-key set mgr/restful/controller-0/crt -i restful.crt
WARNING: it looks like you might be trying to set a ceph-mgr module configuration key. Since Ceph 13.0.0 (Mimic), mgr module configuration is done with `config set`, and new values set using `config-key set` will be ignored.
set mgr/restful/controller-0/crt
4. use 'config set' instead:
$ ceph config set mgr mgr/restful/controller-0/crt -i restful.crt
Invalid command: missing required parameter value(<string>)
config set <who> <name> <value> : Set a configuration option for one or more entities
Error EINVAL: invalid command
5. use inline certificate content:
$ ceph config set mgr mgr/restful/$name/crt $(cat restful.crt)
Invalid command: unused arguments: [u'CERTIFICATE-----', ...*removed*..., u'-----END', u'CERTIFICATE-----']
config set <who> <name> <value> : Set a configuration option for one or more entities
Error EINVAL: invalid command
6. try again with a smaller (invalid) certificate value:
$ ceph config set mgr mgr/restful/$name/crt "CERTIFICATE"
... seems to work but let's check that it worked
7. list new config keys:
$ ceph config-key list
[
    "config-history/1/",
    "config-history/2/",
    "config-history/2/+mgr/mgr/restful/server_port",
    "config-history/3/",
    "config-history/3/+mgr/mgr/restful/controller-0/crt",
    "config/mgr/mgr/restful/controller-0/crt",
    "config/mgr/mgr/restful/server_port",
    "mgr/restful/controller-0/crt",
    "mgr/restful/controller-0/key",
    "mgr/restful/keys/admin"
]
Compared with the output at step 2, a new config-key was added: "config/mgr/mgr/restful/controller-0/crt", instead of replacing the already existing self-signed certificate key "mgr/restful/controller-0/crt".
There are 3 issues:
1. can not import certificate from file with "-i" option
2. config-key doesn't work with restful plugin while "config set" is writing to "config/mgr/mgr/restful/..." instead of "mgr/restful/..."
3. the self-signed certificate generated with "ceph restful create-self-signed-cert" as suggested by the documentation page (http://docs.ceph.com/docs/mimic/mgr/restful/) is tied to "ceph-restful" host name. Using it on "controller-0" host doesn't work. There is no way to configure CN when running "ceph restful create-self-signed-cert".
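A check for the outcome seen in step 7, as an added example (not part of the original report and not Ceph code): it compares two `ceph config-key list` outputs and reports keys that newly appeared under `config/<who>/` while a key with the same name still exists outside that namespace. The sample listings are constructed from steps 2 and 7; the function names and the `config/<who>/<name>` layout are assumptions read off those listings.

```python
import json

# Constructed sample input: the key listings from steps 2 and 7 of the report.
BEFORE = """["config-history/1/", "config-history/2/",
 "config-history/2/+mgr/mgr/restful/server_port",
 "config/mgr/mgr/restful/server_port",
 "mgr/restful/controller-0/crt", "mgr/restful/controller-0/key",
 "mgr/restful/keys/admin"]"""
AFTER = """["config-history/1/", "config-history/2/",
 "config-history/2/+mgr/mgr/restful/server_port",
 "config-history/3/",
 "config-history/3/+mgr/mgr/restful/controller-0/crt",
 "config/mgr/mgr/restful/controller-0/crt",
 "config/mgr/mgr/restful/server_port",
 "mgr/restful/controller-0/crt", "mgr/restful/controller-0/key",
 "mgr/restful/keys/admin"]"""

CONFIG_PREFIX = "config/"  # assumption: `config set <who> <name>` stores config/<who>/<name>


def split_config_key(key):
    """Split 'config/<who>/<name>' into (who, name); return None for other keys."""
    if not key.startswith(CONFIG_PREFIX):
        return None  # also skips 'config-history/...' entries
    who, sep, name = key[len(CONFIG_PREFIX):].partition("/")
    return (who, name) if sep and name else None


def shadowed_keys(before_json, after_json):
    """Return (new_key, old_key) pairs: a key added under config/<who>/
    whose same-named key outside that namespace is still present."""
    before = set(json.loads(before_json))
    after = set(json.loads(after_json))
    pairs = []
    for key in sorted(after - before):
        parsed = split_config_key(key)
        if parsed and parsed[1] in after:
            pairs.append((key, parsed[1]))
    return pairs


if __name__ == "__main__":
    for new_key, old_key in shadowed_keys(BEFORE, AFTER):
        print(f"{new_key} was added; {old_key} was left in place")
```

Run against real output by saving `ceph config-key list` before and after a `config set` and passing both files' contents to `shadowed_keys`.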
Updated by Daniel Badea almost 5 years ago
Found this related issue http://tracker.ceph.com/issues/39123 for mgr/dashboard
Updated by Sebastian Wagner almost 5 years ago
- Project changed from Ceph to mgr
- Category deleted (rest-api)
Updated by Sebastian Wagner almost 5 years ago
- Related to Bug #39123: mgr/dashboard: SSL certificate upload command throws deprecation warning added