Bug #40013

mgr/restful: can not configure custom certificate (mimic)

Added by Daniel Badea almost 2 years ago. Updated over 1 year ago.

Status: New
Priority: Normal
Assignee: -
Category: restful module
Target version: -
% Done: 0%
Source: Community (dev)
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature:

Description

Unable to configure mgr/restful custom certificate on Ceph Mimic 13.2.2 (CentOS 7.6.1810)

Steps:
1. generate new certificate and key

  $ openssl req -new -nodes -x509 \
          -subj "/O=IT/CN=ceph-mgr-restful" \
          -days 3650 \
          -keyout restful.key \
          -out restful.crt \
          -extensions v3_ca

2. list existing config keys:
  $ ceph config-key list

  [
    "config-history/1/",
    "config-history/2/",
    "config-history/2/+mgr/mgr/restful/server_port",
    "config/mgr/mgr/restful/server_port",
    "mgr/restful/controller-0/crt",
    "mgr/restful/controller-0/key",
    "mgr/restful/keys/admin" 
  ]

(restful plugin is already configured with a self-signed certificate)
3. configure restful plugin certificate:
  $ ceph config-key set mgr/restful/controller-0/crt -i restful.crt

  WARNING: it looks like you might be trying to set a ceph-mgr module configuration key.  Since Ceph 13.0.0 (Mimic), mgr module configuration is done with `config set`, and new values set using `config-key set` will be ignored.
  set mgr/restful/controller-0/crt

4. use 'config set' instead:
  $ ceph config set mgr mgr/restful/controller-0/crt -i restful.crt

  Invalid command: missing required parameter value(<string>)
  config set <who> <name> <value> :  Set a configuration option for one or more entities
  Error EINVAL: invalid command

5. use inline certificate content:
  $ ceph config set mgr mgr/restful/$name/crt $(cat restful.crt)

  Invalid command: unused arguments: [u'CERTIFICATE-----', ...*removed*..., u'-----END', u'CERTIFICATE-----']
  config set <who> <name> <value> :  Set a configuration option for one or more entities
  Error EINVAL: invalid command

6. try again with a smaller (invalid) certificate value:
  $ ceph config set mgr mgr/restful/$name/crt "CERTIFICATE" 

... seems to work but let's check that it worked
7. list new config keys:
  $ ceph config-key list

  [
    "config-history/1/",
    "config-history/2/",
    "config-history/2/+mgr/mgr/restful/server_port",
    "config-history/3/",
    "config-history/3/+mgr/mgr/restful/controller-0/crt",
    "config/mgr/mgr/restful/controller-0/crt",
    "config/mgr/mgr/restful/server_port",
    "mgr/restful/controller-0/crt",
    "mgr/restful/controller-0/key",
    "mgr/restful/keys/admin" 
  ]

Compared with the output at step 2, a new config-key was added: "config/mgr/mgr/restful/controller-0/crt", instead of replacing the already existing self-signed certificate key "mgr/restful/controller-0/crt".

There are 3 issues:

1. can not import certificate from file with "-i" option

2. config-key doesn't work with restful plugin while "config set" is writing to "config/mgr/mgr/restful/..." instead of "mgr/restful/..."

3. the self-signed certificate generated with "ceph restful create-self-signed-cert" as suggested by the documentation page (http://docs.ceph.com/docs/mimic/mgr/restful/) is tied to "ceph-restful" host name. Using it on "controller-0" host doesn't work. There is no way to configure CN when running "ceph restful create-self-signed-cert".
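
The host-name mismatch described in issue 3 can be checked offline with `openssl x509 -checkhost`. The script below is an added example, not part of the original report or of Ceph: it builds constructed certificates with the same `openssl req` form as step 1 and tests them against both host names. The helper names `make_cert`, `cert_matches_host` and `report` and the 30-day lifetime are assumptions, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: which host names does a certificate actually validate for?
# make_cert, cert_matches_host and report are hypothetical helper names.

# make_cert CN PREFIX [SAN_DNS]
# Constructed self-signed certificate, same "openssl req" form as step 1 of
# the report. SAN_DNS, if given, adds a subjectAltName (OpenSSL >= 1.1.1).
make_cert() {
    if [ -n "$3" ]; then
        openssl req -new -nodes -x509 -subj "/O=IT/CN=$1" -days 30 \
            -keyout "$2.key" -out "$2.crt" \
            -addext "subjectAltName=DNS:$3" 2>/dev/null
    else
        openssl req -new -nodes -x509 -subj "/O=IT/CN=$1" -days 30 \
            -keyout "$2.key" -out "$2.crt" 2>/dev/null
    fi
}

# cert_matches_host CERT HOST
# Succeeds only if openssl's host check accepts HOST for CERT. The verdict
# is read from the line openssl prints.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# report CERT HOST...: print the subject, then one verdict line per host name
report() {
    cert=$1; shift
    openssl x509 -in "$cert" -noout -subject
    for host in "$@"; do
        if cert_matches_host "$cert" "$host"; then
            echo "  $host: match"
        else
            echo "  $host: MISMATCH"
        fi
    done
}

workdir=$(mktemp -d)
# Constructed stand-in for a certificate whose CN is "ceph-restful"
make_cert ceph-restful "$workdir/default"
report "$workdir/default.crt" ceph-restful controller-0
# Certificate issued for the host that serves the API, with a matching SAN
make_cert controller-0 "$workdir/custom" controller-0
report "$workdir/custom.crt" ceph-restful controller-0
rm -rf "$workdir"
```

Once a certificate carries a DNS subjectAltName, the host check uses that entry and no longer falls back to the CN, so the SAN has to list every name clients connect to.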


Related issues

Related to mgr - Bug #39123: mgr/dashboard: SSL certificate upload command throws deprecation warning Resolved 04/05/2019

History

#1 Updated by Daniel Badea almost 2 years ago

Found this related issue http://tracker.ceph.com/issues/39123 for mgr/dashboard

#2 Updated by Sebastian Wagner almost 2 years ago

  • Project changed from Ceph to mgr
  • Category deleted (rest-api)

#3 Updated by Sebastian Wagner almost 2 years ago

  • Related to Bug #39123: mgr/dashboard: SSL certificate upload command throws deprecation warning added

#4 Updated by Sebastian Wagner over 1 year ago

  • Category set to restful module
