Bug #40013
openmgr/restful: can not configure custom certificate (mimic)
0%
Description
Unable to configure mgr/restful custom certificate on Ceph Mimic 13.2.2 (CentOS 7.6.1810)
Steps:
1. generate new certificate and key
$ openssl req -new -nodes -x509 \
-subj "/O=IT/CN=ceph-mgr-restful" \
-days 3650 \
-keyout restful.key \
-out restful.crt \
-extensions v3_ca
2. list existing config keys:
$ ceph config-key list
[
"config-history/1/",
"config-history/2/",
"config-history/2/+mgr/mgr/restful/server_port",
"config/mgr/mgr/restful/server_port",
"mgr/restful/controller-0/crt",
"mgr/restful/controller-0/key",
"mgr/restful/keys/admin"
]
(restful plugin is already configured with a self-signed certificate)
3. configure restful plugin certificate:
$ ceph config-key set mgr/restful/controller-0/crt -i restful.crt WARNING: it looks like you might be trying to set a ceph-mgr module configuration key. Since Ceph 13.0.0 (Mimic), mgr module configuration is done with `config set`, and new values set using `config-key set` will be ignored. set mgr/restful/controller-0/crt
4. use 'config set' instead:
$ ceph config set mgr mgr/restful/controller-0/crt -i restful.crt Invalid command: missing required parameter value(<string>) config set <who> <name> <value> : Set a configuration option for one or more entities Error EINVAL: invalid command
5. use inline certificate content:
$ ceph config set mgr mgr/restful/$name/crt $(cat restful.crt) Invalid command: unused arguments: [u'CERTIFICATE-----', ...*removed*..., u'-----END', u'CERTIFICATE-----'] config set <who> <name> <value> : Set a configuration option for one or more entities Error EINVAL: invalid command
6. try again with a smaller (invalid) certificate value:
$ ceph config set mgr mgr/restful/$name/crt "CERTIFICATE"
... seems to work but let's check that it worked
7. list new config keys:
$ ceph config-key list
[
"config-history/1/",
"config-history/2/",
"config-history/2/+mgr/mgr/restful/server_port",
"config-history/3/",
"config-history/3/+mgr/mgr/restful/controller-0/crt",
"config/mgr/mgr/restful/controller-0/crt",
"config/mgr/mgr/restful/server_port",
"mgr/restful/controller-0/crt",
"mgr/restful/controller-0/key",
"mgr/restful/keys/admin"
]
Compared with output at step 2 a new config-key was added: "config/mgr/mgr/restful/controller-0/crt" instead of replacing already existing self-signed certificate key "mgr/restful/controller-0/crt".
There are 3 issues:
1. can not import certificate from file with "-i" option
2. config-key doesn't work with restful plugin while "config set" is writing to "config/mgr/mgr/restful/..." instead of "mgr/restful/..."
3. the self-signed certificate generated with "ceph restful create-self-signed-cert" as suggested by the documentation page (http://docs.ceph.com/docs/mimic/mgr/restful/) is tied to "ceph-restful" host name. Using it on "controller-0" host doesn't work. There is no way to configure CN when running "ceph restful create-self-signed-cert".
Updated by Daniel Badea almost 5 years ago
Found this related issue http://tracker.ceph.com/issues/39123 for mgr/dashboard
Updated by Sebastian Wagner almost 5 years ago
- Project changed from Ceph to mgr
- Category deleted (
rest-api)
Updated by Sebastian Wagner almost 5 years ago
- Related to Bug #39123: mgr/dashboard: SSL certificate upload command throws deprecation warning added