Feature #51947

Updated by Sebastian Wagner over 2 years ago

Using v16.2.4, Ubuntu 20.04 hosts for cluster and ingress (haproxy) for RGW instances. Multisite setup with one zone group, two zones. I have a certificate issued from an intermediate CA, which chains to a trusted root. In the certificate section of the ingress.yaml file, if I only put the server certificate, I will get errors trying to replicate as the secondary cannot build the certificate chain for TLS. I put the chain certificate in the ingress spec, but after applying and checking the haproxy.cfg, the chain has been stripped out and only the server certificate is left. Same TLS errors for replication. If I inject the chain certificate directly into the haproxy.cfg (bad idea of course, as it gets overwritten), TLS works properly as the secondary can build the chain back to the root. The ingress spec should support chain certificates as haproxy already does. The format below works in haproxy: 

<pre>
ssl_cert: |                           # optional: SSL certificate and key
    -----BEGIN PRIVATE KEY-----
    Key stuff
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    Server Certificate stuff
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Intermediate CA cert stuff
    -----END CERTIFICATE-----
</pre>
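A check for the symptom reported above, as an added example that is not part of the original report or of cephadm: it compares the PEM bundle given in the ingress spec with the bundle that was actually deployed and reports any certificate that was dropped. The function names are hypothetical, and the sample blocks are constructed placeholders, not real keys or certificates.

```python
import base64
import hashlib
import re

# Matches any PEM block, including ones indented inside a YAML block scalar.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, sha256 of decoded body)] for each PEM block, in file order."""
    out = []
    for label, body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        out.append((label, hashlib.sha256(der).hexdigest()))
    return out

def dropped_certs(spec_pem, deployed_pem):
    """Certificates in the spec bundle that are missing from the deployed one.
    Returns (position in spec bundle, fingerprint) pairs."""
    deployed = {h for label, h in pem_blocks(deployed_pem) if label == "CERTIFICATE"}
    return [(i, h) for i, (label, h) in enumerate(pem_blocks(spec_pem))
            if label == "CERTIFICATE" and h not in deployed]

def check_bundle(text):
    """Problems with a bundle that should hold a key, a leaf and an intermediate."""
    labels = [label for label, _ in pem_blocks(text)]
    certs = labels.count("CERTIFICATE")
    problems = []
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no private key")
    if certs == 0:
        problems.append("no certificate")
    elif certs == 1:
        problems.append("leaf only: no intermediate CA certificate")
    return problems

def _fake(label, payload):
    # Constructed placeholder block: valid PEM framing, meaningless contents.
    b64 = base64.b64encode(payload).decode()
    return f"    -----BEGIN {label}-----\n    {b64}\n    -----END {label}-----\n"

# Constructed sample input: what the spec contains vs. what ended up deployed.
SPEC = (_fake("PRIVATE KEY", b"constructed-key")
        + _fake("CERTIFICATE", b"constructed-leaf")
        + _fake("CERTIFICATE", b"constructed-intermediate"))
DEPLOYED = (_fake("PRIVATE KEY", b"constructed-key")
            + _fake("CERTIFICATE", b"constructed-leaf"))

if __name__ == "__main__":
    print("deployed bundle:", check_bundle(DEPLOYED) or "ok")
    print("dropped from spec:", dropped_certs(SPEC, DEPLOYED))
```

With real files, pass the `ssl_cert` value from the spec and the contents of the certificate file haproxy loads; fingerprints are computed over the decoded block, so re-indentation or re-wrapping of the PEM text does not cause false differences.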
