ceph-rgw does not assign appropriate certificate
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tripleo | New | Undecided | Unassigned | |

Bug Description
When deploying ceph with tls-e, with multiple controller nodes, the ceph-rgw service uses the same backend certificate for all nodes. The problem is that the other nodes have different node names, so TLS authentication fails. The key point is that the current configuration of:
```
client.
```
it should instead be like
```
client.
```
I hit this on RDO Wallaby with Ceph 5 Pacific.
```
curl -v https://overcloud-controller-2.storage.xxx:8080/swift/healthcheck
* Trying 10.3.2.143...
* TCP_NODELAY set
* Connected to overcloud-controller-2.storage.xxx (10.3.2.143) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: O=XXX; CN=overcloud-controller-0.storage.xxx
* start date: Jan 4 09:23:38 2023 GMT
* expire date: Jan 4 09:23:38 2025 GMT
* subjectAltName does not match overcloud-controller-2.storage.xxx
* SSL: no alternative certificate subject name matches target host name 'overcloud-controller-2.storage.xxx'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, [no content] (0):
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (51) SSL: no alternative certificate subject name matches target host name 'overcloud-controller-2.storage.xxx'
```
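
Added example, not part of the original report and not TripleO or Ceph code: a small audit that checks every RGW backend against the certificate it serves and lists the nodes whose name is missing from the subjectAltName, which is the failure curl reports above. The SAN contents of the shared certificate and the helper names are assumptions made for illustration; `fetch_cert` shows how the same dict could be pulled from a live backend.

```python
import socket
import ssl


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; '*' is accepted only as the entire left-most
    label and only with at least two labels after it."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def san_dns_names(cert: dict) -> list:
    """dNSName entries from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_cert(host: str, port: int, cafile: str) -> dict:
    """Fetch a backend certificate. The chain is still verified against
    cafile; only the hostname check is deferred to audit_backends()."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit_backends(certs_by_node: dict) -> dict:
    """Return {node: SAN names served} for nodes the certificate does not name."""
    bad = {}
    for node, cert in certs_by_node.items():
        names = san_dns_names(cert)
        if not any(dns_name_matches(n, node) for n in names):
            bad[node] = names
    return bad


# Constructed sample: one certificate (issued for controller-0) served by
# both backends, as described in the report. SAN contents are assumed.
SHARED = {"subjectAltName": (("DNS", "overcloud-controller-0.storage.xxx"),)}
SAMPLE = {"overcloud-controller-0.storage.xxx": SHARED,
          "overcloud-controller-2.storage.xxx": SHARED}

if __name__ == "__main__":
    for node, names in audit_backends(SAMPLE).items():
        print(f"{node}: certificate only names {names}")
```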