ceph-rgw does not assign appropriate certificate

Bug #1992766 reported by Cristian Le
This bug affects 3 people
Affects: tripleo | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

When deploying ceph with tls-e, with multiple controller nodes, the ceph-rgw service uses the same backend certificate for all nodes. The problem is that the other nodes have different node names, so TLS authentication fails. The key point is that the current configuration of:
```
client.rgw.rgw.controller-0.nyzzol basic rgw_frontends beast ssl_endpoint=10.0.3.90:8080 ssl_certificate=config://rgw/cert/rgw.rgw
```
it should instead be like
```
client.rgw.rgw.controller-0.nyzzol basic rgw_frontends beast ssl_endpoint=10.0.3.90:8080 ssl_certificate=config://rgw/cert/rgw.rgw.controller-0.nyzzol
```
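The defect above is visible in the configuration alone: every RGW daemon's `rgw_frontends` points at the shared key `config://rgw/cert/rgw.rgw` instead of a key named after the daemon. The following lint, added here and not part of the bug report or of tripleo/ceph code, reads `ceph config dump`-style lines in the WHO LEVEL OPTION VALUE layout shown in the report (MASK empty) and flags any RGW front end whose `ssl_certificate` config-store key does not end with the daemon's own name. The second sample line (controller-1) is constructed to show a correctly configured daemon.

```python
"""Lint RGW front-end configuration for per-daemon TLS certificates.

Added example; it assumes the column layout WHO LEVEL OPTION VALUE quoted in
the bug report and the convention that a per-daemon certificate lives under a
config-store key ending in the daemon name (rgw.rgw.<host>.<id>).
"""
import re
from typing import Dict, List, Optional

# Constructed sample: line 1 is the defective configuration from the report,
# line 2 is a hypothetical second daemon that already uses its own key.
SAMPLE_DUMP = """\
client.rgw.rgw.controller-0.nyzzol basic rgw_frontends beast ssl_endpoint=10.0.3.90:8080 ssl_certificate=config://rgw/cert/rgw.rgw
client.rgw.rgw.controller-1.abcdef basic rgw_frontends beast ssl_endpoint=10.0.3.91:8080 ssl_certificate=config://rgw/cert/rgw.rgw.controller-1.abcdef
"""

LINE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<level>\S+)\s+(?P<option>\S+)\s+(?P<value>.*)$"
)


def daemon_name(who: str) -> str:
    """'client.rgw.rgw.controller-0.nyzzol' -> 'rgw.rgw.controller-0.nyzzol'."""
    return who.split(".", 1)[1] if who.startswith("client.") else who


def parse_frontends(value: str) -> Dict[str, str]:
    """Split 'beast k=v k=v ...' into a dict; the bare first token is the frontend."""
    tokens = value.split()
    opts = {"frontend": tokens[0]}
    for tok in tokens[1:]:
        key, _, val = tok.partition("=")
        opts[key] = val
    return opts


def check_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for an rgw_frontends line with a non-per-daemon cert, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("option") != "rgw_frontends":
        return None
    opts = parse_frontends(m.group("value"))
    cert = opts.get("ssl_certificate")
    if not cert or not cert.startswith("config://"):
        return None  # plain HTTP, or a file path we cannot judge from the dump
    name = daemon_name(m.group("who"))
    if cert.endswith("/" + name):
        return None  # key is already named after this daemon
    # Suggest the same key prefix with the daemon's own name appended.
    expected = cert.rsplit("/", 1)[0] + "/" + name
    return {"who": m.group("who"), "found": cert, "expected": expected}


def lint(dump: str) -> List[Dict[str, str]]:
    """Run check_line over every line of a config dump and collect findings."""
    findings = []
    for line in dump.splitlines():
        finding = check_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_DUMP):
        print(f"{f['who']}: ssl_certificate={f['found']} is shared; expected {f['expected']}")
```

Run against a real `ceph config dump`, the lint reports exactly the daemons that would present another node's certificate; the `expected` value is the per-daemon key the report says the configuration should use.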

Cyril Lopez (cylopez) wrote :

I hit this on RDO Wallaby with Ceph 5 pacific

curl -v https://overcloud-controller-2.storage.xxx:8080/swift/healthcheck
* Trying 10.3.2.143...
* TCP_NODELAY set
* Connected to overcloud-controller-2.storage.xxx (10.3.2.143) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: O=XXX; CN=overcloud-controller-0.storage.xxx
* start date: Jan 4 09:23:38 2023 GMT
* expire date: Jan 4 09:23:38 2025 GMT
* subjectAltName does not match overcloud-controller-2.storage.xxx
* SSL: no alternative certificate subject name matches target host name 'overcloud-controller-2.storage.xxx'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, [no content] (0):
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (51) SSL: no alternative certificate subject name matches target host name 'overcloud-controller-2.storage.xxx'
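The curl failure above is the client doing its job: the certificate served by controller-2 carries controller-0's name, so hostname verification rejects it. The following example, added here and not taken from the comment or from any ceph or curl code, reimplements the matching rule curl applied (dNSName SANs are consulted first, the CN only when no dNSName is present, and a wildcard may stand only for one whole leftmost label) and runs it against a certificate constructed from the subject printed in the comment. The SAN list on that constructed certificate is an assumption; curl reports only that no SAN matched.

```python
"""Check a served certificate's names against the host that was dialled.

Added example, not part of the bug report. Names are compared with the
conventional rule: subjectAltName dNSName entries win, the CN is a fallback
only when there are no dNSName entries, and '*' may replace exactly the
leftmost label of a name with at least three labels.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertNames:
    """The identity-bearing fields of an X.509 certificate we care about."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match of one certificate name against the target host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Only a whole leftmost label may be a wildcard, the pattern must keep at
    # least two fixed labels, and the wildcard covers exactly one host label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: CertNames, host: str) -> bool:
    """True if the certificate is valid for `host` under the rule above."""
    candidates = cert.san_dns if cert.san_dns else [cert.common_name]
    return any(_name_matches(name, host) for name in candidates)


def explain(cert: CertNames, host: str) -> str:
    """Human-readable verdict in the spirit of curl's diagnostic line."""
    if hostname_matches(cert, host):
        return f"OK: certificate CN={cert.common_name} is valid for {host}"
    return (f"MISMATCH: no subjectAltName or CN matches target host name "
            f"'{host}' (served certificate CN={cert.common_name})")


# Constructed from the curl output: controller-2 served controller-0's cert.
# The SAN entry is assumed; curl only reports that none matched.
SERVED_CERT = CertNames(
    common_name="overcloud-controller-0.storage.xxx",
    san_dns=["overcloud-controller-0.storage.xxx"],
)

if __name__ == "__main__":
    print(explain(SERVED_CERT, "overcloud-controller-2.storage.xxx"))
    print(explain(SERVED_CERT, "overcloud-controller-0.storage.xxx"))
```

The same check, fed the SANs of each controller's served certificate, is a quick post-deployment smoke test for the misconfiguration in this report: every node must present a certificate whose names cover its own FQDN.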
