I have an orchestrated (cephadm) ceph cluster (16.2.11) with 2 radosgw services
on 2 separate hosts without HA (i.e. no ingress/haproxy in front). Both of the
rgw servers use SSL and have a properly signed certificate. We can access them
with standard S3 tools like s3cmd, cyberduck, etc.
The problem seems to be that the Ceph mgr dashboard fails to access the RGW
API because it uses the shortname "gw01" instead of the FQDN "gw01.domain.com"
when forming the S3 signature which makes the S3 signature check fail and we
get the following error:
Error connecting to Object Gateway: RGW REST API failed request with status
code 403
(b'{"Code":"SignatureDoesNotMatch","RequestId":"tx00000521ceca28974e94b-006408e'
b'f93-454bbb4e-default","HostId":"454bbb4e-default-default"}')
It seems that the ceph mgr (which we have restarted several times) uses just
the short hostname from the inventory and I don't see how to tell it to use the
FQDN. Neither is it possible to configure the RGW to listen on an alternate
non-SSL port on the cluster private network since the service spec for RGW only
allows setting the rgw_frontend_port and rgw_frontend_type, but not the full
frontend spec (which would allow for multiple listeners).
When we did have HA (haproxy) ingress configured, we ran into issues with the
user clients getting lots of 503 errors due to some interaction between the RGW
and the haproxy so we gave up on that config and now talk directly to the RGW
over SSL which is working well.
Any suggestions?
thanks,
Wyllys Ingersoll