Hi,

if I'm not mistaken, setting a cert/key combination with

ceph dashboard set-ssl-certificate[-key] -i cert[key]

only populates these config-keys:

mgr/dashboard/crt
mgr/dashboard/key


This cert/key pair should then contain a wildcard to be applicable to all mgr daemons. If you need per-daemon cert/key pairs, you need to add more cert/key pairs like this:

ceph config-key set mgr/dashboard/{MGR1}/crt -i cert.pem
ceph config-key set mgr/dashboard/{MGR1}/key -i key.pem

ceph config-key set mgr/dashboard/{MGR2}/crt -i cert.pem
ceph config-key set mgr/dashboard/{MGR2}/key -i key.pem


We use the latter approach (not wildcard certs), but some of our customers use wildcards and it works as well.

Hope this helps!
Eugen
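
A pre-flight check for the per-daemon approach described above, as an added example that is not part of Eugen's message or of Ceph itself: it confirms that each certificate covers the mgr's hostname and that the key belongs to it, then prints the `ceph config-key set` commands without running them. The mgr names `mgr1`/`mgr2`, the helper function names and the self-signed demo certificates are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for per-mgr dashboard certs.

# cert_covers_host CERT HOST: succeeds if CERT (wildcards included) is valid for HOST.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# key_matches_cert CERT KEY: succeeds if KEY holds the private half of CERT's public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# plan_mgr_cert MGR HOST CERT KEY: print the config-key commands for one mgr,
# but only when the pair is consistent and actually covers that mgr's hostname.
plan_mgr_cert() {
    cert_covers_host "$3" "$2" || { echo "SKIP $1: $3 does not cover $2" >&2; return 1; }
    key_matches_cert "$3" "$4" || { echo "SKIP $1: $4 is not the key for $3" >&2; return 1; }
    echo "ceph config-key set mgr/dashboard/$1/crt -i $3"
    echo "ceph config-key set mgr/dashboard/$1/key -i $4"
}

# make_demo_cert NAME SAN DIR: constructed self-signed pair, for the demo only.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$3/$1.key" -out "$3/$1.crt" 2>/dev/null
}

# Demo with constructed certs; mgr names mgr1/mgr2 are placeholders.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_cert p1 podster1.mine.priv "$d"
    make_demo_cert p2 podster2.mine.priv "$d"
    plan_mgr_cert mgr1 podster1.mine.priv "$d/p1.crt" "$d/p1.key"
    plan_mgr_cert mgr2 podster2.mine.priv "$d/p2.crt" "$d/p2.key"
    # Wrong cert for the host: rejected instead of being stored.
    plan_mgr_cert mgr2 podster2.mine.priv "$d/p1.crt" "$d/p1.key" || :
    rm -rf "$d"
}
demo
```

A wildcard certificate passes `cert_covers_host` for every mgr hostname it spans, which matches the single `mgr/dashboard/crt` / `mgr/dashboard/key` case.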


Quoting lejeczek <pelj...@yahoo.co.uk>:

Hi guys.

I thought I had a problem with restarting the dashboard - following the docs on SSL certs. But! I might have another issue - restarting the dashboard does what is expected of it - but, with these:

-> $ ceph dashboard set-ssl-certificate-key podster2.mine.priv -i /root/podster2.mine.priv.key
-> $ ceph dashboard set-ssl-certificate podster2.mine.priv -i /root/podster2.mine.priv.crt
-> $ ceph dashboard set-ssl-certificate-key podster1.mine.priv -i /root/podster1.mine.priv.key
-> $ ceph dashboard set-ssl-certificate podster1.mine.priv -i /root/podster1.mine.priv.crt

If I go to podster2 I get podster1's cert, perhaps these do not do anything,

If I do:
-> $ ceph dashboard set-ssl-certificate -i /root/podster2.mine.priv.crt
-> $ ceph dashboard set-ssl-certificate-key -i /root/podster2.mine.priv.key
then podster1 has podster2's cert - naturally - but (weirdly?) if I go to podster2 (by FQDN) then I get redirected to IP (as in URL) of
when I do:
-> $ ceph dashboard set-ssl-certificate -i /root/podster1.mine.priv.crt
-> $ ceph dashboard set-ssl-certificate-key -i /root/podster1.mine.priv.key
and I go to podster2 then, no redirection, "only" warning about cert being of podster1's, podster1 has a good cert!

If I do (again) - having podster1 have "correct" cert, with no per-node/manager cert - per-node/mgr cert, as shown earlier, then.. again, podster1 has its correct cert, podster2 has podster1's cert (no ! redirection to IP though).

How much of an "issue" might this be - given the fact that I deployed a new cluster twice (lab) - and this reproduces each time. Or, I'm missing some obvious, big picture - and it's simply bad luck, deploying the cluster twice.

ceph version 18.2.7 (6b0e988052ec84cf2d4a54ff9bbbc5e720b621ad) reef (stable)
all thoughts are much appreciated.
many thanks, L.
_______________________________________________
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to ceph-users-le...@ceph.io