Hi,
if I'm not mistaken, setting a cert/key combination with
ceph dashboard set-ssl-certificate[-key] -i cert[key]
only populates these config-keys:
mgr/dashboard/crt
mgr/dashboard/key
This cert/key pair should then contain either a wildcard to be
applicable to all mgr daemons. If you need per daemon cert/key pairs,
you need to add more cert/key pairs like this:
ceph config-key set mgr/dashboard/{MGR1}/crt -i cert.pem
ceph config-key set mgr/dashboard/{MGR1}/key -i key.pem
ceph config-key set mgr/dashboard/{MGR2}/crt -i cert.pem
ceph config-key set mgr/dashboard/{MGR2}/key -i key.pem
We use the latter approach (not wildcard certs), but some of our
customers use wildcards and it works as well.
Hope this helps!
Eugen
Quoting lejeczek <pelj...@yahoo.co.uk>:
Hi guys.
I thought I had a problem with restarting dashboard - following in
docs on ssl certs.
But ! I might have other issue - restarting dashboard does what is
expected of - but, with these:
-> $ ceph dashboard set-ssl-certificate-key podster2.mine.priv -i
/root/podster2.mine.priv.key
-> $ ceph dashboard set-ssl-certificate podster2.mine.priv -i
/root/podster2.mine.priv.crt
-> $ ceph dashboard set-ssl-certificate-key podster1.mine.priv -i
/root/podster1.mine.priv.key
-> $ ceph dashboard set-ssl-certificate podster1.mine.priv -i
/root/podster1.mine.priv.crt
If I go to podster2 I get podster1's cert, perhaps these do not do anything,
If I do:
-> $ ceph dashboard set-ssl-certificate -i /root/podster2.mine.priv.crt
-> $ ceph dashboard set-ssl-certificate-key -i /root/podster2.mine.priv.key
then podster1 has podster2's cert - naturally - but (weirdly?) if I go
to podster2 (by FQDN) then I get redirected to IP (as in URL) of
when I do:
-> $ ceph dashboard set-ssl-certificate -i /root/podster1.mine.priv.crt
-> $ ceph dashboard set-ssl-certificate-key -i /root/podster1.mine.priv.key
and I go to podster2 then, no redirection, "only" warning about cert
being of podster1's, podster1 has a good cert!
If I do (again) - having podster1 have "correct" cert, with no
per-node/manager cert - per-node/mgr cert, as shown earlier, then..
again, podster1 has its correct cert, podster2 has podster1's cert
(no ! redirection to IP though).
How much of an "issue" this might be - given the fact that I
deployed anew cluster twice (lab) - and this reproduces each time.
Or, I'm missing some obvious, big picture - and it's simply bad
luck, deploying cluster twice.
ceph version 18.2.7 (6b0e988052ec84cf2d4a54ff9bbbc5e720b621ad) reef (stable)
all thoughts are much appreciated.
many thanks, L.
_______________________________________________
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to ceph-users-le...@ceph.io
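An added example, not written by either poster and not Ceph project code: a dry-run shell helper for the per-mgr config-key approach described in the reply above. It checks that the key belongs to the cert, that the cert covers the name clients connect to, and that it is not about to expire, then prints the two `ceph config-key set` commands instead of running them. The function name, its arguments and its return codes are assumptions of this sketch, and it needs `openssl` in PATH.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of Ceph).
# usage: emit_mgr_cert_cmds MGR_ID FQDN CERT KEY
#   MGR_ID  mgr daemon name used in the config-key path ({MGR1} in the mail)
#   FQDN    name browsers use to reach that mgr's dashboard
# returns: 0 ok, 1 unreadable/unparsable input, 2 key/cert mismatch,
#          3 cert does not cover FQDN, 4 cert expires within 24 hours
emit_mgr_cert_cmds() {
    mgr_id=$1; fqdn=$2; cert=$3; key=$4

    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "unreadable cert or key for $mgr_id" >&2
        return 1
    fi

    # 1. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key $key does not match cert $cert" >&2
        return 2
    fi

    # 2. The cert must cover the name clients use (SAN, wildcard or CN).
    #    A cert issued for another mgr fails here, before it is stored.
    if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null |
            grep -q 'does match'; then
        echo "cert $cert is not valid for $fqdn" >&2
        return 3
    fi

    # 3. Reject a cert that is expired or expires within the next 24 hours.
    if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "cert $cert is expired or expires within 24h" >&2
        return 4
    fi

    # Dry run: print the per-mgr commands from the mail for review.
    printf 'ceph config-key set mgr/dashboard/%s/crt -i %s\n' "$mgr_id" "$cert"
    printf 'ceph config-key set mgr/dashboard/%s/key -i %s\n' "$mgr_id" "$key"
}
```

Call it once per mgr and run the printed commands only when every call returns 0.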