then my problem was different. v20 did introduce python subprocesses, py03.

On 5/27/26 07:13, Iztok Gregori via ceph-users wrote:
Hi!

On 26/05/26 18:16, C U via ceph-users wrote:
fqdn on the dashboard needs working certificate validation.

"Squid did cert work inline → bad cert raised crypto.Error → caught and rewrapped as ServerConfigException cleanly. Tentacle does cert work via a subprocess; failures can now come from (a) the fork itself, (b) PyO3 init crashing in the child (the documented subinterpreter collision), or (c) genuine cert errors marshalled back as JSON. When (b) happens, the dashboard module's cert provisioning never completes, the module ends up half-initialized, and downstream dashboard→RGW calls fail with SignatureDoesNotMatch because the dashboard is operating without properly loaded credentials/sigv4 plumbing."

In this context you mean the validation of the certificate built around the FQDN of the RGW VIP, right?

The certificate in question is a public one, the CA is correctly installed in the system paths, an "openssl s_client -showcerts -connect vip.domain.com:443" shows no error (verify: return 1) and has the correct FQDN. I executed the openssl command within the active MGR container.

Is there another location where the CA should be (if the problem is indeed the certificate validation)?

Cheers
Iztok









On 5/23/26 17:54, Eugen Block via ceph-users wrote:
Hi,

I might be wrong, but I don't think it's a cert issue. If you look in the mgr log, do you see more information than just the SignatureDoesNotMatch error?

Could it be mismatching dashboard-rgw-api settings? Have you checked these settings?

ceph dashboard get-rgw-api-admin-resource

ceph dashboard get-rgw-api-access-key

ceph dashboard get-rgw-api-secret-key

They should match with:

radosgw-admin user info --uid dashboard | jq -r '.keys'

But as I wrote, it might be something else, I would expect the mgr log to contain more details.

Regards
Eugen

Quoting Iztok Gregori via ceph-users <[email protected]>:

Hi to all!

After upgrading my cluster from squid to tentacle (now on 20.2.1) I'm getting the following error when I try to access any 'page' in the Object section of the Ceph Dashboard:

Error connecting to Object Gateway: RGW REST API failed request with status code 403 (b'{"Code":"SignatureDoesNotMatch","Message":"","RequestId":"tx0000000b5bf42356' b'85174-006a0d95b0-308299-eros","HostId":"308299-zone-default"}')

I'm pretty sure that in Squid it was working (I don't usually access the Dashboard, but I did after the upgrade to check if everything is ok).

The error 'SignatureDoesNotMatch' leads me to believe that there is a problem somewhere with the SSL certificates. But I put RGW_API_SSL_VERIFY to false...

I have an SSL certificate (issued by harica.gr) which has different SANs including the hostname of all the nodes where RGW daemon is running (plus a cluster hostname and a wildcard hostname). I used this certificate for the ingress service and for the rgw daemons. Everything is done with a spec file using ceph orchestrator. I'm using the fullchain for the certificates and the rgw/ingress services are running without any problem.

Or I'm completely wrong and the problem itself is with the access permissions (error code 403)?

Any ideas?

Thanks
Iztok

--
Iztok Gregori
ICT Systems and Services
Elettra - Sincrotrone Trieste S.C.p.A.
_______________________________________________
ceph-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]

