No, I don't have any explicit ssl enabled in the rgw site.

Now you might be running into http://tracker.ceph.com/issues/7796 . So check if you have enabled

WSGIChunkedRequest On

in your keystone virtualhost setup (explained in the issue).

Cheers

Mark

On 10/10/14 11:03, lakshmi k s wrote:

Right, I have these certs on both nodes - keystone node and rgw gateway node. Not sure where I am going wrong. And what about SSL? Should the following be in rgw.conf in gateway node? I am not using this as it was optional.

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
SetEnv SERVER_PORT_SECURE 443

On Thursday, October 9, 2014 2:48 PM, Mark Kirkwood <[email protected]> wrote:

Almost - the converted certs need to be saved on your *rgw* host in nss_db_path (default is /var/ceph/nss but wherever you have it configured should be ok). Then restart the gateway.

What is happening is the rgw needs these certs to speak with encryption to the keystone server (the latter does not need anything changed, as it is already using encryption).

Regards

Mark

On 10/10/14 08:31, lakshmi k s wrote:
> Thanks Mark. I got past this error being root. So essentially, I copied
> the certs from openstack controller node to gateway node. Did the
> conversion using certutil and copied the files back to controller node
> under /var/lib/ceph/nss directory. Is this the correct directory? Ceph
> doc says /var/ceph/nss though.
>
> But after this, I tried to use curl GET command, but in vain. Same old
> 401 - Authorization failure.
>
> curl -i -X GET http://gateway.ex.com/swift/v1/AUTH_bad9e2232b304f89acb03436635b80cc -H "X-Auth-Token: a510edb22f074946940cd4c07aafcd9d"
>
> HTTP/1.1 401 Unauthorized
> Date: Thu, 09 Oct 2014 19:17:31 GMT
> Server: Apache/2.4.7 (Ubuntu)
> Accept-Ranges: bytes
> Content-Length: 12
> Content-Type: text/plain; charset=utf-8
> AccessDeniedroot
>
> Not much difference in radosgw logs too. Note that the token used above
> is same one in ceph.conf file too. Please help.
>
> [client.radosgw.gateway]
> rgw keystone url = http://192.0.8.2:5000
> rgw keystone admin token = a510edb22f074946940cd4c07aafcd9d
> rgw keystone accepted roles = admim Member _member_ swiftoperator
> rgw keystone token cache size = 500
> rgw keystone revocation interval = 500
> rgw s3 auth use keystone = false
> nss db path = /var/lib/ceph/nss
> debug rgw = 20
> host = gateway
> keyring = /etc/ceph/ceph.client.radosgw.keyring
> rgw socket path = /var/run/ceph/ceph.radosgw.gateway.fastcgi.sock
> log file = /var/log/ceph/client.radosgw.gateway.log
> rgw dns name = gateway
>
> On Thursday, October 9, 2014 1:15 AM, Mark Kirkwood <[email protected]> wrote:
>
> I ran into this - needed to actually be root via sudo -i or similar,
> *then* it worked. Unhelpful error message is I think referring to no
> initialized db.
>
> On 09/10/14 16:36, lakshmi k s wrote:
> > Good workaround. But it did not work. Not sure what this error is all
> > about now.
> >
> > gateway@gateway:~$ openssl x509 -in /home/gateway/ca.pem -pubkey | certutil -d /var/lib/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
> > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> > certificate/key database is in an old, unsupported format.
> >
> > On Wednesday, October 8, 2014 7:55 PM, Mark Kirkwood <[email protected]> wrote:
> >
> > As a workaround check if your rgw host has openssl and certutil
> > installed, if so you can copy the relevant unconverted certs over to it
> > and convert 'em there.
> >
> > On 09/10/14 15:07, lakshmi k s wrote:
> > > Tried aptitude as well, but no luck.
> > >
> > > Ceph users, have you tried to install libnss3-tools or certutil tool on
> > > debian/ubuntu? If so, how did you go about this problem.
> > >
> > > On Wednesday, October 8, 2014 7:01 PM, Mark Kirkwood <[email protected]> wrote:
> > >
> > > Ok, so that is the thing to get sorted. I'd suggest posting the error(s)
> > > you are getting perhaps here (someone else might know), but definitely
> > > to one of the Debian specific lists.
> > >
> > > In the meantime perhaps try installing the packages with aptitude rather
> > > than apt-get - if there is some fancy footwork required it is fairly
> > > smart about what needs to be done.
> > >
> > > Cheers
> > >
> > > Mark
> > >
> > > On 09/10/14 14:38, lakshmi k s wrote:
> > > > Thanks Mark. I have been trying to install this on controller node. But
> > > > for some reason, I am unable to install certutil or libnss3-tools on
> > > > debian. I am not sure how to proceed.
_______________________________________________
ceph-users mailing list
[email protected]
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
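
The thread turns on whether the converted certificates actually sit in the directory that `nss db path` names on the rgw host (the posts mention both /var/ceph/nss and /var/lib/ceph/nss). The check below is an added example, not part of the thread or of Ceph: it reads that option from a ceph.conf section and reports whether the directory holds an NSS database. The function names are hypothetical, the sample configuration is constructed, and the file names are the standard NSS ones (cert8.db/key3.db for the dbm format, cert9.db/key4.db for the sql format).

```python
import configparser
import os

# NSS keeps certificates in one of two on-disk formats.
NSS_DB_SETS = {"dbm": ("cert8.db", "key3.db"), "sql": ("cert9.db", "key4.db")}

def rgw_options(conf_text, section="client.radosgw.gateway"):
    """Parse one ceph.conf section; 'nss db path' and 'nss_db_path' are unified."""
    # ceph.conf keys are often indented, which configparser would read as
    # continuation lines, so strip every line first.
    text = "\n".join(line.strip() for line in conf_text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(text)
    return {k.replace("_", " "): v.strip() for k, v in cp[section].items()}

def check_nss_db(conf_text, section="client.radosgw.gateway"):
    """Check that the section's nss db path holds a readable NSS database."""
    path = rgw_options(conf_text, section).get("nss db path")
    result = {"path": path, "format": None, "problem": None}
    if not path:
        result["problem"] = "nss db path not set"
    elif not os.path.isdir(path):
        result["problem"] = "directory missing"
    else:
        present = set(os.listdir(path))
        for fmt, files in NSS_DB_SETS.items():
            if present.issuperset(files):
                result["format"] = fmt
                bad = [f for f in files if not os.access(os.path.join(path, f), os.R_OK)]
                if bad:
                    result["problem"] = "unreadable: " + ", ".join(bad)
                break
        else:
            result["problem"] = "no NSS database files"
    return result

if __name__ == "__main__":
    # Constructed sample, not the poster's full configuration.
    sample = """
    [client.radosgw.gateway]
        rgw keystone url = http://192.0.8.2:5000
        nss db path = /var/lib/ceph/nss
    """
    print(check_nss_db(sample))
```

Run it on the gateway host as the account the radosgw process runs under, since the readability check applies to the calling user.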
