)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"b93ac5c08975bab50b0f2dca3abf28a113a9c721","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"f8a91a4a_9ad29676","updated":"2023-08-26 20:51:20.000000000","message":"it is obvious when using self-signed certificates we need some manipulations with CA files for deploy. this is related not only for radosgw.","commit_id":"a86bae7a2d306e28beeb61045e60f4138f70ee25"}],"doc/source/reference/storage/external-ceph-guide.rst":[{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"0dba29ce3c475ca89174b242358921709d7d1716","unresolved":true,"context_lines":[{"line_number":292,"context_line":"setting ``ceph_rgw_swift_account_in_url`` to ``true``. This should match the"},{"line_number":293,"context_line":"``rgw_swift_account_in_url`` configuration option in Ceph RadosGW."},{"line_number":294,"context_line":""},{"line_number":295,"context_line":"Ceph may encounter issues if SSL certificates are used.  If self-signed"},{"line_number":296,"context_line":"certificates are used, verify that they are added to the local certificate"},{"line_number":297,"context_line":"authority. In Ubuntu, for example, this would be copying the certificates in"},{"line_number":298,"context_line":"``/etc/kolla/certificates/private/`` to ``/usr/local/share/ca-certificates/``"},{"line_number":299,"context_line":"and issue the ``update-ca-certificates`` command. 
Or if debugging, you can"},{"line_number":300,"context_line":"temporarily disable SSL verification by setting `rgw_verify_ssl` to false."},{"line_number":301,"context_line":""},{"line_number":302,"context_line":"The ceph configurations should be set for all of the ceph rgw clients found"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9dcf299d_6389cd75","line":299,"range":{"start_line":295,"start_character":0,"end_line":299,"end_character":49},"updated":"2022-05-16 08:54:59.000000000","message":"Are you sure that does the trick? I think cephadm is running services in containers, are they bind mounting those dirs or something similar?","commit_id":"a86bae7a2d306e28beeb61045e60f4138f70ee25"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"a296e99eab16df3fdbeab33d3e37eb55e7101115","unresolved":true,"context_lines":[{"line_number":292,"context_line":"setting ``ceph_rgw_swift_account_in_url`` to ``true``. This should match the"},{"line_number":293,"context_line":"``rgw_swift_account_in_url`` configuration option in Ceph RadosGW."},{"line_number":294,"context_line":""},{"line_number":295,"context_line":"Ceph may encounter issues if SSL certificates are used.  If self-signed"},{"line_number":296,"context_line":"certificates are used, verify that they are added to the local certificate"},{"line_number":297,"context_line":"authority. In Ubuntu, for example, this would be copying the certificates in"},{"line_number":298,"context_line":"``/etc/kolla/certificates/private/`` to ``/usr/local/share/ca-certificates/``"},{"line_number":299,"context_line":"and issue the ``update-ca-certificates`` command. 
Or if debugging, you can"},{"line_number":300,"context_line":"temporarily disable SSL verification by setting `rgw_verify_ssl` to false."},{"line_number":301,"context_line":""},{"line_number":302,"context_line":"The ceph configurations should be set for all of the ceph rgw clients found"}],"source_content_type":"text/x-rst","patch_set":2,"id":"651f8a54_ea8c09f2","line":299,"range":{"start_line":295,"start_character":0,"end_line":299,"end_character":49},"in_reply_to":"4b978fa3_27bd3072","updated":"2022-05-31 08:30:02.000000000","message":"Even if this fixes an issue (would be nice to see details of the issue being fixed), /etc/kolla/certificates/private/ is not the correct location to find the CA cert. It might be in /etc/kolla/certificates/ca/ if you are copying it to the kolla containers, but it might not.\n\nAlso, /etc/kolla/certificates/ca/ would be on the Ansible control host. Which host(s) need to trust the CA to fix your issue?","commit_id":"a86bae7a2d306e28beeb61045e60f4138f70ee25"},{"author":{"_account_id":20451,"name":"James","email":"James.o.benson@gmail.com","username":"JamesOBenson"},"change_message_id":"efa1c3e18a1a9901490188d2c1a4a754451491e2","unresolved":true,"context_lines":[{"line_number":292,"context_line":"setting ``ceph_rgw_swift_account_in_url`` to ``true``. This should match the"},{"line_number":293,"context_line":"``rgw_swift_account_in_url`` configuration option in Ceph RadosGW."},{"line_number":294,"context_line":""},{"line_number":295,"context_line":"Ceph may encounter issues if SSL certificates are used.  If self-signed"},{"line_number":296,"context_line":"certificates are used, verify that they are added to the local certificate"},{"line_number":297,"context_line":"authority. 
In Ubuntu, for example, this would be copying the certificates in"},{"line_number":298,"context_line":"``/etc/kolla/certificates/private/`` to ``/usr/local/share/ca-certificates/``"},{"line_number":299,"context_line":"and issue the ``update-ca-certificates`` command. Or if debugging, you can"},{"line_number":300,"context_line":"temporarily disable SSL verification by setting `rgw_verify_ssl` to false."},{"line_number":301,"context_line":""},{"line_number":302,"context_line":"The ceph configurations should be set for all of the ceph rgw clients found"}],"source_content_type":"text/x-rst","patch_set":2,"id":"65a6cafa_1a79cfbf","line":299,"range":{"start_line":295,"start_character":0,"end_line":299,"end_character":49},"in_reply_to":"651f8a54_ea8c09f2","updated":"2022-05-31 16:26:06.000000000","message":"Hi, the problem is with Ceph not being a Kolla container, so certificates are not copied to the container (these are self-signed certs made from Kolla) and consequently SSL certificate issues arise.  The easiest way to solve this problem is to make the host recognize the certificates locally, that way Ceph will also recognize them regardless of how Ceph is installed (Podman, Docker, Ansible, etc). In my installation, I have TLS enabled in everything with Kolla (see below my TLS options):\n\n`kolla_enable_tls_internal: \"yes\"\nkolla_enable_tls_external: \"yes\"\nkolla_enable_tls_backend: \"tes\"\nrabbitmq_enable_tls: \"yes\"\nkolla_copy_ca_into_containers: \"yes\"\nopenstack_cacert: \"{{{{ \u0027/etc/pki/tls/certs/ca-bundle.crt\u0027 if kolla_enable_tls_external \u003d\u003d \u0027yes\u0027 else \u0027\u0027 }}}}\"\n`\n\nWith regards to the cert file location, \u0027/etc/kolla/certificates/ca/root.crt\u0027 and \u0027/etc/kolla/certificates/private/root/root.crt\u0027 are identical. Depending on what TLS is enabled for the end-user, they may need to import additional SSL certificates.  
Importing only the root.crt did not work for me, which is why I referenced the private folder instead of the ca folder. The private folder has the benefit of containing not only the root folder but also the internal, external, and backend certificate folders.  It may be possible to import only a subset of the certificates, but I didn\u0027t want to explicitly tell users to import a certificate that they do not have or use.","commit_id":"a86bae7a2d306e28beeb61045e60f4138f70ee25"},{"author":{"_account_id":20451,"name":"James","email":"James.o.benson@gmail.com","username":"JamesOBenson"},"change_message_id":"1cf7d6038c56c9e2f34bf5f670c4dd28d80aba16","unresolved":true,"context_lines":[{"line_number":292,"context_line":"setting ``ceph_rgw_swift_account_in_url`` to ``true``. This should match the"},{"line_number":293,"context_line":"``rgw_swift_account_in_url`` configuration option in Ceph RadosGW."},{"line_number":294,"context_line":""},{"line_number":295,"context_line":"Ceph may encounter issues if SSL certificates are used.  If self-signed"},{"line_number":296,"context_line":"certificates are used, verify that they are added to the local certificate"},{"line_number":297,"context_line":"authority. In Ubuntu, for example, this would be copying the certificates in"},{"line_number":298,"context_line":"``/etc/kolla/certificates/private/`` to ``/usr/local/share/ca-certificates/``"},{"line_number":299,"context_line":"and issue the ``update-ca-certificates`` command. 
Or if debugging, you can"},{"line_number":300,"context_line":"temporarily disable SSL verification by setting `rgw_verify_ssl` to false."},{"line_number":301,"context_line":""},{"line_number":302,"context_line":"The ceph configurations should be set for all of the ceph rgw clients found"}],"source_content_type":"text/x-rst","patch_set":2,"id":"4b978fa3_27bd3072","line":299,"range":{"start_line":295,"start_character":0,"end_line":299,"end_character":49},"in_reply_to":"9dcf299d_6389cd75","updated":"2022-05-16 15:38:08.000000000","message":"Yes, without issuing that command, I would get SSL cert errors.  Once updated, I could communicate properly.","commit_id":"a86bae7a2d306e28beeb61045e60f4138f70ee25"}]}
