Switch from legacy ssl_* to certificates relation fails
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ceph RADOS Gateway Charm | New | Undecided | Unassigned |
Bug Description
juju: 2.7.3
ceph-radosgw: 14.2.8
charm-ceph-radosgw: 289
Starting with a working ceph-radosgw unit configured with ssl_cert and ssl_key containing base64-encoded PEM and port=443, I attempted the following:
juju config ceph-radosgw --reset ssl_cert,ssl_key
juju add-relation ceph-radosgw:
(aside: the first step did not successfully remove SSL...)
Attempting to use ceph-radosgw results in certificate errors (previous cert was self-signed) when attempting e.g. 'openstack container list' and problems using dashboard (horizon) whose logs also show certificate validation issues. Further investigation found that the server certificate had not changed; it was still using the old cert/key.
The unit logs contain...
2020-06-23 11:17:32 DEBUG juju-log Writing file /etc/apache2/
2020-06-23 11:17:33 DEBUG juju-log Writing file /etc/apache2/
... from the original ssl_* configuration, and...
2020-06-29 15:02:26 DEBUG juju-log certificates:83: Writing file /etc/apache2/
2020-06-29 15:02:26 DEBUG juju-log certificates:83: Writing file /etc/apache2/
... for the certificates relation attempt. (full log excerpt of the latter attempt attached)
Unsurprisingly, then:
ubuntu@
total 20
-rw-r----- 1 root root 1809 Jun 23 11:17 cert_172.18.2.7
-rw-r----- 1 root root 4626 Jun 29 15:02 cert_juju-
-rw-r----- 1 root root 3276 Jun 23 11:17 key_172.18.2.7
-rw-r----- 1 root root 1708 Jun 29 15:02 key_juju-
But...
ubuntu@
SSLCertific
SSLCertific
SSLCertific