MicroCeph How To, 1
This is the first draft of a how-to written in the context of the Canonical Open Documentation Academy (CODA).
How to enable SSL/TLS for Ceph's RADOS GateWay (RGW)
This guide will demonstrate how to set up an SSL/TLS endpoint for accessing a MicroCeph single node installation through the RGW component.
You will need:
a MicroCeph single node installation. This will have RGW enabled.
a valid TLS certificate. Using one of three main methods (self-signed certificate, Let's Encrypt, external/commercial CA), you will obtain a domain.key and a domain.crt file, which we will use below. (If you don't have your own certificate, see Step 0 for a convenient option.)
Step 0: Getting a TLS certificate with Certbot
Install Certbot
Certbot is a command line utility which makes acquiring and renewing SSL certificates from Let's Encrypt an easy, free and automated process. You can install Certbot with the snap or apt package manager.
To install Certbot with snap:
sudo snap install certbot --classic
Or apt:
sudo apt-get install certbot python3-certbot-apache -y
Get a certificate
In the following command, replace the placeholders with your domain and valid email address (for certificate renewals).
sudo certbot certonly --manual \
--preferred-challenges dns \
-d s3.yourdomain.com \
-m your-email@example.com \
--agree-tos
You will be asked to set a DNS record in order to verify ownership of your domain.
Please deploy a DNS TXT record under the name:
_acme-challenge.s3.yourdomain.com.
with the following value:
MKc2mNJmrOuZ5-6zcxnD3NUCb_0w_mRG8bOPIA8K66w
Your certificate should be automatically issued and downloaded.
Step 1: Disabling RGW
If you try enabling RGW when it is already enabled, you will get the following error:
Error: failed placing service rgw: host failed hospitality checks
for rgw enablement: rgw service already active on host
So, if you followed the above guide to set up your MicroCeph node, you first need to run:
sudo microceph disable rgw
Step 2: Enabling RGW with your certificate
The enable command expects the base64-encoded contents of the certificate and key files, not their paths. The following command does the encoding inline; substitute the actual paths to your certificate and key.
sudo microceph enable rgw \
--ssl-certificate "$(base64 -w0 ./domain.crt)" \
--ssl-private-key "$(base64 -w0 ./domain.key)"
If your port 443 is already in use, you can specify a different SSL port:
sudo microceph enable rgw \
--ssl-port 7443 \
--ssl-certificate "$(base64 -w0 ./domain.crt)" \
--ssl-private-key "$(base64 -w0 ./domain.key)"
Step 3 (optional): Verifying the configuration
You can check your configuration with the following command:
cat /var/snap/microceph/current/conf/radosgw.conf
The output should be similar to this, with your own IP address and port number:
# Generated by MicroCeph, DO NOT EDIT.
[global]
mon host = [IP ADDRESS]
run dir = /var/snap/microceph/1601/run
auth allow insecure global id reclaim = false
[client.radosgw.gateway]
rgw init timeout = 1200
rgw frontends = beast ssl_port=7443 ssl_certificate=/var/snap/microceph/common/server.crt ssl_private_key=/var/snap/microceph/common/server.key
Step 4: Connecting to your endpoint
You can now use your chosen domain name to access your S3 endpoint over HTTPS.
$ curl https://s3.yourdomain.com:7443
<?xml version="1.0" encoding="UTF-8"?><ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>anonymous</ID></Owner><Buckets></Buckets></ListAllMyBucketsResult>#
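As an added example (not part of this how-to or of MicroCeph itself), the script below runs preflight checks on the domain.crt/domain.key pair from Step 2 before it is base64-encoded and passed to microceph enable rgw: it confirms the key belongs to the certificate, that the subjectAltName covers the RGW hostname, and that the certificate is not about to expire. It assumes openssl and GNU coreutils (base64 -w0) are installed; the s3.example.test certificate and the spare key it generates are constructed for the demonstration only.

```shell
#!/usr/bin/env bash
# Added example, not part of the MicroCeph docs: preflight checks on the
# certificate/key pair before handing it to `microceph enable rgw`.
# Assumes openssl and GNU coreutils (base64 -w0) are available.
set -eu
# "ok" when the private key belongs to the certificate (identical public key).
cert_key_match() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null || true)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] && echo ok || echo mismatch
}
# "ok" when subjectAltName lists the exact DNS name RGW will be reached at
# (a wildcard entry such as *.yourdomain.com is reported as no-san here).
cert_covers_domain() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qFw "DNS:$2" \
    && echo ok || echo no-san
}
# "ok" when the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1 \
    && echo ok || echo expiring
}
# Prints (does not run) the enable command from Step 2, with both files
# base64-encoded on a single line as the --ssl-* flags expect.
enable_cmd() {
  printf 'sudo microceph enable rgw --ssl-port %s --ssl-certificate "%s" --ssl-private-key "%s"\n' \
    "$3" "$(base64 -w0 "$1")" "$(base64 -w0 "$2")"
}
# Runs all three checks for cert $1, key $2, domain $3; succeeds only if all pass.
preflight() {
  local m s v
  m=$(cert_key_match "$1" "$2"); s=$(cert_covers_domain "$1" "$3"); v=$(cert_valid_for_days "$1" 14)
  printf 'key matches cert: %s\nSAN covers %s: %s\nvalid 14+ days: %s\n' "$m" "$3" "$s" "$v"
  [ "$m$s$v" = okokok ]
}

# Constructed demo material: a throwaway self-signed cert for s3.example.test
# and an unrelated key, so both a passing and a failing check are visible.
demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj '/CN=s3.example.test' \
  -addext 'subjectAltName=DNS:s3.example.test' \
  -keyout "$demo_dir/domain.key" -out "$demo_dir/domain.crt" 2>/dev/null
openssl genpkey -algorithm RSA -out "$demo_dir/other.key" 2>/dev/null
if preflight "$demo_dir/domain.crt" "$demo_dir/domain.key" s3.example.test; then
  enable_cmd "$demo_dir/domain.crt" "$demo_dir/domain.key" 7443
fi
echo "wrong key: $(cert_key_match "$demo_dir/domain.crt" "$demo_dir/other.key")"
```

Point the three check functions at your real domain.crt, domain.key and hostname; only when preflight succeeds is the printed command worth running on the node.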