1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
2 | From: Max Carrara <m.carrara@proxmox.com> | |
3 | Date: Thu, 4 Jan 2024 17:37:50 +0100 | |
4 | Subject: [PATCH] mgr/dashboard: remove ability to create and check TLS | |
5 | key/cert pairs | |
6 | ||
7 | In order to avoid running into PyO3-related issues [0] with PyOpenSSL, | |
8 | the ability to create self-signed certs is disabled - the command | |
9 | `ceph dashboard create-self-signed-cert` is made to always return an | |
10 | error. | |
11 | ||
12 | The command's error message contains the manual steps the user may | |
13 | follow in order to set the certificate themselves, as well as a link | |
14 | to the Ceph Dashboard documentation regarding TLS support. [1] | |
15 | ||
16 | Furthermore, the check on start-up, that verifies that the configured | |
17 | key/cert pair actually match, is also removed. This means that users | |
18 | need to ensure themselves that the correct pair is supplied - | |
19 | otherwise their browser will complain. | |
20 | ||
21 | These changes allow the dashboard to launch with TLS enabled again. | |
22 | ||
23 | [0]: https://tracker.ceph.com/issues/63529 | |
24 | [1]: https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support | |
25 | ||
26 | Signed-off-by: Max Carrara <m.carrara@proxmox.com> | |
27 | --- | |
28 | src/pybind/mgr/dashboard/module.py | 41 ++++++++++++++++++++---------- | |
29 | 1 file changed, 27 insertions(+), 14 deletions(-) | |
30 | ||
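diff --git a/src/pybind/mgr/dashboard/module.py b/src/pybind/mgr/dashboard/module.py
index 68725be6e35..9db55a3ee93 100644
--- a/src/pybind/mgr/dashboard/module.py
+++ b/src/pybind/mgr/dashboard/module.py
@@ -23,8 +23,7 @@ if TYPE_CHECKING:
 
 from mgr_module import CLIReadCommand, CLIWriteCommand, HandleCommandResult, \
 MgrModule, MgrStandbyModule, NotifyType, Option, _get_localized_key
-from mgr_util import ServerConfigException, build_url, \
-create_self_signed_cert, get_default_addr, verify_tls_files
+from mgr_util import ServerConfigException, build_url, get_default_addr
 
 from . import mgr
 from .controllers import Router, json_error_page
@@ -172,11 +171,14 @@ class CherryPyConfig(object):
 else:
 pkey_fname = self.get_localized_module_option('key_file') # type: ignore
 
-verify_tls_files(cert_fname, pkey_fname)
-
 # Create custom SSL context to disable TLS 1.0 and 1.1.
 context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
-context.load_cert_chain(cert_fname, pkey_fname)
+
+try:
+context.load_cert_chain(cert_fname, pkey_fname)
+except ssl.SSLError:
+raise ServerConfigException("No certificate configured")
+
 if sys.version_info >= (3, 7):
 if Settings.UNSAFE_TLS_v1_2:
 context.minimum_version = ssl.TLSVersion.TLSv1_2
@@ -473,15 +475,26 @@ class Module(MgrModule, CherryPyConfig):
 
 @CLIWriteCommand("dashboard create-self-signed-cert")
 def set_mgr_created_self_signed_cert(self):
-cert, pkey = create_self_signed_cert('IT', 'ceph-dashboard')
-result = HandleCommandResult(*self.set_ssl_certificate(inbuf=cert))
-if result.retval != 0:
-return result
-
-result = HandleCommandResult(*self.set_ssl_certificate_key(inbuf=pkey))
-if result.retval != 0:
-return result
-return 0, 'Self-signed certificate created', ''
+from textwrap import dedent
+
+err = """
+Creating self-signed certificates is currently not available.
+However, you can still set a key and certificate pair manually:
+
+1. Generate a private key and self-signed certificate:
+# openssl req -newkey rsa:2048 -nodes -x509 \\
+-keyout /root/dashboard-key.pem -out /root/dashboard-cert.pem -sha512 \\
+-days 3650 -subj "/CN=IT/O=ceph-mgr-dashboard" -utf8
+
+2. Set the corresponding config keys for the key/cert pair:
+# ceph config-key set mgr/dashboard/key -i /root/dashboard-key.pem
+# ceph config-key set mgr/dashboard/crt -i /root/dashboard-crt.pem
+
+For more information on how to configure TLS for the dashboard, visit:
+https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support
+"""
+
+return -errno.ENOTSUP, '', dedent(err).strip()
 
 @CLIWriteCommand("dashboard set-rgw-credentials")
 def set_rgw_credentials(self):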
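Review bot: The new `except ssl.SSLError` in the CherryPyConfig hunk collapses every load failure — key/cert mismatch, malformed PEM, password-protected key — into the single message "No certificate configured", and a missing or unreadable file makes load_cert_chain raise OSError rather than SSLError, so that case escapes this handler as an unhandled exception instead of a ServerConfigException; with the start-up pair check removed, this is now the only place an operator learns why TLS failed to come up. Keep the underlying reason and widen the catch: `except (ssl.SSLError, OSError) as e:` / `raise ServerConfigException(f'Failed to load TLS key/certificate pair: {e}') from e`. The enclosing method starts and ends outside that hunk. In the third hunk the manual steps are inconsistent: step 1 writes `/root/dashboard-cert.pem` but step 2 reads `/root/dashboard-crt.pem`, so a user following them verbatim gets a file-not-found; use one name in both lines. It is also worth confirming that `errno` is imported at module level, since the new return path depends on it and the import block is outside this hunk.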
99 | -- | |
100 | 2.39.2 | |