1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Max Carrara <m.carrara@proxmox.com>
3 Date: Thu, 4 Jan 2024 17:37:50 +0100
4 Subject: [PATCH] mgr/dashboard: remove ability to create and check TLS
7 In order to avoid running into PyO3-related issues [0] with PyOpenSSL,
8 the ability to create self-signed certs is disabled - the command
9 `ceph dashboard create-self-signed-cert` is made to always return an
12 The command's error message contains the manual steps the user may
13 follow in order to set the certificate themselves, as well as a link
14 to the Ceph Dashboard documentation regarding TLS support. [1]
16 Furthermore, the check on start-up, that verifies that the configured
17 key/cert pair actually match, is also removed. This means that users
18 need to ensure themselves that the correct pair is supplied -
19 otherwise their browser will complain.
21 These changes allow the dashboard to launch with TLS enabled again.
23 [0]: https://tracker.ceph.com/issues/63529
24 [1]: https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support
26 Signed-off-by: Max Carrara <m.carrara@proxmox.com>
28 src/pybind/mgr/dashboard/module.py | 41 ++++++++++++++++++++----------
29 1 file changed, 27 insertions(+), 14 deletions(-)
31 diff --git a/src/pybind/mgr/dashboard/module.py b/src/pybind/mgr/dashboard/module.py
32 index 68725be6e35..9db55a3ee93 100644
33 --- a/src/pybind/mgr/dashboard/module.py
34 +++ b/src/pybind/mgr/dashboard/module.py
35 @@ -23,8 +23,7 @@ if TYPE_CHECKING:
37 from mgr_module import CLIReadCommand, CLIWriteCommand, HandleCommandResult, \
38 MgrModule, MgrStandbyModule, NotifyType, Option, _get_localized_key
39 -from mgr_util import ServerConfigException, build_url, \
40 - create_self_signed_cert, get_default_addr, verify_tls_files
41 +from mgr_util import ServerConfigException, build_url, get_default_addr
44 from .controllers import Router, json_error_page
45 @@ -172,11 +171,14 @@ class CherryPyConfig(object):
47 pkey_fname = self.get_localized_module_option('key_file') # type: ignore
49 - verify_tls_files(cert_fname, pkey_fname)
51 # Create custom SSL context to disable TLS 1.0 and 1.1.
52 context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
53 - context.load_cert_chain(cert_fname, pkey_fname)
56 + context.load_cert_chain(cert_fname, pkey_fname)
57 + except ssl.SSLError:
58 + raise ServerConfigException("No certificate configured")
60 if sys.version_info >= (3, 7):
61 if Settings.UNSAFE_TLS_v1_2:
62 context.minimum_version = ssl.TLSVersion.TLSv1_2
63 @@ -473,15 +475,26 @@ class Module(MgrModule, CherryPyConfig):
65 @CLIWriteCommand("dashboard create-self-signed-cert")
66 def set_mgr_created_self_signed_cert(self):
67 - cert, pkey = create_self_signed_cert('IT', 'ceph-dashboard')
68 - result = HandleCommandResult(*self.set_ssl_certificate(inbuf=cert))
69 - if result.retval != 0:
72 - result = HandleCommandResult(*self.set_ssl_certificate_key(inbuf=pkey))
73 - if result.retval != 0:
75 - return 0, 'Self-signed certificate created', ''
76 + from textwrap import dedent
79 + Creating self-signed certificates is currently not available.
80 + However, you can still set a key and certificate pair manually:
82 + 1. Generate a private key and self-signed certificate:
83 + # openssl req -newkey rsa:2048 -nodes -x509 \\
84 + -keyout /root/dashboard-key.pem -out /root/dashboard-cert.pem -sha512 \\
85 + -days 3650 -subj "/CN=IT/O=ceph-mgr-dashboard" -utf8
87 + 2. Set the corresponding config keys for the key/cert pair:
88 + # ceph config-key set mgr/dashboard/key -i /root/dashboard-key.pem
89 + # ceph config-key set mgr/dashboard/crt -i /root/dashboard-crt.pem
91 + For more information on how to configure TLS for the dashboard, visit:
92 + https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support
95 + return -errno.ENOTSUP, '', dedent(err).strip()
97 @CLIWriteCommand("dashboard set-rgw-credentials")
98 def set_rgw_credentials(self):