ceph / ceph-iscsi

Ceph iSCSI tools
GNU General Public License v3.0

Error adding iscsi-gateway-add using HTTPS #182

Open gramallo opened 4 years ago

gramallo commented 4 years ago

Hi all, and thanks for reading this to help with my issue.

I am running Ceph Nautilus with ceph-iscsi 3.4-1.el7. While running the Ansible installation I get an error on the dashboard role when trying to add iSCSI gateways, and the same error is returned when running the add command from the shell.

My cluster is configured with wildcard certs for: dashboard, rados gateway, iscsi gateway. The error "Error code: SSL_ERROR_BAD_CERT_DOMAIN" is seen when browsing with Firefox.

SSL verify is disabled:

    ceph dashboard set-rgw-api-ssl-verify False
    Option RGW_API_SSL_VERIFY updated

Command:

    ceph --cluster ceph dashboard iscsi-gateway-add https://myadmin:admin.01@10.129.1.114:5050

    Error EINVAL: iscsi REST API cannot be reached. Please check your configuration and that the API endpoint is accessible

Ansible error

failed: [cnode01 -> cnode01] (item=cnode05) => changed=false
  ansible_loop_var: item
  cmd:
  - ceph
  - --cluster
  - ceph
  - dashboard
  - iscsi-gateway-add
  - https://myadmin:admin.01@10.129.1.114:5050
  delta: '0:00:00.829076'
  end: '2020-03-30 10:28:19.305049'
  invocation:
    module_args:
      _raw_params: ' ceph --cluster ceph dashboard iscsi-gateway-add https://myadmin:admin.01@10.129.1.114:5050'
      _uses_shell: false
      argv: null
      chdir: null
      creates: null
      executable: null
      removes: null
      stdin: null
      stdin_add_newline: true
      strip_empty_ends: true
      warn: true
  item: cnode05
  msg: non-zero return code
  rc: 22
  start: '2020-03-30 10:28:18.475973'
  stderr: 'Error EINVAL: iscsi REST API cannot be reached. Please check your configuration and that the API endpoint is accessible'
  stderr_lines: <omitted>
  stdout: ''
  stdout_lines: <omitted>

iSCSI gateway cfg
The directory has the certificate files in place.

"/etc/ceph/iscsi-gateway.cfg" 23L, 977C

# Ansible managed
[config]
api_password = admin.01
api_port = 5050
# API settings.
# The API supports a number of options that allow you to tailor it to your
# local environment. If you want to run the API under https, you will need to
# create cert/key files that are compatible for each iSCSI gateway node, that is
# not locked to a specific node. SSL cert and key files *must* be called
# 'iscsi-gateway.crt' and 'iscsi-gateway.key' and placed in the '/etc/ceph/' directory
# on *each* gateway node. With the SSL files in place, you can use 'api_secure = true'
# to switch to https mode.
# To support the API, the bear minimum settings are:
api_secure = True
# Optional settings related to the CLI/API service
api_user = myadmin
cluster_name = ceph
loop_delay = 1
trusted_ip_list = 10.129.1.114,10.129.1.113

Some tests

[root@cnode05 /]# curl --insecure --user myadmin:admin.01 -X GET https://10.129.1.114:5050/api/config
{
  "created": "2020/03/26 19:02:10",
  "discovery_auth": {
    "mutual_password": "",
    "mutual_password_encryption_enabled": false,
    "mutual_username": "",
    "password": "",
    "password_encryption_enabled": false,
    "username": ""
  },
  "disks": {},
  "epoch": 0,
  "gateways": {},
  "targets": {},
  "updated": "",
  "version": 11
}
[root@cnode05 /]# curl --insecure --user myadmin:admin.01 -X GET https://10.129.1.114:5050/api/_ping
{
  "message": "pong"
}
[root@cnode05 /]# curl --insecure --user myadmin:admin.01 -X GET https://10.129.1.114:5050/api/sysinfo/ip_addresses
{
  "data": [
    "172.17.0.1",
    "10.129.1.114",
    "10.10.16.114"
  ]
}

ricardoasmarques commented 4 years ago

@gramallo are you running those curl tests on the same host where ansible is running the ceph dashboard iscsi-gateway-add ... command? I wonder if you are missing some IP address on /etc/ceph/iscsi-gateway.cfg -> trusted_ip_list.

mikechristie commented 4 years ago

@gramallo

I responded to the same question on the ceph user lists. Please just reply here so ricardo can see the responses. He is the ceph iscsi dashboard expert and I'm not sure he's on the ceph list.

gramallo commented 4 years ago

Hi @ricardoasmarques, the issue is not present when the API is configured as insecure; trusted_ip_list is set. I can run the playbook again to reconfigure api_secure = true and capture logs. What is the file I need to look at for details of the error?