Enable HTTPS for the Ceph Object Gateway (RGW) by using the cephadm certificate manager.
Before you begin
- The Ceph Object Gateway is deployed using cephadm.
- You have access to the RGW service specification.
- Certificate files are available if you are using custom certificates.
About this task
Starting with version 9.0, HTTPS for the Ceph Object Gateway is configured by using the cephadm certificate manager (certmgr). This method replaces legacy frontend SSL configuration and provides a consistent way to manage certificates across services.
Important: The rgw_frontend_ssl_certificate configuration option is deprecated and is not supported in 9.0 and later releases. Do not use this option for new deployments.
Procedure
- Define the RGW service specification with HTTPS enabled, using one of the following certificate sources.
  - Configure HTTPS by using cephadm-signed certificates (default).
    Use cephadm to automatically generate and manage certificates for the RGW service. Set ssl: true and certificate_source: cephadm-signed in the service specification.
service_type: rgw
service_id: my-rgw
spec:
  ssl: true
  certificate_source: cephadm-signed
Apply the service specification.
ceph orch apply -i rgw.yaml
cephadm generates a certificate and enables HTTPS for the RGW endpoints. Because the certificate is issued by cephadm rather than by a public or corporate CA, S3 clients must be configured to trust it (or the cephadm CA); use inline or referenced certificates when clients expect a certificate from your own CA.
Note: The generate_cert: true field remains supported when used together with ssl: true and produces the same cephadm-managed self-signed certificate behavior. For new deployments, certificate_source: cephadm-signed is the preferred method.
  - Configure HTTPS by using inline certificates.
    Provide a certificate and private key directly in the service specification. Set ssl: true, certificate_source: inline, and embed the PEM certificate and private key in the ssl_cert and ssl_key fields. If the certificate was issued by an intermediate CA, include the full chain in ssl_cert so clients can build a path to a trusted root.
service_type: rgw
service_id: my-rgw
spec:
  ssl: true
  certificate_source: inline
  ssl_cert: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  ssl_key: |
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
Apply the service specification:
ceph orch apply -i rgw.yaml
cephadm deploys the RGW service with the custom certificate and key.
Note: Both ssl_cert and ssl_key are required when certificate_source is inline. The specification file now contains the private key, so restrict its permissions and do not commit it to version control unencrypted.
  - Configure HTTPS for the Ceph Object Gateway by using referenced, externally managed certificates.
    The certificates are not generated by cephadm. You store them in certmgr under the names rgw_ssl_cert and rgw_ssl_key, scoped to the RGW service, and the service specification references them instead of embedding them.
    First, register the certificate and key with certmgr. The key file holds the private key, so keep it readable only by the user running the command:
ceph orch certmgr cert set --cert-name rgw_ssl_cert --service-name rgw.<service_id> -i $PWD/server_cert.pem
ceph orch certmgr key set --key-name rgw_ssl_key --service-name rgw.<service_id> -i $PWD/server_key
Then configure the RGW service to use the referenced certificate:
service_type: rgw
service_id: my-rgw
spec:
  ssl: true
  certificate_source: reference
Apply the updated specification:
ceph orch apply -i my-rgw.yaml
  - Configure wildcard SAN support if required.
    To support virtual-host-style S3 access (the bucket name as a DNS subdomain, such as mybucket.s3.example.com), enable wildcard Subject Alternative Names (SAN) in the cephadm-signed certificate. Set wildcard_enabled to true and list the zone group hostnames in zonegroup_hostnames; cephadm adds a wildcard SAN entry derived from each listed hostname.
service_type: rgw
service_id: my-rgw
spec:
  ssl: true
  certificate_source: cephadm-signed
  wildcard_enabled: true
  zonegroup_hostnames:
    - s3.example.com
Apply the updated specification:
ceph orch apply -i my-rgw.yaml
When wildcard_enabled is set to true, cephadm includes a wildcard SAN entry for each zone group hostname in the generated certificate (for example, *.s3.example.com for s3.example.com), allowing bucket access using virtual-host-style DNS names. A wildcard SAN matches exactly one DNS label, so it covers mybucket.s3.example.com but not a.b.s3.example.com.
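The inline and reference flows above take a certificate and key that you supply, and the wildcard step shows what the SAN must cover for virtual-host-style access. The following script is an added example, not part of this page or of the Ceph project: it checks a certificate and key pair before you embed it inline or register it with certmgr, and checks a deployed endpoint afterwards. It assumes the openssl command-line tool is installed; the file names, the s3.example.com hostname and the my-rgw service ID are placeholders, and the test certificate it can generate is a constructed fixture.

```shell
#!/bin/sh
# Added example (not Ceph project code): pre-flight checks for an externally
# managed RGW certificate before it is embedded inline or registered with
# `ceph orch certmgr`, plus a post-deploy TLS check. Assumes the openssl CLI;
# file names, the s3.example.com hostname and the my-rgw ID are placeholders.

# 0 if the public key in certificate $1 equals the public key of private key $2.
# A mismatched pair makes the RGW frontend fail to start, so catch it here.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if certificate $1 carries the exact DNS SAN $2 (fixed-string match, so a
# literal "*.s3.example.com" is not treated as a regex and cannot accidentally
# match "s3.example.com").
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF "DNS:$2"
}

# 0 if certificate $1 covers virtual-host-style S3 for zonegroup hostname $2:
# the bare name for path-style requests and the wildcard for <bucket>.<name>.
cert_covers_vhost() {
  cert_has_san "$1" "$2" && cert_has_san "$1" "*.$2"
}

# Run all checks for cert $1 / key $2 against zonegroup hostname $3 and, on
# success, print the certmgr commands for service rgw.$4 (the reference flow).
preflight() {
  cert_key_match "$1" "$2" \
    || { echo "FAIL: key does not match certificate" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "FAIL: certificate has expired" >&2; return 1; }
  cert_covers_vhost "$1" "$3" \
    || { echo "FAIL: SAN must contain DNS:$3 and DNS:*.$3" >&2; return 1; }
  echo "ceph orch certmgr cert set --cert-name rgw_ssl_cert --service-name rgw.$4 -i $1"
  echo "ceph orch certmgr key set --key-name rgw_ssl_key --service-name rgw.$4 -i $2"
}

# After `ceph orch apply`: 0 if endpoint $1:$2 presents a certificate valid for
# hostname $3 whose chain verifies against CA bundle $4 (for cephadm-signed
# certificates that is the cephadm CA; for public CAs the system bundle).
verify_endpoint() {
  openssl s_client -connect "$1:$2" -servername "$3" -verify_hostname "$3" \
    -CAfile "$4" -verify_return_error </dev/null >/dev/null 2>&1
}

# Constructed test fixture: a self-signed certificate with both SANs for
# hostname $2, written to $1/server_cert.pem and $1/server_key.pem.
# Needs OpenSSL >= 1.1.1 for -addext.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2,DNS:*.$2" \
    -keyout "$1/server_key.pem" -out "$1/server_cert.pem" >/dev/null 2>&1
}

# Usage before registering a real certificate:
#   preflight ./server_cert.pem ./server_key s3.example.com my-rgw
# Usage after deployment (CA bundle path is an assumption):
#   verify_endpoint rgw.example.com 443 mybucket.s3.example.com ./ca.pem
```

preflight prints the two certmgr commands rather than running them, so you can review the names before anything is stored in the cluster. verify_endpoint passes a bucket-style hostname as the SNI and verification name, which exercises the wildcard SAN the same way an S3 client using virtual-host addressing would.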
Results
After completing this task, HTTPS is enabled for the Ceph Object Gateway. Certificates are managed by cephadm through certmgr, and RGW endpoints are accessible over secure connections.
Verify the deployment:
ceph orch ls
ceph orch ps
The RGW service should show the HTTPS port (for example, ?:443) in the PORTS column.