From: "Max R. Carrara" <m.carrara@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH v1 squid-stable-8 ceph 2/2] drop patch that disables generating self-signed certs for dashboard
Date: Tue, 15 Jul 2025 11:32:37 +0200
Message-ID: <20250715093237.650039-3-m.carrara@proxmox.com>
In-Reply-To: <20250715093237.650039-1-m.carrara@proxmox.com>
Due to the backported patches of the previous commit, this patch is
not necessary anymore.
Signed-off-by: Max R. Carrara <m.carrara@proxmox.com>
---
...move-ability-to-create-and-check-TLS.patch | 126 ------------------
patches/series | 1 -
2 files changed, 127 deletions(-)
delete mode 100644 patches/0011-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch
diff --git a/patches/0011-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch b/patches/0011-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch
deleted file mode 100644
index 3dce8e7a50..0000000000
--- a/patches/0011-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Max Carrara <m.carrara@proxmox.com>
-Date: Fri, 26 Jan 2024 14:04:47 +0100
-Subject: [PATCH] mgr/dashboard: remove ability to create and check TLS
- key/cert pairs
-
-In order to avoid running into PyO3-related issues [0] with PyOpenSSL,
-the ability to create self-signed certs is disabled - the command
-`ceph dashboard create-self-signed-cert` is made to always return an
-error.
-
-The command's error message contains the manual steps the user may
-follow in order to set the certificate themselves, as well as a link
-to the Ceph Dashboard documentation regarding TLS support. [1]
-
-Furthermore, the check on start-up, that verifies that the configured
-key/cert pair actually match, is also removed. This means that users
-need to ensure themselves that the correct pair is supplied -
-otherwise their browser will complain.
-
-Other checks unrelated to the verification of keypairs are preserved,
-such as checking for the cert's and key's existence on the filesystem.
-
-`ssl.SSLError`s that occur during startup are re-raised with the
-additional information they contain as `ServerConfigException`s, as
-the dashboard handles these in its startup loop. Other exceptions are
-re-raised as well. Otherwise, the dashboard will irrecoverably crash,
-which also causes the `ceph dashboard` subcommand to stop working
-altogether, even if one of its sub-subcommands are unrelated to the
-dashboard itself.
-
-These changes allow the dashboard to launch with TLS enabled again.
-
-[0]: https://tracker.ceph.com/issues/63529
-[1]: https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support
-
-Signed-off-by: Max Carrara <m.carrara@proxmox.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- src/pybind/mgr/dashboard/module.py | 58 ++++++++++++++++++++++--------
- 1 file changed, 43 insertions(+), 15 deletions(-)
-
-diff --git a/src/pybind/mgr/dashboard/module.py b/src/pybind/mgr/dashboard/module.py
-index 41160b698aa..8f57061abe2 100644
---- a/src/pybind/mgr/dashboard/module.py
-+++ b/src/pybind/mgr/dashboard/module.py
-@@ -23,8 +23,7 @@ if TYPE_CHECKING:
-
- from mgr_module import CLIReadCommand, CLIWriteCommand, HandleCommandResult, \
- MgrModule, MgrStandbyModule, NotifyType, Option, _get_localized_key
--from mgr_util import ServerConfigException, build_url, \
-- create_self_signed_cert, get_default_addr, verify_tls_files
-+from mgr_util import ServerConfigException, build_url, get_default_addr
-
- from . import mgr
- from .controllers import Router, json_error_page
-@@ -169,11 +168,29 @@ class CherryPyConfig(object):
- else:
- pkey_fname = self.get_localized_module_option('key_file') # type: ignore
-
-- verify_tls_files(cert_fname, pkey_fname)
-+ if not cert_fname or not pkey_fname:
-+ raise ServerConfigException('no certificate configured')
-+
-+ if not os.path.isfile(cert_fname):
-+ raise ServerConfigException(f"Certificate {cert_fname} does not exist")
-+
-+ if not os.path.isfile(pkey_fname):
-+ raise ServerConfigException(f"private key {pkey_fname} does not exist")
-+
-+ try:
-+ # Create custom SSL context to disable TLS 1.0 and 1.1.
-+ context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
-+ context.load_cert_chain(cert_fname, pkey_fname)
-+ except ssl.SSLError as e:
-+ raise ServerConfigException(
-+ "Encountered unexpected error while creating SSL context"
-+ f" - library: {e.library}, reason: {e.reason}"
-+ )
-+ except Exception as e:
-+ raise ServerConfigException(
-+ f"Encountered unexpected error while creating SSL context: {e}"
-+ )
-
-- # Create custom SSL context to disable TLS 1.0 and 1.1.
-- context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
-- context.load_cert_chain(cert_fname, pkey_fname)
- if sys.version_info >= (3, 7):
- context.minimum_version = ssl.TLSVersion.TLSv1_3
- else:
-@@ -464,15 +481,26 @@ class Module(MgrModule, CherryPyConfig):
-
- @CLIWriteCommand("dashboard create-self-signed-cert")
- def set_mgr_created_self_signed_cert(self):
-- cert, pkey = create_self_signed_cert('IT', 'ceph-dashboard')
-- result = HandleCommandResult(*self.set_ssl_certificate(inbuf=cert))
-- if result.retval != 0:
-- return result
--
-- result = HandleCommandResult(*self.set_ssl_certificate_key(inbuf=pkey))
-- if result.retval != 0:
-- return result
-- return 0, 'Self-signed certificate created', ''
-+ from textwrap import dedent
-+
-+ err = """
-+ Creating self-signed certificates is currently not available.
-+ However, you can still set a key and certificate pair manually:
-+
-+ 1. Generate a private key and self-signed certificate:
-+ # openssl req -newkey rsa:2048 -nodes -x509 \\
-+ -keyout /root/dashboard-key.pem -out /root/dashboard-crt.pem -sha512 \\
-+ -days 3650 -subj "/CN=IT/O=ceph-mgr-dashboard" -utf8
-+
-+ 2. Set the corresponding config keys for the key/cert pair:
-+ # ceph config-key set mgr/dashboard/key -i /root/dashboard-key.pem
-+ # ceph config-key set mgr/dashboard/crt -i /root/dashboard-crt.pem
-+
-+ For more information on how to configure TLS for the dashboard, visit:
-+ https://docs.ceph.com/en/reef/mgr/dashboard/#ssl-tls-support
-+ """
-+
-+ return -errno.ENOTSUP, '', dedent(err).strip()
-
- @CLIWriteCommand("dashboard set-rgw-credentials")
- def set_rgw_credentials(self):
diff --git a/patches/series b/patches/series
index ce1d9725d0..9adb8681e2 100644
--- a/patches/series
+++ b/patches/series
@@ -5,7 +5,6 @@
0008-fix-service-ordering-avoid-Before-remote-fs-pre.targ.patch
0009-fix-4759-run-ceph-crash-daemon-with-www-data-group-f.patch
0010-fix-compatibility-with-CPUs-not-supporting-SSE-4.1-i.patch
-0011-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch
0012-ceph-osd-postinst-do-not-always-reload-all-sysctl-se.patch
0013-debian-recursively-adjust-permissions-of-var-lib-cep.patch
0014-ceph-crash-change-order-of-client-names.patch
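Review bot: the series edit matches the file deletion, so no dangling entry remains, and keeping the gap between 0010 and 0012 instead of renumbering avoids churn in the remaining patch names on a stable branch. A one-line note in the commit message that 0012 onward still apply cleanly without 0011 would make that verified for whoever rebases this series later.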
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Thread overview: 4+ messages
2025-07-15 9:32 [pve-devel] [PATCH v1 squid-stable-8 ceph 0/2] Provide Workaround for PyO3 ImportError regarding Ceph Dashboard Max R. Carrara
2025-07-15 9:32 ` [pve-devel] [PATCH v1 squid-stable-8 ceph 1/2] backport workaround for PyO3 sub-interpreter ImportError Max R. Carrara
2025-07-15 9:32 ` Max R. Carrara [this message]
2025-07-15 12:55 ` [pve-devel] applied: [PATCH v1 squid-stable-8 ceph 0/2] Provide Workaround for PyO3 ImportError regarding Ceph Dashboard Thomas Lamprecht