From 48b2ab7558ff6feaabb8c77b5d2a12cefa62e05d Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Mon, 3 Sep 2018 13:15:51 +0200
Subject: [PATCH 1/2] radosgw: Restart radosgw on cert (re-)creation

Without this change, the radosgw might not be using the certs that have just been (re-) created.
---
 .../ceph/recipes/radosgw_civetweb.rb | 70 +++++++++----------
 1 file changed, 35 insertions(+), 35 deletions(-)

diff --git a/chef/cookbooks/ceph/recipes/radosgw_civetweb.rb b/chef/cookbooks/ceph/recipes/radosgw_civetweb.rb
index d9d7215..819d6a6 100644
--- a/chef/cookbooks/ceph/recipes/radosgw_civetweb.rb
+++ b/chef/cookbooks/ceph/recipes/radosgw_civetweb.rb
@@ -12,48 +12,48 @@
 package "openssl"
 ruby_block "generate_certs for radosgw" do
 block do
- unless ::File.exist?(certfile) && ::File.exist?(keyfile)
- require "fileutils"
+ require "fileutils"
- Chef::Log.info("Generating SSL certificate for radosgw...")
+ Chef::Log.info("Generating SSL certificate for radosgw...")
- [:certfile, :keyfile].each do |k|
- dir = File.dirname(node[:ceph][:radosgw][:ssl][k])
- FileUtils.mkdir_p(dir) unless File.exist?(dir)
- end
+ [:certfile, :keyfile].each do |k|
+ dir = File.dirname(node[:ceph][:radosgw][:ssl][k])
+ FileUtils.mkdir_p(dir) unless File.exist?(dir)
+ end
- # Generate private key
- `openssl genrsa -out #{keyfile} 4096`
- if $?.exitstatus != 0
- message = "SSL private key generation failed"
- Chef::Log.fatal(message)
- raise message
- end
- FileUtils.chown "root", node[:ceph][:group], keyfile
- FileUtils.chmod 0640, keyfile
+ # Generate private key
+ `openssl genrsa -out #{keyfile} 4096`
+ if $?.exitstatus != 0
+ message = "SSL private key generation failed"
+ Chef::Log.fatal(message)
+ raise message
+ end
+ FileUtils.chown "root", node[:ceph][:group], keyfile
+ FileUtils.chmod 0640, keyfile
- # Generate certificate signing requests (CSR)
- conf_dir = File.dirname certfile
- ssl_csr_file = "#{conf_dir}/signing_key.csr"
- ssl_subject = "\"/C=US/ST=Unset/L=Unset/O=Unset/CN=#{node[:fqdn]}\""
- `openssl req -new -key #{keyfile} -out #{ssl_csr_file} -subj #{ssl_subject}`
- if $?.exitstatus != 0
- message = "SSL certificate signed requests generation failed"
- Chef::Log.fatal(message)
- raise message
- end
+ # Generate certificate signing requests (CSR)
+ conf_dir = File.dirname certfile
+ ssl_csr_file = "#{conf_dir}/signing_key.csr"
+ ssl_subject = "\"/C=US/ST=Unset/L=Unset/O=Unset/CN=#{node[:fqdn]}\""
+ `openssl req -new -key #{keyfile} -out #{ssl_csr_file} -subj #{ssl_subject}`
+ if $?.exitstatus != 0
+ message = "SSL certificate signed requests generation failed"
+ Chef::Log.fatal(message)
+ raise message
+ end
- # Generate self-signed certificate with above CSR
- `openssl x509 -req -days 3650 -in #{ssl_csr_file} -signkey #{keyfile} -out #{certfile}`
- if $?.exitstatus != 0
- message = "SSL self-signed certificate generation failed"
- Chef::Log.fatal(message)
- raise message
- end
+ # Generate self-signed certificate with above CSR
+ `openssl x509 -req -days 3650 -in #{ssl_csr_file} -signkey #{keyfile} -out #{certfile}`
+ if $?.exitstatus != 0
+ message = "SSL self-signed certificate generation failed"
+ Chef::Log.fatal(message)
+ raise message
+ end
- File.delete ssl_csr_file # Nobody should even try to use this
- end # unless files exist
+ File.delete ssl_csr_file # Nobody should even try to use this
 end # block
+ not_if { ::File.exist?(certfile) && ::File.exist?(keyfile) }
+ notifies :restart, "service[radosgw]"
 end # ruby_block
 else # if generate_certs
 unless ::File.exist? certfile

From 598251ddf15d8d8912c2124e675bbeeb1a4b4db7 Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Mon, 3 Sep 2018 13:16:59 +0200
Subject: [PATCH 2/2] radosgw: Generate slightly saner root RSA key

The default root key of 4096 RSA bits is not very performant, apparently openssl isn't able to optimize that. Since all the rest of the self generated certs use 2048, and that should be secure for a while (especially for a service that does not setup a valid cert and that isn't being checked by the client) that should be plenty enough. Improves connection performance by factor (!) 2.5.
---
 chef/cookbooks/ceph/recipes/radosgw_civetweb.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/chef/cookbooks/ceph/recipes/radosgw_civetweb.rb b/chef/cookbooks/ceph/recipes/radosgw_civetweb.rb
index 819d6a6..1a5a692 100644
--- a/chef/cookbooks/ceph/recipes/radosgw_civetweb.rb
+++ b/chef/cookbooks/ceph/recipes/radosgw_civetweb.rb
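Review bot: The three backtick `openssl` calls re-emitted on the new side interpolate `keyfile`, `certfile` and `node[:fqdn]` straight into a `/bin/sh` command line, so a shell metacharacter in any of those node attributes is interpreted by the shell, and the `ssl_subject` string carries escaped inner quotes only to survive that shell pass. Since the whole block is being rewritten anyway, the Chef-idiomatic form is `shell_out!` with an argument list (the ShellOut mixin is available in recipe context, which the block closure retains): it bypasses the shell, raises `Mixlib::ShellOut::ShellCommandFailed` with the command output on a non-zero exit, and makes the three `$?.exitstatus` / `Chef::Log.fatal` / `raise` sequences and the quoted subject literal unnecessary. The added `notifies :restart, "service[radosgw]"` is a delayed notification and presumes a `service[radosgw]` resource is declared elsewhere in the run list; the enclosing `if generate_certs` / `else` branches continue outside the hunk.
```ruby
# Generate private key
shell_out!("openssl", "genrsa", "-out", keyfile, "4096")
FileUtils.chown "root", node[:ceph][:group], keyfile
FileUtils.chmod 0640, keyfile

# Generate certificate signing requests (CSR)
conf_dir = File.dirname certfile
ssl_csr_file = "#{conf_dir}/signing_key.csr"
ssl_subject = "/C=US/ST=Unset/L=Unset/O=Unset/CN=#{node[:fqdn]}"
shell_out!("openssl", "req", "-new", "-key", keyfile, "-out", ssl_csr_file, "-subj", ssl_subject)

# Generate self-signed certificate with above CSR
shell_out!("openssl", "x509", "-req", "-days", "3650", "-in", ssl_csr_file, "-signkey", keyfile, "-out", certfile)
# … unchanged: File.delete ssl_csr_file, end # block, not_if / notifies …
```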
@@ -22,7 +22,7 @@
 end
 # Generate private key
- `openssl genrsa -out #{keyfile} 4096`
+ `openssl genrsa -out #{keyfile} 2048`
 if $?.exitstatus != 0
 message = "SSL private key generation failed"
 Chef::Log.fatal(message)
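Review bot: The new `2048` is a bare literal inside the shell string, so the strength/performance trade-off argued in the commit message is invisible to the next reader of the recipe; hoist it into a named local directly above the genrsa line, e.g. `key_bits = 2048 # RSA-2048: within current key-length guidance; 4096 measurably slowed TLS handshakes`, and interpolate `#{key_bits}` in place of the literal. Because the surrounding `ruby_block` is guarded by `not_if { ::File.exist?(certfile) && ::File.exist?(keyfile) }` (added in the previous patch), nodes that already hold a 4096-bit key keep it and only fresh deployments get the smaller key, which is worth stating in the commit message. The `ruby_block` and its guard start and end outside this hunk.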