doc/mgr/dashboard: add note that only RSA keys are supported for TLS

The dashboard module fails to start when configured with ECDSA/EC
private keys due to pyOpenSSL limitations ("key type unsupported").
Add a note to the SSL/TLS documentation advising users to use
RSA keys until ECDSA is supported.

References: https://tracker.ceph.com/issues/73324

Signed-off-by: Martin Koch <koch@synyx.de>

diff --git a/doc/mgr/dashboard.rst b/doc/mgr/dashboard.rst
index 2244e79e3af3f22af931cdec9ee11b86f4bc3f7b..ca8ccff886ce62618a790550c22dbb389f4d5adb 100644 (file)
--- a/doc/mgr/dashboard.rst
+++ b/doc/mgr/dashboard.rst
@@ -244,6 +244,19 @@ For example, a key pair can be generated with a command similar to:
    -subj "/O=IT/CN=ceph-mgr-dashboard" -days 3650 \
    -keyout dashboard.key -out dashboard.crt -extensions v3_ca
 
+.. note::
+
+   Currently, the Ceph Dashboard supports only RSA private keys for SSL/TLS
+   certificates. If you attempt to configure the dashboard with an ECDSA/EC
+   key, the module will fail to start with an error similar to:
+
+   ``MGR_MODULE_ERROR: Module 'dashboard' has failed: key type unsupported``
+
+   This limitation exists because the verification routine in the Ceph Manager
+   uses pyOpenSSL, which supports only RSA keys in its
+   ``PKey.check()`` method. Until this restriction is lifted, generate or
+   request certificates with RSA keys.
+
 The ``dashboard.crt`` file should then be signed by a CA. Once that is done, you
 can enable it for Ceph manager instances by running the following commands: