Bug 1341694

Summary: Document that OSP-d needs to trust the OverCloud CA cert
Product: Red Hat OpenStack
Reporter: David Juran <djuran>
Component: documentation
Assignee: Dan Macpherson <dmacpher>
Status: CLOSED CURRENTRELEASE
QA Contact: Martin Lopes <mlopes>
Severity: medium
Docs Contact:
Priority: medium
Version: 8.0 (Liberty)
CC: adahms, djuran, dmacpher, mlopes, srevivo
Target Milestone: ga
Keywords: Documentation, ZStream
Target Release: 9.0 (Mitaka)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-08-31 14:15:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description David Juran 2016-06-01 14:14:39 UTC
Description of problem:
When deploying an OverCloud with SSL enabled, as described in https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/director-installation-and-usage/611-enabling-ssl-tls-on-the-overcloud, and if the CA signing the OverCloud cert isn't already trusted by the OSP-d, the deployment will fail since the tripleo-client won't be able to connect to the OverCloud to create the endpoints.

We should document that the CA cert (and any intermediates which might be used) should be dropped into /etc/pki/ca-trust/source/anchors, and then 'update-ca-trust' should be run.
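
As an added example, not part of the bug report or of Red Hat's documentation: the trust-anchor step described above wrapped in a small POSIX shell script with the checks a practitioner would want before touching the system trust store on the undercloud (OSP-d). The anchor path and the update-ca-trust command are the ones named in the report; the ANCHOR_DIR override, the helper names and the sanity checks (refuse files that are not PEM certificates, refuse files that carry a private key) are assumptions of this example. On a real undercloud the script runs as root with the default anchor path.

```shell
#!/bin/sh
# Install the overcloud CA certificate (and any intermediates) into the
# undercloud's system trust store so the client can validate the overcloud
# endpoints during deployment.
# ANCHOR_DIR is an assumed override (not from the bug) so the script can be
# exercised without root in a scratch directory; the default is the real path.
set -eu

ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"
SYSTEM_ANCHOR_DIR=/etc/pki/ca-trust/source/anchors

# Number of PEM certificate blocks in a file (prints 0 when there are none).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Copy each PEM file into the anchor directory, refusing anything that is
# unreadable, carries a private key, or contains no certificate. Then, when
# the real anchor directory was targeted and we are root, rebuild the
# consolidated bundles with update-ca-trust (a RHEL/CentOS/Fedora command).
install_ca_anchors() {
    dest="$1"; shift
    mkdir -p "$dest"
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "refusing $f: cannot read file" >&2
            return 1
        fi
        if grep -q 'PRIVATE KEY-----' "$f"; then
            echo "refusing $f: contains a private key, not just a CA cert" >&2
            return 1
        fi
        if [ "$(count_pem_certs "$f")" -eq 0 ]; then
            echo "refusing $f: no PEM certificate found" >&2
            return 1
        fi
        cp "$f" "$dest/$(basename "$f")"
        chmod 0644 "$dest/$(basename "$f")"
    done
    if [ "$dest" = "$SYSTEM_ANCHOR_DIR" ] && [ "$(id -u)" -eq 0 ] \
        && command -v update-ca-trust >/dev/null 2>&1; then
        update-ca-trust extract
    else
        echo "anchors copied to $dest; update-ca-trust not run (needs root and the system anchor dir)" >&2
    fi
}

# True when the anchor file for the given source PEM is present in the directory.
anchor_installed() {
    [ -f "$1/$(basename "$2")" ]
}

# Usage: sh install-overcloud-ca.sh overcloud-ca.pem [intermediate.pem ...]
if [ "$#" -gt 0 ]; then
    install_ca_anchors "$ANCHOR_DIR" "$@"
fi
```

After running it as root on the undercloud, two quick checks confirm the anchor took effect: `trust list --filter=ca-anchors` should list the overcloud CA, and `openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt overcloud-server.pem` (the server cert you generated for the overcloud) should print OK rather than a chain error. If update-ca-trust was not run, the second check still fails even though the file is sitting in the anchors directory, which is exactly the failure mode the report describes.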

Comment 2 Andrew Dahms 2016-08-10 23:58:13 UTC
Assigning to Martin for review.

Comment 3 Martin Lopes 2016-08-11 04:21:15 UTC
Checking with Dan.

Comment 7 Dan Macpherson 2016-08-18 02:14:00 UTC
@David Juran, I've got an updated version of the SSL/TLS cert config here:

https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/paged/director-installation-and-usage/appendix-a-ssl-tls-certificate-configuration

I've tested it and backported to OSP8 and 7. 

Is there any chance you can have a look at this page? Please let me know if there's anything that needs to be corrected.

Comment 13 Dan Macpherson 2016-08-30 07:39:16 UTC
I've pushed an update to restructure the SSL/TLS section:

https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/single/director-installation-and-usage/#appe-SSLTLS_Certificate_Configuration

David, how does it look now?

Comment 14 David Juran 2016-08-30 13:53:32 UTC
Not sure why the command line didn't work, I'm fairly sure I've used it, but I think the main docs, regarding the injection of the CA cert into the trust anchors, now look good (-:

Comment 15 Dan Macpherson 2016-08-30 16:47:35 UTC
Cool.

Any chance you still have access to the cert files you generated? If so, can you check them with the following command...

# openssl x509 -text -in [CERT FILE]

... and post the results of the X509v3 extensions section? If you've got a section for "X509v3 Subject Alternative Name", that means I've done something wrong in my test.

Otherwise, am I okay to close this BZ?

Comment 17 Dan Macpherson 2016-08-31 14:15:05 UTC
Closing BZ. Will djuran over IRC.