Bug 1371614

Summary: [DOCS] SSSD certificate requirements not clear
Product: OpenShift Container Platform
Reporter: Steven Walter <stwalter>
Component: Documentation
Assignee: Ashley Hardin <ahardin>
Status: CLOSED CURRENTRELEASE
QA Contact: Chuan Yu <chuyu>
Severity: low
Docs Contact: Vikram Goyal <vigoyal>
Priority: unspecified
Version: 3.2.0
CC: aos-bugs, jokerman, mmccomas, wsun
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-24 11:42:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Steven Walter 2016-08-30 15:50:52 UTC
Document URL: 
https://docs.openshift.com/enterprise/3.2/install_config/advanced_ldap_configuration/sssd_for_ldap_failover.html

Section Number and Name: 
sssd-phase-1-certificate-generation

Describe the issue: 
It is unclear, first off, why the `oadm ca create-server-cert` is shown twice, nearly identically. Additionally, there are directions to create a CA to sign the cert but no example of how to do this. Step 2 in this section does not have a code example (I think it should be the oadm ca create-server-cert command, but I am not certain). Generally, this section is not clear and could use a rework of the step-by-step directions.

Suggestions for improvement: 


Additional information:

Comment 4 Steven Walter 2016-09-01 14:16:09 UTC
I *believe* the steps should look something like this:

mkdir -p /etc/origin/proxy/
oadm ca create-signer-cert \
  --cert='/etc/origin/proxy/proxyca.crt' \
  --key='/etc/origin/proxy/proxyca.key' \
  --name='openshift-proxy-signer@UNIQUESTRING' \
  --serial='/etc/origin/proxy/proxyca.serial.txt'

(making UNIQUESTRING a unique string, of course)

Followed by:

oadm ca create-server-cert \
  --cert='/etc/origin/proxy/proxy.example.com.crt' \
  --key='/etc/origin/proxy/proxy.example.com.key' \
  --hostnames='proxy.example.com,1.2.3.4' \
  --signer-cert='/etc/origin/proxy/proxyca.crt' \
  --signer-key='/etc/origin/proxy/proxyca.key' \
  --signer-serial='/etc/origin/proxy/proxyca.serial.txt'

By doing it in this order (rather than the order listed originally in the docs), you create a certificate authority which then signs the server cert.

If you want, I can pretty this up and work on a PR if I get some free time as well.
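The signer-then-server order proposed in Comment 4, wrapped in a shell function, followed by the check a practitioner would run afterwards: that the issued server cert actually verifies against the proxy signer CA and that its SAN carries every hostname and IP that was requested. This is an added example, not code from the bug report or from the OpenShift docs; the oadm flags are the ones quoted in the comment, while the directory, hostnames, the UNIQUESTRING value and the two function names are assumed example values.

```shell
#!/bin/sh
# Added example: not from the bug report or the OpenShift docs.
# Requires oadm (step 1 and 2) and openssl (the post-check).
set -eu

# Step 1 then step 2: the signer CA must exist before the server
# cert is issued, otherwise there is nothing to sign it with.
# Arguments: output dir, UNIQUESTRING value, hostname list, cert basename
create_proxy_certs() {
    dir="$1"; unique="$2"; hostnames="$3"; name="$4"
    mkdir -p "$dir"
    oadm ca create-signer-cert \
        --cert="$dir/proxyca.crt" \
        --key="$dir/proxyca.key" \
        --name="openshift-proxy-signer@$unique" \
        --serial="$dir/proxyca.serial.txt"
    oadm ca create-server-cert \
        --cert="$dir/$name.crt" \
        --key="$dir/$name.key" \
        --hostnames="$hostnames" \
        --signer-cert="$dir/proxyca.crt" \
        --signer-key="$dir/proxyca.key" \
        --signer-serial="$dir/proxyca.serial.txt"
}

# Post-check: does the server cert chain to the signer CA it was
# supposed to be signed by, and does its SAN list every requested
# hostname (DNS) or address (IP)? Returns 0 if both hold, 1 otherwise.
# Arguments: signer CA cert, server cert, comma-separated hostname list
verify_proxy_cert() {
    ca="$1"; cert="$2"; hostnames="$3"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || text=""
    for h in $(printf '%s' "$hostnames" | tr ',' ' '); do
        case "$text" in
            *"DNS:$h"*|*"IP Address:$h"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Example run (constructed values), uncomment on a host with oadm:
# create_proxy_certs /etc/origin/proxy UNIQUESTRING proxy.example.com,1.2.3.4 proxy.example.com
# verify_proxy_cert /etc/origin/proxy/proxyca.crt /etc/origin/proxy/proxy.example.com.crt proxy.example.com,1.2.3.4
```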

Comment 6 Ashley Hardin 2016-10-03 16:38:18 UTC
These updates were recently addressed in response to a customer request:
https://github.com/openshift/openshift-docs/pull/2970

Asking QE to verify this work.

Comment 7 Chuan Yu 2016-10-24 07:32:11 UTC
Checked with openshift v3.2.2.0, all works fine.