Bug 1385196

Summary: Documentation: errors wrt configuring TLS/SSL Certificates.
Product: Red Hat OpenStack Reporter: Warren <wusui>
Component: documentationAssignee: Dan Macpherson <dmacpher>
Status: CLOSED CURRENTRELEASE QA Contact: RHOS Documentation Team <rhos-docs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0 (Mitaka)CC: dcadzow, dgilbert, dmacpher, mburns, rhel-osp-director-maint, srevivo, wusui
Target Milestone: ---Keywords: Reopened
Target Release: ---Flags: wusui: needinfo+
wusui: needinfo+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-01-21 22:28:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Warren 2016-10-15 02:36:25 UTC 
Description of problem:
https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/paged/director-installation-and-usage/appendix-a-ssl-tls-certificate-configuration has several related issues.

Version-Release number of selected component (if applicable):
OSPD 9

How reproducible:
100% of the time

Steps to Reproduce:
1. Start with a reimaged RHEL 7.2 machine.
2. Follow the steps in https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/paged/director-installation-and-usage/chapter-4-installing-the-undercloud#sect-Configuring_the_Director
3. This installs the undercloud.  When you get to Section 4.6, go to Appendix A in order to set undercloud_service_certificate
4. Follow the steps in https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/paged/director-installation-and-usage/appendix-a-ssl-tls-certificate-configuration

5. When you get to Step A.5, this operation fails: openssl ca -config openssl.cnf -extensions v3_req -days 3650 -in server.csr.pem -out server.crt.pem -cert ca.crt.pem

Actual results:

Using configuration from openssl.cnf
Error opening CA private key /etc/pki/CA/private/cakey.pem
139637833467808:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:fopen('/etc/pki/CA/private/cakey.pem','r')
139637833467808:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load CA private key

Expected results:

The openssl command should succeed.

Additional info:

Note that in order to work around this, several other issues popped up.

First I ran the operation as sudo.  It looked like a file was missing, so I
put the expected file there by doing

sudo cp ca.key.pem /etc/pki/CA/private/cakey.pem

Note that the file did not have the same name as what I copied.  I am not sure if this action is correct.

Then I got:

sudo openssl ca -config openssl.cnf -extensions v3_req -days 3650 -in server.csr.pem -out server.crt.pem -cert ca.crt.pem
Using configuration from openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'

So I did sudo touch /etc/pki/CA/index.txt

I then got:

sudo openssl ca -config openssl.cnf -extensions v3_req -days 3650 -in server.csr.pem -out server.crt.pem -cert ca.crt.pem
Using configuration from openssl.cnf
unable to load number from /etc/pki/CA/serial
error while loading serial number
140664789718944:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:



So I did sudo vi /etc/pki/CA/ssudo vi /etc/pki/CA/serial
erial and put a 1 in there.



After that, things looked good:


sudo openssl ca -config openssl.cnf -extensions v3_req -days 3650 -in server.csr.pem -out server.crt.pem -cert ca.crt.pem
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 19 (0x13)
        Validity
            Not Before: Oct 15 02:10:33 2016 GMT
            Not After : Oct 13 02:10:33 2026 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            organizationName          = Red Hat
            organizationalUnitName    = Red Hat
            commonName                = 10.8.128.63
            emailAddress              = wusui
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                IP Address:10.8.128.63, DNS:10.8.128.63
Certificate is to be certified until Oct 13 02:10:33 2026 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Comment 1 Dan Macpherson 2016-12-12 04:13:45 UTC 
Merging BZ#1394452 with this BZ and taking it, since it's documentation-specific

Comment from Warren:

Description of problem:

https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/single/director-installation-and-usage/#appe-SSLTLS_Certificate_Configuration appears to not be correct in a few places.


Version-Release number of selected component (if applicable):


How reproducible:
100% of the time

Steps to Reproduce:
1. Follow the instructions in the doc.

Actual results:

First off, all the issues in bugzilla 1385196 still happen in this case

In addition, the openstack user could not write to /etc/pki/CA/newcerts.
I manually changed its permission to 0777 (probably NOT recommended) just
to work around the problem.

Also, there is a definite documentation error.  The command:

openssl req  -key ca.key.pem -new -x509 -days 7300 -extensions v3_ca -out ca.crt.pem

and the command

openssl ca -config openssl.cnf -extensions v3_req -days 3650 -in server.csr.pem -out server.crt.pem -cert ca.cert.pem

refer to a file as ca.crt.pem and ca.cert.pem -- I think that it should be ca.cert.pem because that's what the openstack undercloud install operation expects later.
Comment 2 Dan Macpherson 2016-12-12 04:14:32 UTC 
*** Bug 1394453 has been marked as a duplicate of this bug. ***
Comment 3 Dan Macpherson 2016-12-13 03:41:12 UTC 

*** This bug has been marked as a duplicate of bug 1389766 ***
Comment 4 Dan Macpherson 2016-12-13 03:41:46 UTC 
Whoops, meant to be the other way around!
Comment 5 Dan Macpherson 2016-12-13 03:42:09 UTC 
*** Bug 1389766 has been marked as a duplicate of this bug. ***
Comment 6 Dan Macpherson 2017-07-25 04:47:55 UTC 
I've backported some of the components from OSP10's procedure and integrated them into OSP9's procedure. The published OSP9 doc is here:

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/9/html/director_installation_and_usage/appe-ssltls_certificate_configuration

Here are a list of things that have been updated:

1. Generation of the signing server files (index.txt and serial)
2. Missing --keyfile in the "openssl ca" file
3. The "openssl ca" command needs to be run as sudo
4. Corrected the cert names

Warren, how does the documentation above look now?
Comment 7 Dan Macpherson 2017-08-23 03:53:45 UTC 
No response in over a month. Closing this BZ, but if further changes are required, please feel free to reopen.
Comment 8 Warren 2018-01-15 18:03:11 UTC 
The doc changes look good.
Comment 9 Dan Macpherson 2018-01-21 22:28:18 UTC 
Thanks, Warren!