Bug 1608391

Summary: TLS-Everywhere - Docs points to old deprecated templates
Product: Red Hat OpenStack
Reporter: Federico Iezzi <fiezzi>
Component: documentation
Assignee: Roger Heslop <rheslop>
Status: CLOSED CURRENTRELEASE
QA Contact: RHOS Documentation Team <rhos-docs>
Severity: unspecified
Priority: unspecified
Version: 13.0 (Queens)
CC: jagee, mburns, ooichman, pkesavar, rheslop, srevivo
Last Closed: 2020-03-20 19:38:19 UTC
Type: Bug

Description Federico Iezzi 2018-07-25 12:33:58 UTC
Description of problem:
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/integrate_with_identity_service/idm-novajoin#configure_overcloud_to_use_novajoin

Those templates have been deprecated

 - /usr/share/openstack-tripleo-heat-templates/environments/enable-internal-tls.yaml
 - /usr/share/openstack-tripleo-heat-templates/environments/tls-everywhere-endpoints-dns.yaml

And replaced respectively by
 - /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml
 - /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml


The new enable-internal-tls.yaml has major differences.

Comment 1 Federico Iezzi 2018-07-25 15:06:53 UTC
The following one is also deprecated.
/usr/share/openstack-tripleo-heat-templates/environments/enable-tls.yaml

And replaced by this one:
/usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml

The docs specifically mention "./tripleo-heat-templates/environments/enable-tls.yaml", aka the deprecated version.

Comment 2 Oren Oichman 2018-08-15 12:24:30 UTC
Hi,
We sorted the configuration issue.

Now on the compute node the command: openssl crl -in /etc/pki/CA/crl/overcloud-crl.bin -inform DER -outform PEM -out /etc/pki/CA/crl/overcloud-crl.pem has completed successfully,
but on the control node it failed with an error "unable to load CRL".
We noticed that the overcloud-crl.bin is a different file from the one on the compute node.
The overcloud-crl.bin on the controller contains an HTML reference, which causes an openssl error:

Problem Processing your request

The Certificate Manager encountered a problem while processing your request. the following is a detailed message of the error that occurred.
          you must select an option from the form.
please consult your local administrator for futher assistant . the Certificate System log may provide further information.

We deleted the configuration with

openstack overcloud delete --yes

and redeployed again. We hit the same errors, and this time on both nodes.
We are working with 3 IPA servers with multi-master replicas, and the ipa-ca A record directs to all nodes.
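
The failure described in Comment 2, where the fetched overcloud-crl.bin held an HTML error page instead of a DER CRL, can be detected before the file is handed to openssl. The following is an added example, not part of the original bug thread or of any Red Hat tooling; the function names and the sample bytes are constructed for illustration.

```python
import sys

HTML_MARKERS = (b"<html", b"<!doctype", b"<head", b"<body")
PEM_HEADER = b"-----begin x509 crl-----"

# Constructed samples: a DER-shaped SEQUENCE (not a real CRL) and an HTML error page.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_HTML = b"<html><head><title>Problem Processing your request</title></head></html>"


def der_total_length(data):
    """Return the encoded size of the outer DER SEQUENCE, or None if malformed."""
    if len(data) < 2 or data[0] != 0x30:   # a CRL is an ASN.1 SEQUENCE (tag 0x30)
        return None
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    num = first & 0x7F                     # long form: next `num` bytes hold the length
    if num == 0 or num > 4 or len(data) < 2 + num:
        return None
    return 2 + num + int.from_bytes(data[2:2 + num], "big")


def classify_crl(data):
    """Classify a fetched CRL payload as 'der', 'pem', 'html' or 'unknown'.

    Structural check only: it does not verify the CRL signature or contents.
    """
    if der_total_length(data) == len(data):   # header length matches file size
        return "der"
    head = data[:512].lstrip().lower()
    if head.startswith(PEM_HEADER):
        return "pem"
    if any(marker in head for marker in HTML_MARKERS):
        return "html"                         # e.g. a CA web error page saved as the CRL
    return "unknown"                          # truncated or unrelated content


if __name__ == "__main__":
    # Usage: python check_crl.py /etc/pki/CA/crl/overcloud-crl.bin
    with open(sys.argv[1], "rb") as fh:
        kind = classify_crl(fh.read())
    print(kind)
    sys.exit(0 if kind == "der" else 1)
```

A result of "html" means the CRL URL returned an error page rather than a CRL, so the fetch itself needs fixing before any openssl conversion can succeed.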

Comment 5 Roger Heslop 2020-03-20 19:38:19 UTC
Checked the linked documentation and all subsequent documentation on versions not deprecated.
All referenced paths point to the now valid /usr/share/openstack-tripleo-heat-templates/environments/ssl/ directory for tls template files.

Closing as CURRENT_RELEASE

Comment 6 Roger Heslop 2020-03-20 19:56:17 UTC
Checked the linked documentation and all subsequent documentation on versions not deprecated.
All referenced paths point to the now valid /usr/share/openstack-tripleo-heat-templates/environments/ssl/ directory for tls template files.

Closing as CURRENT_RELEASE

Comment 7 Red Hat Bugzilla 2023-09-14 04:32:05 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days