Description of problem: When deploying an OverCloud with SSL enabled, as described in https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/director-installation-and-usage/611-enabling-ssl-tls-on-the-overcloud, and if the CA signing the OverCloud cert isn't already trusted by the OSP-d, the deployment will fail since the tripleo-client won't be able to connect to the OverCloud to create the endpoints. We should document that the CA-cert (and any intermediates which might be used) should be dropped into /etc/pki/ca-trust/source/anchors, and then 'update-ca-trust' should be run.
Assigning to Martin for review.
Checking with Dan.
@David Juran, I've got an updated version of the SSL/TLS cert config here: https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/paged/director-installation-and-usage/appendix-a-ssl-tls-certificate-configuration I've tested it and backported to OSP8 and 7. Is there any chance you can have a look at this page? Please let me know if there's anything that needs to be corrected.
I've pushed an update to restructure the SSL/TLS section: https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/single/director-installation-and-usage/#appe-SSLTLS_Certificate_Configuration David, how does it look now?
Not sure why the commandline didn't work, I'm fairly sure I've used it, but I think the main docs, regarding the injection of the CA cert into the trust anchors, now look good (-:
Cool. Any chance you still have access to the cert files you generated? If so, can you check them with the following command... # openssl x509 -text -in [CERT FILE] ... and post the results of the X509v3 extensions section? If you've got a section for "X509v3 Subject Alternative Name", that means I've done something wrong in my test. Otherwise, am I okay to close this BZ?
Closing BZ. Will djuran over IRC.
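The two checks discussed in this thread, staging the CA (plus intermediates) into the undercloud trust anchors and inspecting the overcloud certificate for an X509v3 Subject Alternative Name, as one added shell example. This is not code from the bug report or from the Red Hat documentation it links; the function names, the ANCHOR_DIR and UPDATE_CMD variables, and the PEM marker check are assumptions made here. It only refreshes the trust store through `update-ca-trust` (the command named in the report) and reads `/etc/pki/tls/certs/ca-bundle.crt`, the bundle that command regenerates on RHEL.

```shell
#!/bin/sh
# Added example (not from the bug thread): install a CA and its
# intermediates into the undercloud trust anchors, then verify the
# overcloud certificate against the resulting bundle.
# ANCHOR_DIR defaults to the path named in the report; UPDATE_CMD lets a
# dry run substitute 'true' for update-ca-trust (both are assumptions).

ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"
UPDATE_CMD="${UPDATE_CMD:-update-ca-trust}"
CA_BUNDLE="${CA_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"

# is_pem_cert FILE: succeed only if FILE contains a PEM certificate block.
# Binary DER files or stray text dropped into the anchors directory are
# silently ignored by the trust tooling, so reject them up front.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
    grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# install_ca_anchors FILE...: copy each PEM CA/intermediate into ANCHOR_DIR
# and refresh the system trust store. Returns 1 if any file was rejected.
install_ca_anchors() {
    rc=0
    for f in "$@"; do
        if ! is_pem_cert "$f"; then
            echo "skipping $f: not a PEM certificate" >&2
            rc=1
            continue
        fi
        mkdir -p "$ANCHOR_DIR"
        cp "$f" "$ANCHOR_DIR/$(basename "$f")"
        chmod 0644 "$ANCHOR_DIR/$(basename "$f")"
    done
    # update-ca-trust rebuilds the consolidated bundle from the anchors.
    "$UPDATE_CMD" || rc=1
    return $rc
}

# anchor_installed NAME: succeed if NAME is present in ANCHOR_DIR.
anchor_installed() {
    [ -f "$ANCHOR_DIR/$1" ]
}

# cert_has_san CERT: the check asked for in the thread; succeed if the
# certificate carries an X509v3 Subject Alternative Name extension.
cert_has_san() {
    openssl x509 -noout -text -in "$1" 2>/dev/null |
        grep -q 'X509v3 Subject Alternative Name'
}

# verify_chain CERT: confirm the overcloud certificate chains to a CA in
# the bundle that update-ca-trust just regenerated.
verify_chain() {
    openssl verify -CAfile "$CA_BUNDLE" "$1"
}

# Usage: sh install-ca.sh ca.pem intermediate.pem
if [ "$#" -gt 0 ]; then
    install_ca_anchors "$@"
fi
```

After running `install_ca_anchors` on the undercloud, `verify_chain overcloud.crt` should print `overcloud.crt: OK`; a failure there is the same trust error the tripleo-client would hit when creating the endpoints.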