
Bug 1350736

Summary: [Doc] openssl commands need to explicitly set extensions
Product: Red Hat OpenStack
Reporter: Jaison Raju <jraju>
Component: documentation
Assignee: Dan Macpherson <dmacpher>
Status: CLOSED CURRENTRELEASE
QA Contact: RHOS Documentation Team <rhos-docs>
Severity: medium
Priority: unspecified
Version: 8.0 (Liberty)
CC: dmacpher, jraju, mburns, panbalag, srevivo
Target Milestone: ga
Keywords: Documentation, ZStream
Target Release: 8.0 (Liberty)
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-06-29 04:53:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jaison Raju 2016-06-28 09:19:30 UTC
Description of problem:
The documentation states: openssl req -new -x509 -key server-key.pem -out server-cert.pem -days 3650 -config ~/openssl.cnf

However, when specifying the req_distinguished_name in the openssl.cnf, it seems to ignore the extensions unless you explicitly tell it to use v3:
openssl req -new -x509 -key server-key.pem -out server-cert.pem -days 3650 -extensions v3_req -config ~/openssl.cnf

Version-Release number of selected component (if applicable):
RHOS 7 & RHOS 8
https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/director-installation-and-usage/appendix-a-ssl-tls-certificate-configuration

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:
 X509v3 extensions are not included unless the extensions are specified on the command line.

Expected results:
 X509v3 extensions are not present if the extensions are only mentioned in the openssl.cnf file.

Additional info:
The following section is missing from the cert if '-extensions v3_req' is not used on the command line too.

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                IP Address:192.168.0.1, DNS:instack.localdomain, DNS:vip.localdomain
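
The behaviour reported above, reproduced as an added shell example that is not part of the bug report or the Red Hat documentation: a self-signed cert is generated from an openssl.cnf whose [v3_req] section carries the SAN, once with the documented command, once with `-extensions v3_req`, and once with `x509_extensions = v3_req` added to the [req] section so the flag is no longer needed. It assumes the openssl CLI is on PATH; the subject name, addresses and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: show when the [v3_req] extensions actually reach a `req -x509` cert.
# Requires the openssl CLI; every name below is constructed for this demonstration.
WORK=$(mktemp -d)

# $1 = output config, $2 = "yes" to add "x509_extensions = v3_req" under [req]
write_cnf() {
  {
    echo "[req]"
    echo "distinguished_name = req_distinguished_name"
    echo "prompt = no"
    [ "$2" = "yes" ] && echo "x509_extensions = v3_req"
    echo "[req_distinguished_name]"
    echo "CN = instack.localdomain"
    echo "[v3_req]"
    echo "basicConstraints = CA:FALSE"
    echo "keyUsage = nonRepudiation, digitalSignature, keyEncipherment"
    echo "subjectAltName = IP:192.168.0.1, DNS:instack.localdomain, DNS:vip.localdomain"
  } > "$1"
}

# Issue a self-signed cert from config $1 plus any extra `openssl req` options,
# then report whether the cert carries a Subject Alternative Name:
# prints "present", "absent", or "error" (openssl failed).
san_in_cert() {
  cnf=$1; shift
  if ! openssl req -new -x509 -key "$WORK/server-key.pem" -out "$WORK/server-cert.pem" \
       -days 3650 -config "$cnf" "$@" 2>/dev/null; then
    echo error; return
  fi
  if openssl x509 -in "$WORK/server-cert.pem" -noout -text \
       | grep -q "X509v3 Subject Alternative Name"; then
    echo present
  else
    echo absent
  fi
}

openssl genrsa -out "$WORK/server-key.pem" 2048 2>/dev/null
write_cnf "$WORK/plain.cnf" no     # config as in the report: [v3_req] present but not referenced
write_cnf "$WORK/fixed.cnf" yes    # same config with x509_extensions = v3_req under [req]

echo "config only (documented command): $(san_in_cert "$WORK/plain.cnf")"
echo "config + -extensions v3_req:      $(san_in_cert "$WORK/plain.cnf" -extensions v3_req)"
echo "x509_extensions = v3_req in [req]: $(san_in_cert "$WORK/fixed.cnf")"
```

Checking for the SAN rather than the "X509v3 extensions:" header matters because newer OpenSSL releases add a few default extensions to `req -x509` certs on their own, so the header alone does not prove the [v3_req] section was applied.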

Comment 2 Dan Macpherson 2016-08-03 03:03:18 UTC
I've tested out SSL for Mitaka. It seems not only do you need to specify the v3_req extension, you also can't use v3 self-signed certs. v1 works, but it seems the requirements for v3 are a bit more strict.

I'll be pushing through an update that includes commands to create your own cert auth if you're not using an external one.