Description of problem:
https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/paged/director-installation-and-usage/appendix-a-ssl-tls-certificate-configuration has several related issues.

Version-Release number of selected component (if applicable):
OSPD 9

How reproducible:
100% of the time

Steps to Reproduce:
1. Start with a reimaged RHEL 7.2 machine.
2. Follow the steps in https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/paged/director-installation-and-usage/chapter-4-installing-the-undercloud#sect-Configuring_the_Director
3. This installs the undercloud. When you get to Section 4.6, go to Appendix A in order to set undercloud_service_certificate
4. Follow the steps in https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/paged/director-installation-and-usage/appendix-a-ssl-tls-certificate-configuration
5. When you get to Step A.5, this operation fails:

openssl ca -config openssl.cnf -extensions v3_req -days 3650 -in server.csr.pem -out server.crt.pem -cert ca.crt.pem

Actual results:
Using configuration from openssl.cnf
Error opening CA private key /etc/pki/CA/private/cakey.pem
139637833467808:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:fopen('/etc/pki/CA/private/cakey.pem','r')
139637833467808:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load CA private key

Expected results:
The openssl command should succeed.

Additional info:
Note that in order to work around this, several other issues popped up. First I ran the operation as sudo. It looked like a file was missing, so I put the expected file there by doing

sudo cp ca.key.pem /etc/pki/CA/private/cakey.pem

Note that the file did not have the same name as what I copied. I am not sure if this action is correct.
Then I got:

sudo openssl ca -config openssl.cnf -extensions v3_req -days 3650 -in server.csr.pem -out server.crt.pem -cert ca.crt.pem
Using configuration from openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'

So I did

sudo touch /etc/pki/CA/index.txt

I then got:

sudo openssl ca -config openssl.cnf -extensions v3_req -days 3650 -in server.csr.pem -out server.crt.pem -cert ca.crt.pem
Using configuration from openssl.cnf
unable to load number from /etc/pki/CA/serial
error while loading serial number
140664789718944:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:

So I did

sudo vi /etc/pki/CA/serial

and put a 1 in there. After that, things looked good:

sudo openssl ca -config openssl.cnf -extensions v3_req -days 3650 -in server.csr.pem -out server.crt.pem -cert ca.crt.pem
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 19 (0x13)
        Validity
            Not Before: Oct 15 02:10:33 2016 GMT
            Not After : Oct 13 02:10:33 2026 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            organizationName          = Red Hat
            organizationalUnitName    = Red Hat
            commonName                = 10.8.128.63
            emailAddress              = wusui
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                IP Address:10.8.128.63, DNS:10.8.128.63
Certificate is to be certified until Oct 13 02:10:33 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Merging BZ#1394452 with this BZ and taking it, since it's documentation-specific.

Comment from Warren:

Description of problem:
https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/single/director-installation-and-usage/#appe-SSLTLS_Certificate_Configuration appears to not be correct in a few places.

Version-Release number of selected component (if applicable):

How reproducible:
100% of the time

Steps to Reproduce:
1. Follow the instructions in the doc.

Actual results:
First off, all the issues in bugzilla 1385196 still happen in this case.

In addition, the openstack user could not write to /etc/pki/CA/newcerts. I manually changed its permission to 0777 (probably NOT recommended) just to work around the problem.

Also, there is a definite documentation error. The command:

openssl req -key ca.key.pem -new -x509 -days 7300 -extensions v3_ca -out ca.crt.pem

and the command

openssl ca -config openssl.cnf -extensions v3_req -days 3650 -in server.csr.pem -out server.crt.pem -cert ca.cert.pem

refer to a file as ca.crt.pem and ca.cert.pem -- I think that it should be ca.cert.pem because that's what the openstack undercloud install operation expects later.
*** Bug 1394453 has been marked as a duplicate of this bug. ***
*** This bug has been marked as a duplicate of bug 1389766 ***
Whoops, meant to be the other way around!
*** Bug 1389766 has been marked as a duplicate of this bug. ***
I've backported some of the components from OSP10's procedure and integrated them into OSP9's procedure. The published OSP9 doc is here:

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/9/html/director_installation_and_usage/appe-ssltls_certificate_configuration

Here is a list of things that have been updated:
1. Generation of the signing server files (index.txt and serial)
2. Missing --keyfile in the "openssl ca" file
3. The "openssl ca" command needs to be run as sudo
4. Corrected the cert names

Warren, how does the documentation above look now?
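The four items listed above (the index.txt/serial files, the explicit key file, the permission problem that forced sudo, and the ca.crt.pem/ca.cert.pem name mismatch) are all symptoms of running "openssl ca" against the system-wide /etc/pki/CA tree as an unprivileged user. The script below is an added example, not from the Red Hat documentation or from this bug, showing a self-contained CA directory in which "openssl ca" has everything it needs and signs a server CSR with an IP/DNS SAN like the one in the certificate output above. The directory layout under CA_DIR, the section names in the generated openssl.cnf, and the sample subject 192.0.2.10 / undercloud.example.test are constructed for the example; it only assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example (not from the Red Hat docs or this BZ): a private CA tree
# owned by the current user, so no sudo, no 0777 on newcerts, and no guessing
# at /etc/pki/CA/private/cakey.pem. CA_DIR and the hostnames are invented.
set -e

CA_DIR="${CA_DIR:-$(mktemp -d)}"

setup_ca_dir() {
    # the three things "openssl ca" refuses to run without: newcerts/, index.txt, serial
    mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $CA_DIR
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/ca.cert.pem
private_key   = \$dir/private/ca.key.pem
default_md    = sha256
policy        = policy_any
[ policy_any ]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = IP:192.0.2.10, DNS:undercloud.example.test
EOF
}

make_ca() {
    # one name (ca.cert.pem) used consistently for the CA certificate
    openssl genrsa -out "$CA_DIR/private/ca.key.pem" 2048 2>/dev/null
    openssl req -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/private/ca.key.pem" \
        -new -x509 -days 7300 -extensions v3_ca -out "$CA_DIR/ca.cert.pem"
}

make_server_csr() {
    openssl genrsa -out "$CA_DIR/server.key.pem" 2048 2>/dev/null
    openssl req -config "$CA_DIR/openssl.cnf" -new -key "$CA_DIR/server.key.pem" \
        -subj "/CN=192.0.2.10" -out "$CA_DIR/server.csr.pem"
}

sign_server_cert() {
    # -keyfile and -cert name the CA material explicitly; -batch skips the y/n prompts
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -extensions v3_req -days 3650 \
        -keyfile "$CA_DIR/private/ca.key.pem" -cert "$CA_DIR/ca.cert.pem" \
        -in "$CA_DIR/server.csr.pem" -out "$CA_DIR/server.crt.pem" 2>/dev/null
}

verify_chain() {
    openssl verify -CAfile "$CA_DIR/ca.cert.pem" "$CA_DIR/server.crt.pem" >/dev/null
}

san_of_server_cert() {
    # prints the SAN line, e.g. "IP Address:192.0.2.10, DNS:undercloud.example.test"
    openssl x509 -in "$CA_DIR/server.crt.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

run_demo() {
    setup_ca_dir
    make_ca
    make_server_csr
    sign_server_cert
    verify_chain
    echo "CA directory: $CA_DIR"
    echo "SAN:          $(san_of_server_cert)"
    echo "next serial:  $(cat "$CA_DIR/serial")"
}
```

Source the file and call run_demo (or set CA_DIR first to keep the output somewhere permanent). After a successful signing, index.txt gains one entry, serial is bumped from 01 to 02, and newcerts/01.pem holds a copy of the issued certificate; those side effects are exactly why the system tree in /etc/pki/CA has to be writable by whoever runs the command, and keeping the CA in a user-owned directory removes that requirement.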
No response in over a month. Closing this BZ, but if further changes are required, please feel free to reopen.
The doc changes look good.
Thanks, Warren!