Description of problem:
"APPENDIX A. SSL/TLS CERTIFICATE CONFIGURATION" of the "Director Installation and Usage Guide" needs some clarification. I had a customer work through this and could not make it work. Here are the additional details that I suggest as a result of what was not working for my customer:
1) undercloud.conf should not have either 'generate_service_certificate' or 'certificate_generation_ca' set. If they exist they should be removed because the instructions as stated won't work with those parameters set.
2) The only properties that *must* be set are (for example):
stateOrProvinceName_default = Minnesota
commonName_default = 192.168.24.2
The doc as written is non-specific about what parameters *must* be set which causes confusion.
Also, the openssl.cnf that ships with the 10z7 release of OSP 10 does not have 'commonName_default' - it must be added.
3) My customer was retrofitting this into an already deployed undercloud. He did not realize he needed to do an 'openstack undercloud install' to install this configuration. There should be a note to that effect in this appendix also.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Put 'generate_service_certificate = true' and 'certificate_generation_ca = local' in undercloud.conf
2. Follow the instructions as written
Actual results:
'openstack undercloud install' fails (if done)
Expected results:
'openstack undercloud install' succeeds and enables ssl on undercloud public endpoints.
A lot of these suggestions could also apply to more recent versions of our docs. Changing the version and scoping the following:
1. Add a note to the following section regarding the use of 'generate_service_certificate' and 'certificate_generation_ca':
Basically, customers should not set these params if generating their own certificate manually.
2. Add a note to the following section to refer to openssl config documentation for a more in-depth information about openssl.conf:
The command to view the openssl config doc is "man -S5 config".
I'm hesitant to advocate for what openssl params are required and what are not because:
a) That's really outside the scope of OSP documentation
b) The example in the docs has been tested and has been verified as working in the field
c) If a customer is really concerned about ssl/tls certification, they should get their certificates signed by a trusted CA, not generate their own CA
d) If a customer just wants to use a local cert but doesn't know much about openssl or what to set in their openssl.conf, it might be easier to use 'generate_service_certificate' and 'certificate_generation_ca' to auto-generate the certs
A fix for this issue has been pushed to our documentation and published on the customer portal. If this issue has not been properly resolved, please feel free to reopen this BZ and let us know your concern.