Bug 1576965 - SSL/TLS CERTIFICATE CONFIGURATION for undercloud needs clarification
Summary: SSL/TLS CERTIFICATE CONFIGURATION for undercloud needs clarification
Status: NEW
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: RHOS Documentation Team
QA Contact: RHOS Documentation Team
Depends On:
TreeView+ depends on / blocked
Reported: 2018-05-10 20:56 UTC by Chris Fields
Modified: 2020-06-08 05:11 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:

Attachments (Terms of Use)

Description Chris Fields 2018-05-10 20:56:17 UTC
Description of problem:

"APPENDIX A. SSL/TLS CERTIFICATE CONFIGURATION" of the "Director Installation and Usage Guide" [1] needs some clarification.  I had a customer work through this and could not make it work.  Here is the additional details that I suggest as a result of what was not working for my customer: 

1) undercloud.conf should not have either 'generate_service_certificate' or 'certificate_generation_ca' set.  If they exist they should be removed because the instructions as stated won't work with those parameters set.  

2) The only properties that *must* be set are (for example): 

stateOrProvinceName_default = Minnesota
commonName_default	    =

The doc as written is non-specific about what parameters *must* be set which causes confusion.  

Also, the openssl.cnf that ships with the 10z7 release of OSP 10 does not have 'commonName_default' - it must be added.  

3) My customer was retro fitting this into an already deployed undercloud. He did not realize he needed to do an 'openstack undercloud install' to install this configuration.  There should be a note to that effect in this appendix also.    

[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/director_installation_and_usage/appe-ssltls_certificate_configuration 

Version-Release number of selected component (if applicable):

OSP 10

How reproducible:


Steps to Reproduce:
1. Put  'generate_service_certificate = true' and 'certificate_generation_ca = local'in undercloud.conf
2. Follow the instructions as written

Actual results:

'openstack undercloud install' fails (if done)

Expected results:

'openstack undercloud install' succeeds and enables ssl on undercloud public endpoints.  
Additional info:

Note You need to log in before you can comment on or make changes to this bug.