Bug 1576965 - SSL/TLS CERTIFICATE CONFIGURATION for undercloud needs clarification
Summary: SSL/TLS CERTIFICATE CONFIGURATION for undercloud needs clarification
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 16.1 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Dan Macpherson
QA Contact: RHOS Documentation Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-05-10 20:56 UTC by Chris Fields
Modified: 2021-06-10 16:08 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-04-10 16:37:29 UTC
Target Upstream Version:



Description Chris Fields 2018-05-10 20:56:17 UTC
Description of problem:

"APPENDIX A. SSL/TLS CERTIFICATE CONFIGURATION" of the "Director Installation and Usage Guide" [1] needs some clarification. I had a customer work through this and could not make it work. Here are the additional details that I suggest as a result of what was not working for my customer:

1) undercloud.conf should not have either 'generate_service_certificate' or 'certificate_generation_ca' set.  If they exist they should be removed because the instructions as stated won't work with those parameters set.  

2) The only properties that *must* be set are (for example): 

stateOrProvinceName_default = Minnesota
commonName_default          = 192.168.24.2

The doc as written is non-specific about what parameters *must* be set which causes confusion.  

Also, the openssl.cnf that ships with the 10z7 release of OSP 10 does not have 'commonName_default' - it must be added.  

3) My customer was retrofitting this into an already deployed undercloud. He did not realize he needed to do an 'openstack undercloud install' to install this configuration. There should be a note to that effect in this appendix also.

[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/director_installation_and_usage/appe-ssltls_certificate_configuration 

Version-Release number of selected component (if applicable):

OSP 10

How reproducible:

100%

Steps to Reproduce:
1. Put 'generate_service_certificate = true' and 'certificate_generation_ca = local' in undercloud.conf
2. Follow the instructions as written
3. 

Actual results:

'openstack undercloud install' fails (if done)

Expected results:

'openstack undercloud install' succeeds and enables ssl on undercloud public endpoints.

Additional info:

Comment 2 Dan Macpherson 2021-03-03 13:08:35 UTC
A lot of these suggestions could also apply to more recent versions of our docs. Changing the version and scoping the following:

1. Add a note to the following section regarding the use of 'generate_service_certificate' and 'certificate_generation_ca':

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.1/html/director_installation_and_usage/configuring-custom-ssl-tls-certificates

Basically, customers should not set these params if generating their own certificate manually.

2. Add a note to the following section to refer to openssl config documentation for more in-depth information about openssl.conf:

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.1/html/director_installation_and_usage/configuring-custom-ssl-tls-certificates#creating-an-ssl-tls-certificate-signing-request

The command to view the openssl config doc is "man -S5 config".

I'm hesitant to advocate for what openssl params are required and what are not because:

a) That's really outside the scope of OSP documentation
b) The example in the docs has been tested and has been verified as working in the field
c) If a customer is really concerned about ssl/tls certification, they should get their certificates signed by a trusted CA, not generate their own CA
d) If a customer just wants to use a local cert but doesn't know much about openssl or what to set in their openssl.conf, it might be easier to use 'generate_service_certificate' and 'certificate_generation_ca' to auto-generate the certs
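The points raised in the description (items 1 to 3) and in item 1 of Comment 2 boil down to a pre-flight check an operator can run before 'openstack undercloud install': undercloud.conf must not carry 'generate_service_certificate' or 'certificate_generation_ca' when the certificate is generated manually, and openssl.cnf must define 'commonName_default' (set to the undercloud public endpoint) and 'stateOrProvinceName_default'. The script below is an added example that is not part of this bug report or of Red Hat's documentation. The file contents it inspects are constructed samples; the function names, the constant names and the 'local_ip' line in the sample are this example's own choices, and the expected common name (192.168.24.2, the value used in the description) is passed in as an argument rather than derived from undercloud.conf.

```python
"""Pre-flight check for a manually supplied undercloud SSL/TLS certificate.

Added example (not from the bug report or the product documentation). It
verifies the two files the report discusses before 'openstack undercloud
install' is run:
  - undercloud.conf must NOT set generate_service_certificate or
    certificate_generation_ca when the operator supplies their own cert;
  - openssl.cnf must define stateOrProvinceName_default and
    commonName_default, and the CN must be the undercloud public endpoint.
All sample file contents below are constructed for this example.
"""
import configparser
import re

# Parameters that conflict with a manually generated certificate (per the report).
AUTOGEN_PARAMS = ("generate_service_certificate", "certificate_generation_ca")
# openssl.cnf defaults the report says must be present in [req_distinguished_name].
REQUIRED_DEFAULTS = ("stateOrProvinceName_default", "commonName_default")


def check_undercloud_conf(text):
    """Return a list of problems found in undercloud.conf (empty list means OK)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    default = cfg["DEFAULT"]          # undercloud.conf keeps its settings in [DEFAULT]
    problems = []
    for key in AUTOGEN_PARAMS:
        if key in default:            # commented-out lines are ignored by configparser
            problems.append(
                f"undercloud.conf sets {key} = {default[key]}; "
                "remove it when supplying your own certificate")
    return problems


def check_openssl_cnf(text, expected_cn):
    """Return problems in openssl.cnf: missing *_default keys or a CN that does
    not match the undercloud public endpoint."""
    # openssl.cnf is INI-like but repeats keys across sections, so scan only the
    # [req_distinguished_name] section by hand instead of using configparser.
    section, found = None, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"\[\s*(\S+)\s*\]", line)   # section header, e.g. "[ req ]"
        if m:
            section = m.group(1)
            continue
        if section == "req_distinguished_name" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            found[key] = value
    problems = []
    for key in REQUIRED_DEFAULTS:
        if key not in found:
            problems.append(f"openssl.cnf [req_distinguished_name] lacks {key}; add it")
    cn = found.get("commonName_default")
    if cn is not None and cn != expected_cn:
        problems.append(f"commonName_default is {cn!r} but the undercloud "
                        f"public endpoint is {expected_cn!r}")
    return problems


def preflight(undercloud_conf, openssl_cnf, expected_cn):
    """Run both checks; returns (ok, list_of_problems)."""
    problems = check_undercloud_conf(undercloud_conf) + check_openssl_cnf(openssl_cnf, expected_cn)
    return (not problems, problems)


# Constructed sample: the failing combination from "Steps to Reproduce".
BAD_UNDERCLOUD_CONF = """\
[DEFAULT]
local_ip = 192.168.24.1/24
generate_service_certificate = true
certificate_generation_ca = local
"""

# Constructed sample: the same file with the auto-generation parameters removed.
GOOD_UNDERCLOUD_CONF = """\
[DEFAULT]
local_ip = 192.168.24.1/24
"""

# Constructed sample: a stock-looking req section with no commonName_default.
STOCK_OPENSSL_CNF = """\
[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName_default = AU
stateOrProvinceName_default = Minnesota
"""

# Constructed sample: the same file with commonName_default added as the report suggests.
FIXED_OPENSSL_CNF = STOCK_OPENSSL_CNF + "commonName_default = 192.168.24.2\n"

if __name__ == "__main__":
    for label, uc, oc in (("as reported", BAD_UNDERCLOUD_CONF, STOCK_OPENSSL_CNF),
                          ("after fixes", GOOD_UNDERCLOUD_CONF, FIXED_OPENSSL_CNF)):
        ok, problems = preflight(uc, oc, "192.168.24.2")
        print(f"{label}: {'OK' if ok else 'NOT READY'}")
        for p in problems:
            print("  -", p)
```

Run against the "as reported" pair the check flags both undercloud.conf parameters and the missing commonName_default; against the corrected pair it reports nothing, which is the state in which 'openstack undercloud install' is expected to succeed. Reading the real files is a matter of replacing the sample strings with the contents of /etc/pki/tls/openssl.cnf (or wherever the working copy lives) and the stack user's undercloud.conf.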

Comment 4 Dan Macpherson 2021-04-10 16:37:29 UTC
A fix for this issue has been pushed to our documentation and published on the customer portal. If this issue has not been properly resolved, please feel free to reopen this BZ and let us know your concern.

