Bug 1608391 - TLS-Everywhere - Docs points to old deprecated templates
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Assignee: Roger Heslop
QA Contact: RHOS Documentation Team
Reported: 2018-07-25 12:33 UTC by Federico Iezzi
Modified: 2023-09-14 04:32 UTC (History)

Last Closed: 2020-03-20 19:38:19 UTC
Description Federico Iezzi 2018-07-25 12:33:58 UTC
Description of problem:
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/integrate_with_identity_service/idm-novajoin#configure_overcloud_to_use_novajoin

Those templates have been deprecated:

 - /usr/share/openstack-tripleo-heat-templates/environments/enable-internal-tls.yaml
 - /usr/share/openstack-tripleo-heat-templates/environments/tls-everywhere-endpoints-dns.yaml

And replaced respectively by:
 - /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml
 - /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml


The new enable-internal-tls.yaml has major differences.

Comment 1 Federico Iezzi 2018-07-25 15:06:53 UTC
The following one is also deprecated.
/usr/share/openstack-tripleo-heat-templates/environments/enable-tls.yaml

And replaced by this one:
/usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml

In the docs, "./tripleo-heat-templates/environments/enable-tls.yaml" is specifically mentioned, aka the deprecated version.

Comment 2 Oren Oichman 2018-08-15 12:24:30 UTC
Hi,
We sorted the configuration issue.

Now on the compute node the command:
openssl crl -in /etc/pki/CA/crl/overcloud-crl.bin -inform DER -outform PEM -out /etc/pki/CA/crl/overcloud-crl.pem
has completed successfully, but on the control node it failed with an error "unable to load CRL".
We noticed that the overcloud-crl.bin is a different file from the compute node.
The overcloud-crl.bin in the controller contains an HTML reference which an openssl error:

Problem Processing your request

The Certificate Manager encountered a problem while processing your request. the following is a detailed message of the error that occurred.
          you must select an option from the form.
please consult your local administrator for futher assistant . the Certificate System log may provide further information.

We deleted the configuration with

openstack overcloud delete --yes

and redeployed again. We hit the same errors, and this time on both nodes.
We are working with 3 IPA servers with multi-master replica, and the ipa-ca A record directs to all nodes.
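
Added example (not part of the bug report or of the product's own scripts): a pre-conversion check that tells a real DER CRL apart from an HTML error body like the one quoted in Comment 2, so a bad download is rejected before it reaches the PEM file. The function names are hypothetical and the demo file is constructed.

```shell
#!/bin/sh
# Added example. classify_crl/convert_crl/demo are hypothetical helper names.
# Usage: convert_crl /etc/pki/CA/crl/overcloud-crl.bin /etc/pki/CA/crl/overcloud-crl.pem

# Print a one-word classification; return 0 only for a parseable DER CRL.
classify_crl() {
    local f="$1" first
    [ -s "$f" ] || { echo "empty"; return 1; }

    # A DER-encoded CRL is an ASN.1 SEQUENCE, so its first byte is 0x30.
    first=$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$first" != "30" ]; then
        # An error page from the CA front end is text, usually with markup.
        if head -c 4096 "$f" | grep -qiE '<(html|!doctype|body|title)|Problem Processing'; then
            echo "html-error-page"
        else
            echo "not-der"
        fi
        return 1
    fi

    # Full structural check: let openssl parse the CRL without emitting it.
    if openssl crl -in "$f" -inform DER -noout 2>/dev/null; then
        echo "der-crl"; return 0
    fi
    echo "corrupt-der"; return 1
}

# Convert DER to PEM only after the check passes; write to a temporary
# file first so a failed run never replaces an existing good PEM.
convert_crl() {
    local bin="$1" pem="$2" kind
    kind=$(classify_crl "$bin") || { echo "refusing to convert $bin: $kind" >&2; return 1; }
    openssl crl -in "$bin" -inform DER -outform PEM -out "$pem.tmp" && mv "$pem.tmp" "$pem"
}

# Demo on a constructed file imitating the error page quoted in Comment 2.
demo() {
    local d rc
    d=$(mktemp -d)
    printf '<html><body>Problem Processing your request</body></html>\n' > "$d/overcloud-crl.bin"
    classify_crl "$d/overcloud-crl.bin"; rc=$?
    rm -rf "$d"; return $rc
}
```

Running the check on every node that fetches the CRL shows which ones received an error page instead of the CRL, as happened here first on the controller and then on both nodes.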

Comment 5 Roger Heslop 2020-03-20 19:38:19 UTC
Checked the linked documentation and all subsequent documentation on versions not deprecated.
All referenced paths point to the now valid /usr/share/openstack-tripleo-heat-templates/environments/ssl/ directory for tls template files.

Closing as CURRENT_RELEASE

Comment 6 Roger Heslop 2020-03-20 19:56:17 UTC
Checked the linked documentation and all subsequent documentation on versions not deprecated.
All referenced paths point to the now valid /usr/share/openstack-tripleo-heat-templates/environments/ssl/ directory for tls template files.

Closing as CURRENT_RELEASE

Comment 7 Red Hat Bugzilla 2023-09-14 04:32:05 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days