Fix reference to generating a private CA

Also fix a typo while here.

Change-Id: I65d058842fb1bdfccc41f5d7b5a175cdf4ef4969

doc/source/admin/tls.rst

@@ -286,8 +286,6 @@ disable verification of the backend certificate:
 
   kolla_verify_tls_backend: "no"
 
-.. _admin-tls-generating-a-private-ca:
-
 Generating TLS certificates with Let's Encrypt
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -308,7 +306,7 @@ to the HAProxy containers using SSH.
 
 .. note::
 
-  If ``letsencrypt_email`` is not valid email, letsencrypt role will
+  If ``letsencrypt_email`` is not a valid email, the ``letsencrypt`` role will
   not work correctly.
 
 .. note::
@@ -332,6 +330,8 @@ certificate requests.
   ``letsencrypt_internal_cert_server`` is reachable from the controller
   if you configure it for internal certificate requests.
 
+.. _admin-tls-generating-a-private-ca:
+
 Generating a Private Certificate Authority
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~