<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hello,<div class=""><br class=""></div><div class="">I have a question on how to setup LetsEncrypt with OpenStack Ansible. We are still on OpenStack Ussuri.</div><div class=""><br class=""></div><div class="">We added the following variables to user_variables.yml.</div><div class=""><div class=""><br class=""></div><div class=""><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">====</span></div><div class="">haproxy_ssl_letsencrypt_enable: True</div><div class="">haproxy_ssl_letsencrypt_install_method: "distro"</div><div class="">haproxy_ssl_letsencrypt_setup_extra_params: "--http-01-address {{ ansible_host }} --http-01-port 8888"</div><div class="">haproxy_ssl_letsencrypt_email: <a href="mailto:email@example.com" class="">email@example.com</a></div><div class="">haproxy_interval: 2000</div><div class=""><br class=""></div><div class="">user avatar user avatar </div><div class="">haproxy_extra_services:</div><div class=""> # an internal only service for acme-challenge whose backend is certbot on the haproxy host</div><div class=""> - service:</div><div class=""> haproxy_service_name: letsencrypt</div><div class=""> haproxy_backend_nodes:</div><div class=""> - name: localhost</div><div class=""> ip_addr: {{ ansible_host }} #certbot binds to the internal IP</div><div class=""> backend_rise: 1 #quick rise and fall time for multinode deployment to succeed</div><div class=""> backend_fall: 2</div><div class=""> haproxy_bind:</div><div class=""> - 127.0.0.1 #bind to 127.0.0.1 as the local internal address will be used by certbot</div><div class=""> haproxy_port: 8888 #certbot is configured with http-01-port to be 8888</div><div class=""> haproxy_balance_type: http</div></div><div class=""><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">====</span></div><div class=""><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class=""><br class=""></span></div><div class=""><font color="#000000" class="">Yet, Horizon config for HAproxy is already defined in the default vars (<a href="https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml" style="caret-color: rgb(0, 0, 0);" class="">https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml</a>) and we don’t know where ta add the required ACL to redirect the traffic from 80 port to 8888:</font></div><div class=""><font color="#000000" class=""><br class=""></font></div><div class=""><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">======</span></div><div class=""><div class="">haproxy_frontend_acls: #use a frontend ACL specify the backend to use for acme-challenge</div><div class=""> letsencrypt-acl:</div><div class=""> rule: "path_beg /.well-known/acme-challenge/"</div><div class=""> backend_name: letsencrypt</div></div><div class=""><font color="#000000" class=""><div class="">====================================</div><div class=""><br class=""></div><div class="">We know that this is fixed in OpenStack Ansible Victoria. Is it possible with Ussuri tho ?</div><div class=""><br class=""></div><div class="">Many thanks,</div><div class="">Best,</div><div class="">Marc-Antoine Godde</div><div class=""><br class=""></div><div class=""><br class=""></div></font></div></body></html>