<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Thanks for your huge help. It’s exactly what we wanted to try. We’ll feel more confident.<div class=""><br class=""></div><div class="">Best,</div><div class="">Marc-Antoine<br class=""><div class=""><br class=""></div><div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 21 Feb 2022, at 18:52, Jonathan Rosser &lt;<a href="mailto:jonathan.rosser@rd.bbc.co.uk" class="">jonathan.rosser@rd.bbc.co.uk</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class="">
  
  
  <div class=""><p class="">Hi Marc-Antoine,</p><p class="">For setting the horizon acl, see
<a class="moz-txt-link-freetext" href="https://docs.openstack.org/openstack-ansible/ussuri/user/security/index.html">https://docs.openstack.org/openstack-ansible/ussuri/user/security/index.html</a></p><p class="">Specifically:</p><p class="">"Copy the whole variable haproxy_default_services from
      /opt/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml to
      /etc/openstack_deploy/group_vars/haproxy/haproxy_all.yml and
      update the section for horizon to include the ACL redirects
      http-01 challenges to the HAProxy letsencrypt backend as follows:
      ......"</p><p class="">It is correct that this is not necessary in later releases and
      the letsencrypt support is more straightforward to configure in
      Victoria.</p><p class="">You can also join #openstack-ansible IRC channel for some
      real-time help if needed.</p><p class="">Jonathan.<br class="">
    </p>
    <div class="moz-cite-prefix">On 21/02/2022 17:25, Marc-Antoine Godde
      wrote:<br class="">
    </div>
    <blockquote type="cite" cite="mid:D307F242-6045-4062-B78E-81DA7CBBBD7B@viarezo.fr" class="">
      Hello,
      <div class=""><br class="">
      </div>
      <div class="">I have a question on how to setup LetsEncrypt with
        OpenStack Ansible. We are still on OpenStack Ussuri.</div>
      <div class=""><br class="">
      </div>
      <div class="">We added the following variables to
        user_variables.yml.</div>
      <div class="">
        <div class=""><br class="">
        </div>
        <div class=""><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">====</span></div>
        <div class="">haproxy_ssl_letsencrypt_enable: True</div>
        <div class="">haproxy_ssl_letsencrypt_install_method: "distro"</div>
        <div class="">haproxy_ssl_letsencrypt_setup_extra_params:
          "--http-01-address {{ ansible_host }} --http-01-port 8888"</div>
        <div class="">haproxy_ssl_letsencrypt_email: <a href="mailto:email@example.com" class="moz-txt-link-freetext" moz-do-not-send="true">email@example.com</a></div>
        <div class="">haproxy_interval: 2000</div>
        <div class=""><br class="">
        </div>
        <div class="">haproxy_extra_services:</div>
        <div class="">  # an internal only service for acme-challenge
          whose backend is certbot on the haproxy host</div>
        <div class="">  - service:</div>
        <div class="">      haproxy_service_name: letsencrypt</div>
        <div class="">      haproxy_backend_nodes:</div>
        <div class="">        - name: localhost</div>
        <div class="">          ip_addr: "{{ ansible_host }}"            
                     #certbot binds to the internal IP</div>
        <div class="">      backend_rise: 1                            
                     #quick rise and fall time for multinode deployment
          to succeed</div>
        <div class="">      backend_fall: 2</div>
        <div class="">      haproxy_bind:</div>
        <div class="">        - 127.0.0.1                              
                     #bind to 127.0.0.1 as the local internal address
           will be used by certbot</div>
        <div class="">      haproxy_port: 8888                          
                    #certbot is configured with http-01-port to be 8888</div>
        <div class="">      haproxy_balance_type: http</div>
      </div>
      <div class=""><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">====</span></div>
      <div class=""><span style="caret-color: rgb(0, 0, 0);" class=""><br class="">
        </span></div>
      <div class=""><font class="">Yet, Horizon config
          for HAproxy is already defined in the default vars (<a href="https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml" style="caret-color: rgb(0, 0, 0);" class="moz-txt-link-freetext" moz-do-not-send="true">https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml</a>)
          and we don’t know where to add the required ACL to redirect
          the traffic from 80 port to 8888:</font></div>
      <div class=""><font class=""><br class="">
        </font></div>
      <div class=""><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span></div>
      <div class="">
        <div class="">haproxy_frontend_acls:                            
              #use a frontend ACL specify the backend to use for
          acme-challenge</div>
        <div class="">  letsencrypt-acl:</div>
        <div class="">    rule: "path_beg /.well-known/acme-challenge/"</div>
        <div class="">    backend_name: letsencrypt</div>
      </div>
      <div class=""><font class="">
          <div class="">====================================</div>
          <div class=""><br class="">
          </div>
          <div class="">We know that this is fixed in OpenStack Ansible
            Victoria. Is it possible with Ussuri tho ?</div>
          <div class=""><br class="">
          </div>
          <div class="">Many thanks,</div>
          <div class="">Best,</div>
          <div class="">Marc-Antoine Godde</div>
          <div class=""><br class="">
          </div>
          <div class=""><br class="">
          </div>
        </font></div>
    </blockquote>
  </div>

</div></blockquote></div><br class=""></div></div></body></html>