<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hello Jonathan,<div class=""><br class=""></div><div class="">Thanks for the tips. It is interesting that you point this out; it was indeed one of my concerns. If I understood the process correctly, Certbot will run on each HAProxy node and request LetsEncrypt to issue a certificate on each node. This means that we request many certificates for the same domain (for instance <a href="http://openstack.example.com" class="">openstack.example.com</a>). This must impact the following rate limit of LetsEncrypt:</div><div class=""><br class=""></div><div class="">"Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Exceeding the Duplicate Certificate limit is reported with the error message too many certificates already issued for exact set of domains." <i class="">LetsEncrypt Website</i></div><div class=""><i class=""><br class=""></i></div><div class=""><span style="font-style: normal;" class="">Does that mean that the deployment is limited to 5 HAProxy nodes? Normally we are safe though, we have 3.</span></div><div class=""><span style="font-style: normal;" class=""><br class=""></span></div><div class="">Concerning the timeout values, we’ll make sure to check them out. We’ll upgrade to Wallaby or Xena by the end of the year in any case.</div><div class=""><br class=""></div><div class="">Thanks,</div><div class="">Marc-Antoine<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 22 Feb 2022 at 10:35, Jonathan Rosser <<a href="mailto:jonathan.rosser@rd.bbc.co.uk" class="">jonathan.rosser@rd.bbc.co.uk</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
  
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
  
  <div class=""><p class="">Hi Marc-Antione,</p><p class="">No problem. I would recommend adding --staging to
      haproxy_ssl_letsencrypt_setup_extra_params whilst you get the
      letsencrypt support working. You will not get a proper certificate
      with that flag but it will bypass the letsencrypt rate limit so
      you can have as many tests as you need.<br class="">
    </p><p class="">It would be also worth checking the timeout values on later
      branches, Ussuri is now in extended-maintenance so not receiving
      back ported bug fixes.</p><p class="">See for example
<a class="moz-txt-link-freetext" href="https://github.com/openstack/openstack-ansible/blob/stable/xena/inventory/group_vars/haproxy/haproxy.yml#L248-L258">https://github.com/openstack/openstack-ansible/blob/stable/xena/inventory/group_vars/haproxy/haproxy.yml#L248-L258</a><br class="">
      <br class="">
    </p>
    <div class="moz-cite-prefix">On 21/02/2022 18:51, Marc-Antoine Godde
      wrote:<br class="">
    </div>
    <blockquote type="cite" cite="mid:258D844F-72E6-415A-A7CA-858491021DD8@viarezo.fr" class="">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
      Thanks for your huge help. It’s exactly what we wanted to try.
      We’ll feel more confident.
      <div class=""><br class="">
      </div>
      <div class="">Best,</div>
      <div class="">Marc-Antoine<br class="">
        <div class=""><br class="">
        </div>
        <div class=""><br class="">
          <div class=""><br class="">
            <blockquote type="cite" class="">
              <div class="">Le 21 févr. 2022 à 18:52, Jonathan Rosser
                <<a href="mailto:jonathan.rosser@rd.bbc.co.uk" class="moz-txt-link-freetext" moz-do-not-send="true">jonathan.rosser@rd.bbc.co.uk</a>>
                a écrit :</div>
              <br class="Apple-interchange-newline">
              <div class="">
                <meta http-equiv="Content-Type" content="text/html;
                  charset=UTF-8" class="">
                <div class=""><p class="">Hi Marc-Antoine,</p><p class="">For setting the horizon acl, see
                    <a class="moz-txt-link-freetext" href="https://docs.openstack.org/openstack-ansible/ussuri/user/security/index.html" moz-do-not-send="true">https://docs.openstack.org/openstack-ansible/ussuri/user/security/index.html</a></p><p class="">Specifically:</p><p class="">"Copy the whole variable
                    haproxy_default_services from
                    /opt/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml
                    to
                    /etc/openstack_deploy/group_vars/haproxy/haproxy_all.yml
                    and update the section for horizon to include the
                    ACL redirects http-01 challenges to the HAProxy
                    letsencrypt backend as follows: ......"</p><p class="">It is correct that this is not necessary
                    in later releases and the letsencrypt support is
                    more straightforward to configure in Victoria.</p><p class="">You can also join #openstack-ansible IRC
                    channel for some real-time help if needed.</p><p class="">Jonathan.<br class="">
                  </p>
                  <div class="moz-cite-prefix">On 21/02/2022 17:25,
                    Marc-Antoine Godde wrote:<br class="">
                  </div>
                  <blockquote type="cite" cite="mid:D307F242-6045-4062-B78E-81DA7CBBBD7B@viarezo.fr" class="">
                    <meta http-equiv="Content-Type" content="text/html;
                      charset=UTF-8" class="">
                    Hello,
                    <div class=""><br class="">
                    </div>
                    <div class="">I have a question on how to setup
                      LetsEncrypt with OpenStack Ansible. We are still
                      on OpenStack Ussuri.</div>
                    <div class=""><br class="">
                    </div>
                    <div class="">We added the following variables to
                      user_variables.yml.</div>
                    <div class="">
                      <div class=""><br class="">
                      </div>
                      <div class=""><span style="caret-color: rgb(0, 0,
                          0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">====</span></div>
                      <div class="">haproxy_ssl_letsencrypt_enable: True</div>
                      <div class="">haproxy_ssl_letsencrypt_install_method:
                        "distro"</div>
                      <div class="">haproxy_ssl_letsencrypt_setup_extra_params:
                        "--http-01-address {{ ansible_host }}
                        --http-01-port 8888"</div>
                      <div class="">haproxy_ssl_letsencrypt_email: <a href="mailto:email@example.com" class="moz-txt-link-freetext" moz-do-not-send="true">email@example.com</a></div>
                      <div class="">haproxy_interval: 2000</div>
                      <div class=""><br class="">
                      </div>
                      <div class="">user avatar user avatar </div>
                      <div class="">haproxy_extra_services:</div>
                      <div class="">  # an internal only service for
                        acme-challenge whose backend is certbot on the
                        haproxy host</div>
                      <div class="">  - service:</div>
                      <div class="">      haproxy_service_name:
                        letsencrypt</div>
                      <div class="">      haproxy_backend_nodes:</div>
                      <div class="">        - name: localhost</div>
                      <div class="">          ip_addr: {{ ansible_host
                        }}                        #certbot binds to the
                        internal IP</div>
                      <div class="">      backend_rise: 1              
                                                 #quick rise and fall
                        time for multinode deployment to succeed</div>
                      <div class="">      backend_fall: 2</div>
                      <div class="">      haproxy_bind:</div>
                      <div class="">        - 127.0.0.1                
                                                 #bind to 127.0.0.1 as
                        the local internal address  will be used by
                        certbot</div>
                      <div class="">      haproxy_port: 8888            
                                                #certbot is configured
                        with http-01-port to be 8888</div>
                      <div class="">      haproxy_balance_type: http</div>
                    </div>
                    <div class=""><span style="caret-color: rgb(0, 0,
                        0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">====</span></div>
                    <div class=""><span style="caret-color: rgb(0, 0,
                        0);" class=""><br class="">
                      </span></div>
                    <div class=""><font class="">Yet, Horizon config for
                        HAproxy is already defined in the default vars (<a href="https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml" style="caret-color: rgb(0, 0, 0);" class="moz-txt-link-freetext" moz-do-not-send="true">https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml</a>)
                        and we don’t know where ta add the required ACL
                        to redirect the traffic from 80 port to 8888:</font></div>
                    <div class=""><font class=""><br class="">
                      </font></div>
                    <div class=""><span style="caret-color: rgb(0, 0,
                        0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span><span style="caret-color: rgb(0, 0, 0);" class="">======</span></div>
                    <div class="">
                      <div class="">haproxy_frontend_acls:              
                                          #use a frontend ACL specify
                        the backend to use for acme-challenge</div>
                      <div class="">  letsencrypt-acl:</div>
                      <div class="">    rule: "path_beg
                        /.well-known/acme-challenge/"</div>
                      <div class="">    backend_name: letsencrypt</div>
                    </div>
                    <div class=""><font class="">
                        <div class="">====================================</div>
                        <div class=""><br class="">
                        </div>
                        <div class="">We know that this is fixed in
                          OpenStack Ansible Victoria. Is it possible
                          with Ussuri tho ?</div>
                        <div class=""><br class="">
                        </div>
                        <div class="">Many thanks,</div>
                        <div class="">Best,</div>
                        <div class="">Marc-Antoine Godde</div>
                        <div class=""><br class="">
                        </div>
                        <div class=""><br class="">
                        </div>
                      </font></div>
                  </blockquote>
                </div>
              </div>
            </blockquote>
          </div>
          <br class="">
        </div>
      </div>
    </blockquote>
  </div>

</div></blockquote></div><br class=""></div></body></html>
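The rate-limit arithmetic discussed at the top of this thread (one certbot per HAProxy node, each requesting the same exact domain set, against a duplicate-certificate limit of 5 per rolling week), as an added example that is not part of the thread or of openstack-ansible. The limit and window are the values quoted in the thread; the issuance timestamps and the node count are constructed, and `uses_staging` only inspects the string that would be passed as `haproxy_ssl_letsencrypt_setup_extra_params`.

```python
"""Rate-limit arithmetic for running certbot on every HAProxy node.

Added example; the issuance timestamps below are constructed, not real data.
Limit values are those quoted in the thread: 5 duplicate certificates
(same exact set of domains) per rolling 7-day window.
"""
import shlex
from datetime import datetime, timedelta

DUPLICATE_CERT_LIMIT = 5
WINDOW = timedelta(days=7)


def issuances_in_window(issued_at, now, window=WINDOW):
    """Count issuances for one exact domain set inside the window ending at `now`."""
    return sum(1 for t in issued_at if now - window < t <= now)


def remaining_issuances(issued_at, now, limit=DUPLICATE_CERT_LIMIT):
    """How many further certificates for this exact domain set fit right now."""
    return max(0, limit - issuances_in_window(issued_at, now))


def next_slot(issued_at, now, limit=DUPLICATE_CERT_LIMIT, window=WINDOW):
    """Earliest time another issuance fits; `now` if one already fits.

    Otherwise enough of the oldest in-window issuances must age out of the
    rolling window for the count to drop below the limit.
    """
    in_window = sorted(t for t in issued_at if now - window < t <= now)
    if len(in_window) < limit:
        return now
    return in_window[len(in_window) - limit] + window


def cluster_fits(node_count, renewals_per_node_per_week=1, limit=DUPLICATE_CERT_LIMIT):
    """True if N nodes, each obtaining its own copy of the same certificate,
    stay within the duplicate-certificate limit over one week."""
    return node_count * renewals_per_node_per_week <= limit


def uses_staging(extra_params):
    """True if the certbot argument string (the value that would go into
    haproxy_ssl_letsencrypt_setup_extra_params) selects the staging CA,
    which the thread recommends while testing so production limits are not consumed."""
    return "--staging" in shlex.split(extra_params)


# Constructed sample: three HAProxy nodes each requested openstack.example.com
# within minutes of each other on the first deployment run.
NOW = datetime(2022, 2, 22, 10, 35)
FIRST_DEPLOY = [datetime(2022, 2, 21, 17, 0) + timedelta(minutes=5 * i) for i in range(3)]
# Constructed sample: one issuance per day for the last five days (limit reached),
# and the same plus one more a day earlier (limit exceeded).
FIVE_DAILY = [NOW - timedelta(days=d) for d in (1, 2, 3, 4, 5)]
SIX_DAILY = FIVE_DAILY + [NOW - timedelta(days=6)]
STALE = [NOW - timedelta(days=8)]   # already outside the rolling window

if __name__ == "__main__":
    print("issued this week:", issuances_in_window(FIRST_DEPLOY, NOW))
    print("remaining:", remaining_issuances(FIRST_DEPLOY, NOW))
    print("next slot after five:", next_slot(FIVE_DAILY, NOW))
    print("3 nodes fit:", cluster_fits(3), "| 6 nodes fit:", cluster_fits(6))
    print("staging:", uses_staging("--http-01-address 10.0.0.5 --http-01-port 8888 --staging"))
```

With three nodes and one renewal each per week the deployment stays under the limit; a sixth node, or a failed deploy re-run that re-issues on every node, is what consumes the remaining slots, and `next_slot` tells you when the window frees up again.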