<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Marc-Antoine,</p>
<p>No problem. I would recommend adding --staging to
haproxy_ssl_letsencrypt_setup_extra_params whilst you get the
letsencrypt support working. You will not get a proper certificate
with that flag but it will bypass the letsencrypt rate limit so
you can have as many tests as you need.<br>
</p>
<p>It would also be worth checking the timeout values on later
branches; Ussuri is now in extended maintenance, so it is not receiving
backported bug fixes.</p>
<p>See for example
<a class="moz-txt-link-freetext" href="https://github.com/openstack/openstack-ansible/blob/stable/xena/inventory/group_vars/haproxy/haproxy.yml#L248-L258">https://github.com/openstack/openstack-ansible/blob/stable/xena/inventory/group_vars/haproxy/haproxy.yml#L248-L258</a><br>
<br>
</p>
<div class="moz-cite-prefix">On 21/02/2022 18:51, Marc-Antoine Godde
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:258D844F-72E6-415A-A7CA-858491021DD8@viarezo.fr">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
Thanks for your huge help. It’s exactly what we wanted to try.
We’ll feel more confident.
<div class=""><br class="">
</div>
<div class="">Best,</div>
<div class="">Marc-Antoine<br class="">
<div class=""><br class="">
</div>
<div class=""><br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">Le 21 févr. 2022 à 18:52, Jonathan Rosser
<<a href="mailto:jonathan.rosser@rd.bbc.co.uk"
class="moz-txt-link-freetext" moz-do-not-send="true">jonathan.rosser@rd.bbc.co.uk</a>>
a écrit :</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
<div class="">
<p class="">Hi Marc-Antoine,</p>
<p class="">For setting the horizon acl, see
<a class="moz-txt-link-freetext"
href="https://docs.openstack.org/openstack-ansible/ussuri/user/security/index.html"
moz-do-not-send="true">https://docs.openstack.org/openstack-ansible/ussuri/user/security/index.html</a></p>
<p class="">Specifically:</p>
<p class="">"Copy the whole variable
haproxy_default_services from
/opt/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml
to
/etc/openstack_deploy/group_vars/haproxy/haproxy_all.yml
and update the section for horizon to include the
ACL redirects http-01 challenges to the HAProxy
letsencrypt backend as follows: ......"</p>
<p class="">It is correct that this is not necessary
in later releases and the letsencrypt support is
more straightforward to configure in Victoria.</p>
<p class="">You can also join #openstack-ansible IRC
channel for some real-time help if needed.</p>
<p class="">Jonathan.<br class="">
</p>
<div class="moz-cite-prefix">On 21/02/2022 17:25,
Marc-Antoine Godde wrote:<br class="">
</div>
<blockquote type="cite"
cite="mid:D307F242-6045-4062-B78E-81DA7CBBBD7B@viarezo.fr"
class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
Hello,
<div class=""><br class="">
</div>
<div class="">I have a question on how to setup
LetsEncrypt with OpenStack Ansible. We are still
on OpenStack Ussuri.</div>
<div class=""><br class="">
</div>
<div class="">We added the following variables to
user_variables.yml.</div>
<div class="">
<div class=""><br class="">
</div>
<div class=""><span style="caret-color: rgb(0, 0,
0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">====</span></div>
<div class="">haproxy_ssl_letsencrypt_enable: True</div>
<div class="">haproxy_ssl_letsencrypt_install_method:
"distro"</div>
<div class="">haproxy_ssl_letsencrypt_setup_extra_params:
"--http-01-address {{ ansible_host }}
--http-01-port 8888"</div>
<div class="">haproxy_ssl_letsencrypt_email: <a
href="mailto:email@example.com"
class="moz-txt-link-freetext"
moz-do-not-send="true">email@example.com</a></div>
<div class="">haproxy_interval: 2000</div>
<div class=""><br class="">
</div>
<div class="">user avatar user avatar </div>
<div class="">haproxy_extra_services:</div>
<div class=""> # an internal only service for
acme-challenge whose backend is certbot on the
haproxy host</div>
<div class=""> - service:</div>
<div class=""> haproxy_service_name:
letsencrypt</div>
<div class=""> haproxy_backend_nodes:</div>
<div class=""> - name: localhost</div>
<div class=""> ip_addr: {{ ansible_host
}} #certbot binds to the
internal IP</div>
<div class=""> backend_rise: 1
#quick rise and fall
time for multinode deployment to succeed</div>
<div class=""> backend_fall: 2</div>
<div class=""> haproxy_bind:</div>
<div class=""> - 127.0.0.1
#bind to 127.0.0.1 as
the local internal address will be used by
certbot</div>
<div class=""> haproxy_port: 8888
#certbot is configured
with http-01-port to be 8888</div>
<div class=""> haproxy_balance_type: http</div>
</div>
<div class=""><span style="caret-color: rgb(0, 0,
0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">====</span></div>
<div class=""><span style="caret-color: rgb(0, 0,
0);" class=""><br class="">
</span></div>
<div class=""><font class="">Yet, Horizon config for
HAproxy is already defined in the default vars (<a
href="https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml"
style="caret-color: rgb(0, 0, 0);"
class="moz-txt-link-freetext"
moz-do-not-send="true">https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml</a>)
and we don’t know where to add the required ACL
to redirect the traffic from port 80 to 8888:</font></div>
<div class=""><font class=""><br class="">
</font></div>
<div class=""><span style="caret-color: rgb(0, 0,
0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);" class="">======</span></div>
<div class="">
<div class="">haproxy_frontend_acls:
#use a frontend ACL specify
the backend to use for acme-challenge</div>
<div class=""> letsencrypt-acl:</div>
<div class=""> rule: "path_beg
/.well-known/acme-challenge/"</div>
<div class=""> backend_name: letsencrypt</div>
</div>
<div class=""><font class="">
<div class="">====================================</div>
<div class=""><br class="">
</div>
<div class="">We know that this is fixed in
OpenStack Ansible Victoria. Is it possible
with Ussuri tho ?</div>
<div class=""><br class="">
</div>
<div class="">Many thanks,</div>
<div class="">Best,</div>
<div class="">Marc-Antoine Godde</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
</font></div>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
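<p>Added example, not part of this thread and not openstack-ansible's own code: a small Python script that carries out the override step Jonathan describes (copy the whole haproxy_default_services list and attach the ACL to the horizon entry, since group_vars replace a list variable wholesale rather than merging it) and then cross-checks the three pieces that have to agree for an http-01 challenge to reach certbot: a frontend ACL routing /.well-known/acme-challenge/ to the letsencrypt backend, that backend's haproxy_port matching certbot's --http-01-port, and the challenge listener binding loopback only. The trimmed service list and the backend addresses are constructed; the function names (build_override, certbot_option, is_staging, check_acme_wiring) are this example's own, not variables or tasks of the project.</p>

```python
import copy
import shlex

# Constructed stand-in for the openstack-ansible default variable
# haproxy_default_services, trimmed to two services with made-up addresses.
DEFAULT_SERVICES = [
    {"service": {"haproxy_service_name": "horizon", "haproxy_port": 443, "haproxy_ssl": True,
                 "haproxy_backend_nodes": [{"name": "infra1", "ip_addr": "172.29.236.10"}]}},
    {"service": {"haproxy_service_name": "keystone_service", "haproxy_port": 5000, "haproxy_ssl": True,
                 "haproxy_backend_nodes": [{"name": "infra1", "ip_addr": "172.29.236.10"}]}},
]

# The user_variables.yml values from the thread as Python literals, with
# --staging appended as suggested for testing against the staging CA.
SETUP_EXTRA_PARAMS = "--http-01-address {{ ansible_host }} --http-01-port 8888 --staging"

EXTRA_SERVICES = [
    {"service": {"haproxy_service_name": "letsencrypt", "haproxy_port": 8888, "haproxy_balance_type": "http",
                 "haproxy_bind": ["127.0.0.1"], "backend_rise": 1, "backend_fall": 2,
                 "haproxy_backend_nodes": [{"name": "localhost", "ip_addr": "{{ ansible_host }}"}]}},
]

ACME_ACL = {
    "letsencrypt-acl": {"rule": "path_beg /.well-known/acme-challenge/", "backend_name": "letsencrypt"},
}


def build_override(default_services, target="horizon", acls=ACME_ACL):
    """Deep-copy the whole service list and attach the ACLs to one service entry.

    Mirrors the documented step: copy all of haproxy_default_services into
    haproxy_all.yml and edit only the horizon section. Input is left untouched.
    """
    services = copy.deepcopy(default_services)
    for entry in services:
        svc = entry["service"]
        if svc.get("haproxy_service_name") == target:
            svc.setdefault("haproxy_frontend_acls", {}).update(copy.deepcopy(acls))
            return services
    raise KeyError(f"no service named {target!r} in the default list")


def certbot_option(params, flag):
    """Return the value that follows `flag` in a certbot argument string, else None."""
    args = shlex.split(params)
    for i, arg in enumerate(args):
        if arg == flag and i + 1 < len(args):
            return args[i + 1]
    return None


def is_staging(params):
    """True when certbot targets the staging CA (no rate limits, but untrusted certs)."""
    return "--staging" in shlex.split(params)


def check_acme_wiring(services, extra_services, params):
    """Return a list of inconsistencies between ACL, backend and certbot flags (empty = consistent)."""
    problems = []

    # 1. some frontend must route the challenge path to the 'letsencrypt' backend
    routed = any(
        acl.get("backend_name") == "letsencrypt"
        and acl.get("rule", "").startswith("path_beg /.well-known/acme-challenge/")
        for entry in services
        for acl in entry["service"].get("haproxy_frontend_acls", {}).values()
    )
    if not routed:
        problems.append("no frontend ACL routes /.well-known/acme-challenge/ to backend 'letsencrypt'")

    # 2. that backend must exist and listen on the port certbot was told to use
    le = next((e["service"] for e in extra_services
               if e["service"].get("haproxy_service_name") == "letsencrypt"), None)
    if le is None:
        problems.append("haproxy_extra_services defines no 'letsencrypt' service")
        return problems
    port = certbot_option(params, "--http-01-port")
    if port is None or int(port) != le.get("haproxy_port"):
        problems.append(f"certbot --http-01-port {port} does not match haproxy_port {le.get('haproxy_port')}")

    # 3. the challenge listener should bind loopback only; port 80 reaches it
    #    through the ACL, so a public bind is unnecessary exposure
    binds = le.get("haproxy_bind", [])
    if not binds or any(b != "127.0.0.1" for b in binds):
        problems.append(f"letsencrypt service binds {binds or 'all addresses'}, expected ['127.0.0.1']")
    return problems


if __name__ == "__main__":
    override = build_override(DEFAULT_SERVICES)
    print("staging CA:", is_staging(SETUP_EXTRA_PARAMS))
    print("problems:", check_acme_wiring(override, EXTRA_SERVICES, SETUP_EXTRA_PARAMS) or "none")
```

<p>Run as a script it prints the findings; pointing check_acme_wiring at the unmodified DEFAULT_SERVICES reports the missing ACL, which is exactly the state the original question describes, while a mismatched --http-01-port or a letsencrypt listener bound to a non-loopback address each produce their own finding.</p>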
</body>
</html>