<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Yes, in a standard deployment this would request 3 identical
      certificates which would be inside the rate limit.</p>
    <p>This keeps the complexity down and decouples the haproxy nodes
      from each other during the deployment. The compromise is
      requesting a fresh certificate per haproxy instance.</p>
    <p>In some situations it might be possible to add a haproxy instance
      specific additional domain name to each certificate by passing a
      templated value to haproxy_ssl_letsencrypt_setup_extra_params
      making each certificate unique. openstack-ansible exposes all of
      these role defaults for you to override through user_variables.yml
      as necessary.<br>
    </p>
    <blockquote type="cite"
      cite="mid:8C92B8B1-F0AF-4CB4-9C01-FD4BAA6BA913@viarezo.fr">
      <div class=""><i class=""><br class="">
        </i></div>
      <div class=""><span style="font-style: normal;" class="">Does that
          mean that the deployment is limited to 5 HAProxy nodes?
          Normally we are safe tho, we have 3.</span></div>
      <div class=""><span style="font-style: normal;" class=""><br
            class="">
        </span></div>
      <div class="">Concerning the timeout values, we’ll make sure to
        check them out. We’ll upgrade to Wallaby or Xena by the end of
        the year in any case.</div>
      <div class=""><br class="">
      </div>
      <div class="">Thanks,</div>
      <div class="">Marc-Antoine<br class="">
        <div><br class="">
          <blockquote type="cite" class="">
            <div class="">On 22 Feb 2022 at 10:35, Jonathan Rosser <<a
                href="mailto:jonathan.rosser@rd.bbc.co.uk"
                class="moz-txt-link-freetext" moz-do-not-send="true">jonathan.rosser@rd.bbc.co.uk</a>>
              wrote:</div>
            <br class="Apple-interchange-newline">
            <div class="">
              <meta http-equiv="Content-Type" content="text/html;
                charset=UTF-8" class="">
              <div class="">
                <p class="">Hi Marc-Antoine,</p>
                <p class="">No problem. I would recommend adding
                  --staging to
                  haproxy_ssl_letsencrypt_setup_extra_params whilst you
                  get the letsencrypt support working. You will not get
                  a proper certificate with that flag but it will bypass
                  the letsencrypt rate limit so you can have as many
                  tests as you need.<br class="">
                </p>
                <p class="">It would also be worth checking the timeout
                  values on later branches; Ussuri is now in
                  extended-maintenance so it is not receiving backported bug
                  fixes.</p>
                <p class="">See for example
                  <a class="moz-txt-link-freetext"
href="https://github.com/openstack/openstack-ansible/blob/stable/xena/inventory/group_vars/haproxy/haproxy.yml#L248-L258"
                    moz-do-not-send="true">https://github.com/openstack/openstack-ansible/blob/stable/xena/inventory/group_vars/haproxy/haproxy.yml#L248-L258</a><br
                    class="">
                  <br class="">
                </p>
                <div class="moz-cite-prefix">On 21/02/2022 18:51,
                  Marc-Antoine Godde wrote:<br class="">
                </div>
                <blockquote type="cite"
                  cite="mid:258D844F-72E6-415A-A7CA-858491021DD8@viarezo.fr"
                  class="">
                  <meta http-equiv="Content-Type" content="text/html;
                    charset=UTF-8" class="">
                  Thanks for your huge help. It’s exactly what we
                  wanted to try. We’ll feel more confident.
                  <div class=""><br class="">
                  </div>
                  <div class="">Best,</div>
                  <div class="">Marc-Antoine<br class="">
                    <div class=""><br class="">
                    </div>
                    <div class=""><br class="">
                      <div class=""><br class="">
                        <blockquote type="cite" class="">
                          <div class="">On 21 Feb 2022 at 18:52,
                            Jonathan Rosser <<a
                              href="mailto:jonathan.rosser@rd.bbc.co.uk"
                              class="moz-txt-link-freetext"
                              moz-do-not-send="true">jonathan.rosser@rd.bbc.co.uk</a>>
                            wrote:</div>
                          <br class="Apple-interchange-newline">
                          <div class="">
                            <meta http-equiv="Content-Type"
                              content="text/html; charset=UTF-8"
                              class="">
                            <div class="">
                              <p class="">Hi Marc-Antoine,</p>
                              <p class="">For setting the horizon acl,
                                see <a class="moz-txt-link-freetext"
href="https://docs.openstack.org/openstack-ansible/ussuri/user/security/index.html"
                                  moz-do-not-send="true">https://docs.openstack.org/openstack-ansible/ussuri/user/security/index.html</a></p>
                              <p class="">Specifically:</p>
                              <p class="">"Copy the whole variable
                                haproxy_default_services from
                                /opt/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml
                                to
                                /etc/openstack_deploy/group_vars/haproxy/haproxy_all.yml
                                and update the section for horizon to
                                include the ACL redirects http-01
                                challenges to the HAProxy letsencrypt
                                backend as follows: ......"</p>
                              <p class="">It is correct that this is not
                                necessary in later releases and the
                                letsencrypt support is more
                                straightforward to configure in
                                Victoria.</p>
                              <p class="">You can also join
                                #openstack-ansible IRC channel for some
                                real-time help if needed.</p>
                              <p class="">Jonathan.<br class="">
                              </p>
                              <div class="moz-cite-prefix">On 21/02/2022
                                17:25, Marc-Antoine Godde wrote:<br
                                  class="">
                              </div>
                              <blockquote type="cite"
                                cite="mid:D307F242-6045-4062-B78E-81DA7CBBBD7B@viarezo.fr"
                                class="">
                                <meta http-equiv="Content-Type"
                                  content="text/html; charset=UTF-8"
                                  class="">
                                Hello,
                                <div class=""><br class="">
                                </div>
                                <div class="">I have a question on how
                                  to setup LetsEncrypt with OpenStack
                                  Ansible. We are still on OpenStack
                                  Ussuri.</div>
                                <div class=""><br class="">
                                </div>
                                <div class="">We added the following
                                  variables to user_variables.yml.</div>
                                <div class="">
                                   <div class="">====================================</div>
                                   <pre>
haproxy_ssl_letsencrypt_enable: True
haproxy_ssl_letsencrypt_install_method: "distro"
haproxy_ssl_letsencrypt_setup_extra_params: "--http-01-address {{ ansible_host }} --http-01-port 8888"
haproxy_ssl_letsencrypt_email: email@example.com
haproxy_interval: 2000

haproxy_extra_services:
  # an internal only service for acme-challenge whose backend is certbot on the haproxy host
  - service:
      haproxy_service_name: letsencrypt
      haproxy_backend_nodes:
        - name: localhost
          ip_addr: "{{ ansible_host }}"   # certbot binds to the internal IP (the Jinja expression must be quoted to be valid YAML)
      backend_rise: 1                   # quick rise and fall time for multinode deployment to succeed
      backend_fall: 2
      haproxy_bind:
        - 127.0.0.1                     # bind to 127.0.0.1 as the local internal address will be used by certbot
      haproxy_port: 8888                # certbot is configured with http-01-port to be 8888
      haproxy_balance_type: http
</pre>
                                </div>
                                 <div class="">====================================</div>
                                <div class=""><span style="caret-color:
                                    rgb(0, 0, 0);" class=""><br class="">
                                  </span></div>
                                 <div class=""><font class="">Yet,
                                     the Horizon config for HAProxy
                                     is already defined in the default
                                     vars (<a
 href="https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml"
                                       style="caret-color: rgb(0, 0, 0);"
                                       class="moz-txt-link-freetext"
                                       moz-do-not-send="true">https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml</a>)
                                     and we don’t know where to add the
                                     required ACL to redirect the traffic
                                     from port 80 to 8888:</font></div>
                                <div class=""><font class=""><br
                                      class="">
                                  </font></div>
                                 <div class="">====================================</div>
                                <div class="">
                                   <pre>
haproxy_frontend_acls:      # use a frontend ACL to specify the backend to use for acme-challenge
  letsencrypt-acl:
    rule: "path_beg /.well-known/acme-challenge/"
    backend_name: letsencrypt
</pre>
                                </div>
                                <div class=""><font class="">
                                    <div class="">====================================</div>
                                    <div class=""><br class="">
                                    </div>
                                     <div class="">We know that this is
                                       fixed in OpenStack Ansible
                                       Victoria. Is it possible with
                                       Ussuri tho?</div>
                                    <div class=""><br class="">
                                    </div>
                                    <div class="">Many thanks,</div>
                                    <div class="">Best,</div>
                                    <div class="">Marc-Antoine Godde</div>
                                    <div class=""><br class="">
                                    </div>
                                    <div class=""><br class="">
                                    </div>
                                  </font></div>
                              </blockquote>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <br class="">
                    </div>
                  </div>
                </blockquote>
              </div>
            </div>
          </blockquote>
        </div>
        <br class="">
      </div>
    </blockquote>
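    <p>The exchange above turns on how the Let's Encrypt duplicate-certificate
      limit interacts with several HAProxy nodes each running their own certbot,
      and on the suggestion of adding a node-specific domain name so that each
      certificate is unique. The following script is an added example, not code
      from the thread or from openstack-ansible: it models the limit as a rolling
      window over identical hostname sets and compares a plain multi-node
      deployment (repeated a few times in one week) with the per-node-name
      variant. It assumes the production figure of 5 duplicates per 7 days that
      the thread alludes to, assumes the extra name would be passed as a certbot
      -d option, and uses constructed node names, domain names and deploy times.</p>

```python
"""Sliding-window model of the Let's Encrypt duplicate-certificate limit for a
multi-node HAProxy deployment where each node runs its own certbot.
Added example, not code from the thread or from openstack-ansible; node names,
domain names and deploy times below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Production duplicate-certificate limit discussed in the thread (assumed value):
# 5 certificates for an identical hostname set per rolling 7-day window.
DUPLICATE_CERT_LIMIT = 5
WINDOW = timedelta(days=7)


def name_set(names):
    """Certificates are duplicates when they cover the same set of hostnames
    (order and case do not matter)."""
    return frozenset(n.lower() for n in names)


def max_requests_in_window(timestamps, window=WINDOW):
    """Largest number of issuances falling inside any rolling window."""
    times = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] >= window:  # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def duplicate_request_counts(issuances, window=WINDOW):
    """issuances: iterable of (datetime, [hostnames]) -> {name_set: peak count}."""
    by_set = defaultdict(list)
    for ts, names in issuances:
        by_set[name_set(names)].append(ts)
    return {k: max_requests_in_window(v, window) for k, v in by_set.items()}


def over_limit(issuances, limit=DUPLICATE_CERT_LIMIT, window=WINDOW):
    """Hostname sets (as sorted lists) whose peak count exceeds the limit."""
    counts = duplicate_request_counts(issuances, window)
    return sorted(sorted(k) for k, c in counts.items() if c > limit)


def planned_issuances(deploy_times, node_hosts, public_names, per_node_suffix=None):
    """Simulate deployments: every haproxy node requests its own certificate.
    With per_node_suffix set, each node also adds a node-specific name (the
    thread's suggestion of a templated extra parameter; assumed here to be a
    certbot -d option), which makes every node's name set distinct."""
    out = []
    for t in deploy_times:
        for j, host in enumerate(node_hosts):
            names = list(public_names)
            if per_node_suffix:
                names.append(f"{host}.{per_node_suffix}")
            out.append((t + timedelta(minutes=j), names))  # nodes run a minute apart
    return out


def scenario(n_deploys, per_node_suffix=None, spacing_days=1):
    """Constructed three-node deployment repeated n_deploys times, spacing_days apart.
    Returns ({sorted hostname tuple: peak count}, hostname sets over the limit)."""
    nodes = ["haproxy1", "haproxy2", "haproxy3"]      # constructed
    public_names = ["cloud.example.test"]              # constructed
    first = datetime(2022, 2, 21, 17, 0)               # constructed
    deploy_times = [first + timedelta(days=spacing_days * d) for d in range(n_deploys)]
    issuances = planned_issuances(deploy_times, nodes, public_names, per_node_suffix)
    counts = {tuple(sorted(k)): c for k, c in duplicate_request_counts(issuances).items()}
    return counts, over_limit(issuances)


if __name__ == "__main__":
    print(scenario(1))                           # one deploy: 3 identical requests, within limit
    print(scenario(3))                           # three deploys in a week: 9, over the limit
    print(scenario(3, "haproxy.example.test"))   # per-node names: three distinct sets of 3
```

    <p>The model treats a request exactly seven days after another as outside
      the window, so deployments spaced a full week apart never accumulate.
      The practical reading is the one given in the thread: a single
      three-node deployment sits comfortably under the limit, but repeated
      redeploys while debugging do not, which is why testing against the
      staging environment (the --staging flag) or making each node's
      certificate unique is the safer pattern.</p>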
  </body>
</html>