<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Yes, in a standard deployment this would request 3 identical
certificates which would be inside the rate limit.</p>
<p>This keeps the complexity down and decouples the haproxy nodes
from each other during the deployment. The compromise is
requesting a fresh certificate per haproxy instance.</p>
<p>In some situations it might be possible to add a haproxy instance
specific additional domain name to each certificate by passing a
templated value to haproxy_ssl_letsencrypt_setup_extra_params
making each certificate unique. openstack-ansible exposes all of
these role defaults for you to override through user_variables.yml
as necessary.<br>
</p>
<blockquote type="cite"
cite="mid:8C92B8B1-F0AF-4CB4-9C01-FD4BAA6BA913@viarezo.fr">
<div class=""><i class=""><br class="">
</i></div>
<div class=""><span style="font-style: normal;" class="">Does that
mean that the the deployment is limited to 5 HAProxy nodes ?
Normally we are safe tho, we have 3.</span></div>
<div class=""><span style="font-style: normal;" class=""><br
class="">
</span></div>
<div class="">Concerning, the timeout values, we’ll make sure to
check them out. We’ll upgrade to Wallaby or Xena by the end of
the year in any case.</div>
<div class=""><br class="">
</div>
<div class="">Thanks,</div>
<div class="">Marc-Antoine<br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">Le 22 févr. 2022 à 10:35, Jonathan Rosser <<a
href="mailto:jonathan.rosser@rd.bbc.co.uk"
class="moz-txt-link-freetext" moz-do-not-send="true">jonathan.rosser@rd.bbc.co.uk</a>>
a écrit :</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
<div class="">
<p class="">Hi Marc-Antione,</p>
<p class="">No problem. I would recommend adding
--staging to
haproxy_ssl_letsencrypt_setup_extra_params whilst you
get the letsencrypt support working. You will not get
a proper certificate with that flag but it will bypass
the letsencrypt rate limit so you can have as many
tests as you need.<br class="">
</p>
<p class="">It would be also worth checking the timeout
values on later branches, Ussuri is now in
extended-maintenance so not receiving back ported bug
fixes.</p>
<p class="">See for example
<a class="moz-txt-link-freetext"
href="https://github.com/openstack/openstack-ansible/blob/stable/xena/inventory/group_vars/haproxy/haproxy.yml#L248-L258"
moz-do-not-send="true">https://github.com/openstack/openstack-ansible/blob/stable/xena/inventory/group_vars/haproxy/haproxy.yml#L248-L258</a><br
class="">
<br class="">
</p>
<div class="moz-cite-prefix">On 21/02/2022 18:51,
Marc-Antoine Godde wrote:<br class="">
</div>
<blockquote type="cite"
cite="mid:258D844F-72E6-415A-A7CA-858491021DD8@viarezo.fr"
class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
Thanks for your huge help. It’s exactly what we
wanted to try. We’ll feel more confident.
<div class=""><br class="">
</div>
<div class="">Best,</div>
<div class="">Marc-Antoine<br class="">
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">Le 21 févr. 2022 à 18:52,
Jonathan Rosser <<a
href="mailto:jonathan.rosser@rd.bbc.co.uk"
class="moz-txt-link-freetext"
moz-do-not-send="true">jonathan.rosser@rd.bbc.co.uk</a>>
a écrit :</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type"
content="text/html; charset=UTF-8"
class="">
<div class="">
<p class="">Hi Marc-Antoine,</p>
<p class="">For setting the horizon acl,
see <a class="moz-txt-link-freetext"
href="https://docs.openstack.org/openstack-ansible/ussuri/user/security/index.html"
moz-do-not-send="true">https://docs.openstack.org/openstack-ansible/ussuri/user/security/index.html</a></p>
<p class="">Specifically:</p>
<p class="">"Copy the whole variable
haproxy_default_services from
/opt/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml
to
/etc/openstack_deploy/group_vars/haproxy/haproxy_all.yml
and update the section for horizon to
include the ACL redirects http-01
challenges to the HAProxy letsencrypt
backend as follows: ......"</p>
<p class="">It is correct that this is not
necessary in later releases and the
letsencrypt support is more
straightforward to configure in
Victoria.</p>
<p class="">You can also join
#openstack-ansible IRC channel for some
real-time help if needed.</p>
<p class="">Jonathan.<br class="">
</p>
<div class="moz-cite-prefix">On 21/02/2022
17:25, Marc-Antoine Godde wrote:<br
class="">
</div>
<blockquote type="cite"
cite="mid:D307F242-6045-4062-B78E-81DA7CBBBD7B@viarezo.fr"
class="">
<meta http-equiv="Content-Type"
content="text/html; charset=UTF-8"
class="">
Hello,
<div class=""><br class="">
</div>
<div class="">I have a question on how
to setup LetsEncrypt with OpenStack
Ansible. We are still on OpenStack
Ussuri.</div>
<div class=""><br class="">
</div>
<div class="">We added the following
variables to user_variables.yml.</div>
<div class="">
<div class=""><br class="">
</div>
<div class=""><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">====</span></div>
<div class="">haproxy_ssl_letsencrypt_enable:
True</div>
<div class="">haproxy_ssl_letsencrypt_install_method:
"distro"</div>
<div class="">haproxy_ssl_letsencrypt_setup_extra_params:
"--http-01-address {{ ansible_host
}} --http-01-port 8888"</div>
<div class="">haproxy_ssl_letsencrypt_email:
<a href="mailto:email@example.com"
class="moz-txt-link-freetext"
moz-do-not-send="true">email@example.com</a></div>
<div class="">haproxy_interval: 2000</div>
<div class=""><br class="">
</div>
<div class="">user avatar user avatar </div>
<div class="">haproxy_extra_services:</div>
<div class=""> # an internal only
service for acme-challenge whose
backend is certbot on the haproxy
host</div>
<div class=""> - service:</div>
<div class="">
haproxy_service_name: letsencrypt</div>
<div class="">
haproxy_backend_nodes:</div>
<div class=""> - name:
localhost</div>
<div class=""> ip_addr: {{
ansible_host }}
#certbot binds to the internal IP</div>
<div class=""> backend_rise: 1
#quick rise and fall time for
multinode deployment to succeed</div>
<div class=""> backend_fall: 2</div>
<div class=""> haproxy_bind:</div>
<div class=""> - 127.0.0.1
#bind to 127.0.0.1 as the local
internal address will be used by
certbot</div>
<div class=""> haproxy_port: 8888
#certbot is configured with
http-01-port to be 8888</div>
<div class="">
haproxy_balance_type: http</div>
</div>
<div class=""><span style="caret-color:
rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">====</span></div>
<div class=""><span style="caret-color:
rgb(0, 0, 0);" class=""><br class="">
</span></div>
<div class=""><font class="">Yet,
Horizon config for HAproxy
is already defined in the default
vars (<a
href="https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml"
style="caret-color: rgb(0, 0, 0);"
class="moz-txt-link-freetext"
moz-do-not-send="true">https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml</a>)
and we don’t know where ta add the
required ACL to redirect the traffic
from 80 port to 8888:</font></div>
<div class=""><font class=""><br
class="">
</font></div>
<div class=""><span style="caret-color:
rgb(0, 0, 0);" class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span><span
style="caret-color: rgb(0, 0, 0);"
class="">======</span></div>
<div class="">
<div class="">haproxy_frontend_acls:
#use a
frontend ACL specify the backend to
use for acme-challenge</div>
<div class=""> letsencrypt-acl:</div>
<div class=""> rule: "path_beg
/.well-known/acme-challenge/"</div>
<div class=""> backend_name:
letsencrypt</div>
</div>
<div class=""><font class="">
<div class="">====================================</div>
<div class=""><br class="">
</div>
<div class="">We know that this is
fixed in OpenStack Ansible
Victoria. Is it possible with
Ussuri tho ?</div>
<div class=""><br class="">
</div>
<div class="">Many thanks,</div>
<div class="">Best,</div>
<div class="">Marc-Antoine Godde</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
</font></div>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
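<p>The Ussuri docs quoted above describe the fix in prose: copy haproxy_default_services into haproxy_all.yml and add the letsencrypt ACL to the horizon service. The following is an added example (not openstack-ansible code and not from the thread) that performs that merge on a constructed, trimmed stand-in for the service list, checks that the acme-challenge route ends up on the horizon frontend, and serialises the result for the override file; the service keys shown are a subset and the layout of the real haproxy.yml is assumed.</p>

```python
import copy
import json

# Constructed, trimmed stand-in for haproxy_default_services (the real list is longer).
HAPROXY_DEFAULT_SERVICES = [
    {"service": {"haproxy_service_name": "galera",
                 "haproxy_port": 3306, "haproxy_balance_type": "tcp"}},
    {"service": {"haproxy_service_name": "horizon", "haproxy_port": 80,
                 "haproxy_backend_port": 80, "haproxy_balance_type": "http"}},
]

# ACL as posted in the thread: send acme-challenge paths to the letsencrypt backend.
LETSENCRYPT_ACL = {"letsencrypt-acl": {
    "rule": "path_beg /.well-known/acme-challenge/",
    "backend_name": "letsencrypt"}}


def add_letsencrypt_acl(services, target="horizon"):
    """Copy services, merging LETSENCRYPT_ACL into target's haproxy_frontend_acls.
    Existing ACLs on that service are kept; a missing target raises rather than
    silently yielding a config with no http-01 route."""
    out = copy.deepcopy(services)
    for entry in out:
        svc = entry["service"]
        if svc.get("haproxy_service_name") == target:
            svc.setdefault("haproxy_frontend_acls", {}).update(LETSENCRYPT_ACL)
            return out
    raise KeyError(f"no service named {target!r} in haproxy_default_services")


def frontend_acl_backends(services, target="horizon"):
    """Sorted backend names reachable via ACLs on target ([] if none)."""
    for entry in services:
        svc = entry["service"]
        if svc.get("haproxy_service_name") == target:
            acls = svc.get("haproxy_frontend_acls", {})
            return sorted(a["backend_name"] for a in acls.values())
    return []


def render_haproxy_all(services):
    """Serialise for /etc/openstack_deploy/group_vars/haproxy/haproxy_all.yml.
    JSON is valid YAML, so the fallback output can be used as-is; PyYAML, when
    installed, gives the block style of the original file instead."""
    doc = {"haproxy_default_services": services}
    try:
        import yaml  # optional, not required for the JSON fallback
        return yaml.safe_dump(doc, sort_keys=False)
    except ImportError:
        return json.dumps(doc, indent=2)
```

Run `frontend_acl_backends` on the merged list before writing it out; an empty result means the horizon frontend still has no acme-challenge route and certbot's http-01 check on port 80 will never reach port 8888.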
</body>
</html>