[Openstack-operators] osa Mitaka api SSL end points

Andy McCrae andy.mccrae at gmail.com
Tue Feb 28 11:42:18 UTC 2017


On 28 February 2017 at 09:59, Grant Morley <grant at absolutedevops.io> wrote:

> Hi All,
>
> We have an OSA Mitaka deployment and for some reason all of the end points
> ( keystone, neutron, glance etc.. ) are all reporting as HTTP rather than
> HTTPS. The only thing that seems to have worked with HTTPS is Horizon ( I
> know that isn't an api endpoint, just for clarification).
>
> We have placed our SSL certs in the correct directory for the deployment
> "/etc/openstack_deploy/ssl/" but for some reason when the setup has run it
> is only using HTTP as below:
>
> +----------------------------------+-----------+--------------+----------------+---------+-----------+----------------------------------------------+
> | ID                               | Region    | Service Name | Service Type   | Enabled | Interface | URL                                          |
> +----------------------------------+-----------+--------------+----------------+---------+-----------+----------------------------------------------+
> | 0b7ca91c06334207b3199eeca432d5fe | lon1      | cinder       | volume         | True    | admin     | http://10.6.0.3:8776/v1/%(tenant_id)s        |
> | 0f7440688cbc4d1f8f3c62158889729d | lon1      | keystone     | identity       | True    | internal  | http://10.6.0.3:5000/v3                      |
> +----------------------------------+-----------+--------------+----------------+---------+-----------+----------------------------------------------+
>
> Is there something else I have missed or do I need to put our SSL certs in
> a different directory for OSA to setup the endpoints with HTTPS on haproxy?
>
> Grateful for any help.
>
> Regards,
>
> Grant
>

Hi Grant,

I took a look back at the stable/mitaka branch for OSA - we do default the
value to be http, so if you don't override the setting it will be set up as
http. That's changed since, but you can overwrite this by setting
"openstack_service_publicuri_proto: https" which would then set the public
endpoints to be https.

Although the paste you have above implies you want all endpoints to be
https - as it stands I don't believe there is support for that - that is to
say that internal traffic (internal/admin endpoints) would be http, and your
public endpoint (terminating at your LB - haproxy if you are using the
built-in one) would be https.

There are a few exceptions in keystone, rabbitmq, horizon and HAProxy:
https://docs.openstack.org/developer/openstack-ansible/mitaka/install-guide/configure-sslcertificates.html

Here are some docs about securing haproxy with ssl-certificates that may be
helpful:
https://docs.openstack.org/developer/openstack-ansible/mitaka/install-guide/configure-haproxy.html#securing-haproxy-communication-with-ssl-certificates

If you're stuck or running into issues feel free to jump into the
#openstack-ansible channel on Freenode IRC, there are usually quite a few
people around to help and answer questions.

Andy
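As an added example (not code from the thread or from OSA), here is a check that parses the table printed by `openstack endpoint list` and flags enabled public endpoints that are still served over plain http, while leaving internal/admin endpoints alone since those stay http on OSA Mitaka as Andy describes. The embedded sample is constructed: it reuses Grant's two rows and adds an assumed public keystone row whose ID and 203.0.113.10 address are placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample of `openstack endpoint list` output. The cinder and
# keystone rows are the ones from Grant's message; the third row is an
# assumed public endpoint (placeholder ID and address) to exercise the check.
SAMPLE_ENDPOINT_LIST = """\
+----------------------------------+-----------+--------------+----------------+---------+-----------+----------------------------------------------+
| ID                               | Region    | Service Name | Service Type   | Enabled | Interface | URL                                          |
+----------------------------------+-----------+--------------+----------------+---------+-----------+----------------------------------------------+
| 0b7ca91c06334207b3199eeca432d5fe | lon1      | cinder       | volume         | True    | admin     | http://10.6.0.3:8776/v1/%(tenant_id)s        |
| 0f7440688cbc4d1f8f3c62158889729d | lon1      | keystone     | identity       | True    | internal  | http://10.6.0.3:5000/v3                      |
| ffffffffffffffffffffffffffffffff | lon1      | keystone     | identity       | True    | public    | http://203.0.113.10:5000/v3                  |
+----------------------------------+-----------+--------------+----------------+---------+-----------+----------------------------------------------+
"""


def parse_endpoint_table(text):
    """Parse the ASCII table from `openstack endpoint list` into a list of dicts."""
    rows = []
    header = None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # skip the +---+ border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells  # first pipe-delimited line is the column header
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def http_public_endpoints(rows):
    """Return (service, url) for enabled public endpoints whose scheme is not https.

    Internal and admin endpoints are deliberately ignored: on OSA Mitaka only
    the public URI is switched via openstack_service_publicuri_proto, so plain
    http on the internal/admin interfaces is the expected state.
    """
    findings = []
    for r in rows:
        if r["Interface"] != "public" or r["Enabled"] != "True":
            continue
        if urlsplit(r["URL"]).scheme != "https":
            findings.append((r["Service Name"], r["URL"]))
    return findings


if __name__ == "__main__":
    for name, url in http_public_endpoints(parse_endpoint_table(SAMPLE_ENDPOINT_LIST)):
        print(f"public endpoint for {name} is not https: {url}")
```

On a live cloud, feed it `openstack endpoint list` output instead of the sample and expect an empty result once `openstack_service_publicuri_proto: https` has been applied.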