<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 28 February 2017 at 09:59, Grant Morley <span dir="ltr"><<a href="mailto:grant@absolutedevops.io" target="_blank">grant@absolutedevops.io</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p>Hi All,</p>
<p>We have an OSA Mitaka deployment and for some reason all of the
end points ( keystone, neutron, glance etc.. ) are all reporting
as HTTP rather than HTTPS. The only thing that seems to have
worked with HTTPS is Horizon ( I know that isn't an api endpoint,
just for clarification).</p>
<p>We have placed our SSL certs in the correct directory for the
deployment "/etc/openstack_deploy/ssl/" but for some reason when
the setup has run it is only using HTTP as below:</p>
<p>+-----------------------------<wbr>-----+-----------+------------<wbr>--+----------------+---------+<wbr>-----------+------------------<wbr>----------------------------+<br>
| ID <wbr> | Region | Service Name |
Service Type | Enabled | Interface |
URL <wbr> |<br>
+-----------------------------<wbr>-----+-----------+------------<wbr>--+----------------+---------+<wbr>-----------+------------------<wbr>----------------------------+<br>
| 0b7ca91c06334207b3199eeca432d5<wbr>fe | lon1 | cinder |
volume | True | admin |
<a class="gmail-m_8587663293326111461moz-txt-link-freetext" href="http://10.6.0.3:8776/v1/%(tenant_id)s" target="_blank">http://10.6.0.3:8776/v1/%(<wbr>tenant_id)s</a> |<br>
| 0f7440688cbc4d1f8f3c6215888972<wbr>9d | lon1 | keystone |
identity | True | internal |
<a class="gmail-m_8587663293326111461moz-txt-link-freetext" href="http://10.6.0.3:5000/v3" target="_blank">http://10.6.0.3:5000/v3</a> <wbr> |</p>
<p>Is there something else I have missed or do I need to put our SSL
certs in a different directory for OSA to setup the endpoints with
HTTPS on haproxy?</p>
<p>Grateful for any help.</p>
<p>Regards,</p>
<p>Grant</p></div></blockquote><div> </div><div>Hi Grant,</div><div><br></div><div>I took a look back at the stable/mitaka branch for OSA - we do default the value to be http, so if you don't override the setting it will be setup as http.</div><div>That's changed since, but you can overwrite this by setting "openstack_service_publicuri_proto: https" which would then set the public endpoints to be https.</div><div>Although the paste you have above implies you want all endpoints to be https - as it stands I don't believe there is support for that - that is to say that </div><div>internal traffic (internal/admin endpoints) would be http, and your public endpoint (terminating at your LB - haproxy if you are using the built in one) would be</div><div>https. </div><div><br></div><div>There are a few exceptions in keystone, rabbitmq, horizon and HAProxy: <a href="https://docs.openstack.org/developer/openstack-ansible/mitaka/install-guide/configure-sslcertificates.html">https://docs.openstack.org/developer/openstack-ansible/mitaka/install-guide/configure-sslcertificates.html</a></div><div><br></div><div>Here are some docs about securing haproxy with ssl-certificates that may be helpful: <a href="https://docs.openstack.org/developer/openstack-ansible/mitaka/install-guide/configure-haproxy.html#securing-haproxy-communication-with-ssl-certificates">https://docs.openstack.org/developer/openstack-ansible/mitaka/install-guide/configure-haproxy.html#securing-haproxy-communication-with-ssl-certificates</a></div><div><br></div><div>If you're stuck or running into issues feel free to jump into the #openstack-ansible channel on Freenode IRC, there are usually quite a few people around to help and answer questions.</div><div><br></div><div>Andy</div><div><br></div><div><br></div></div><br></div></div>