Running into somewhat of the same issues. This use case is very badly documented currently. I have tested this deployment under 2024.1 and I have found you need the following so far:

    kolla_enable_tls_external: "yes"
    letsencrypt_email: "xxx"
    enable_letsencrypt: yes
    letsencrypt_cert_server: "https://acme-v02.api.letsencrypt.org/directory"
    # attempt to renew Let's Encrypt certificate every 12 hours
    letsencrypt_cron_renew_schedule: "0 */12 * * *"

All other TLS configuration options should be left to their defaults.

A good sign that this worked is to check /var/log/kolla/letsencrypt/letsencrypt-lego.log:

    [/etc/haproxy/certificates/haproxy.pem - update] Transaction /var/lib/haproxy/haproxy.pem -> /etc/haproxy/certificates/haproxy.pem successful.

________________________________
From: Jonathan Proulx <jon@csail.mit.edu>
Sent: Wednesday, May 22, 2024 9:03 AM
To: Michal Arbet <michal.arbet@ultimum.io>
Cc: OpenStack Discuss <openstack-discuss@lists.openstack.org>
Subject: Re: [kolla-ansible][letsencrypt] containers are running but not getting certificates.

On Tue, May 21, 2024 at 09:04:23PM +0200, Michal Arbet wrote:
:Btw, did you follow docs?

been reading https://docs.openstack.org/kolla-ansible/2023.2/admin/tls.html

I'm a bit unclear which sections apply with letsencrypt info and which
it replaces (probably the config snip I sent will show my possibly
flawed understanding).

-Jon

:Michal Arbet
:Openstack Engineer
:
:Ultimum Technologies a.s.
:Na Poříčí 1047/26, 11000 Praha 1
:Czech Republic
:
:+420 604 228 897
:michal.arbet@ultimum.io
:*https://ultimum.io <https://ultimum.io/>*
:
:LinkedIn <https://www.linkedin.com/company/ultimum-technologies> | Twitter
:<https://twitter.com/ultimumtech> | Facebook
:<https://www.facebook.com/ultimumtechnologies/timeline>
:
:
:On Tue 21. 5. 2024 at 21:03 Michal Arbet <michal.arbet@ultimum.io>
:wrote:
:
:> Hi,
:>
:> Can u send me content of /etc/kolla ?
:>
:> And also config in globals regarding tls ?
:>
:> Kevko
:> Michal Arbet
:> Openstack Engineer
:>
:> Ultimum Technologies a.s.
:> Na Poříčí 1047/26, 11000 Praha 1
:> Czech Republic
:>
:> +420 604 228 897
:> michal.arbet@ultimum.io
:> *https://ultimum.io <https://ultimum.io/>*
:>
:> LinkedIn <https://www.linkedin.com/company/ultimum-technologies> | Twitter
:> <https://twitter.com/ultimumtech> | Facebook
:> <https://www.facebook.com/ultimumtechnologies/timeline>
:>
:>
:> On Mon 20. 5. 2024 at 22:23 Jonathan Proulx <jon@csail.mit.edu>
:> wrote:
:>
:>> On Mon, May 20, 2024 at 01:44:24PM -0400, Jonathan Proulx wrote:
:>> :Hi All,
:>> :
:>> :I'm trying to do a test multinode deploy using 2023.2
:>> :
:>> :I have letsencrypt_webserver and letsencrypt_lego containers running
:>> :and I'm seeing random traffic in the
:>> :/var/log/kolla/letsencrypt/letsencrypt-webserver-access.log so fairly
:>> :confident they're plumbed through to the public internet properly, but
:>> :I don't seem to be getting certificates.
:>> :
:>> :how can I trigger a renewal attempt so I can maybe see what I've
:>> :screwed up?
:>>
:>> Of course as soon as I ask I find the answer and more questions.
:>>
:>> `exec`ing the /usr/bin/letsencrypt-certificates line from
:>> `/usr/local/bin/letsencrypt-lego-run.sh` in the letsencrypt_lego
:>> container does get a letsencrypt cert into the haproxy container as
:>> `/etc/haproxy/certificates/haproxy-internal.pem`; however there's also
:>> a `/etc/haproxy/certificates/haproxy.pem` that is self-signed.
:>>
:>>
:>> What my `kolla-ansible deploy` is actually dying on is currently:
:>>
:>> fatal: [control0]: FAILED! => {"msg": "An unhandled exception occurred
:>> while templating '{{ lookup('first_found', certs) }}'. Error was a <class
:>> 'ansible.errors.AnsibleLookupError'>, original message: No file was found
:>> when using first_found."}
:>>
:>> so perhaps there's something I need to turn "off" in `globals.yml`?
:>>
:>>
:>> --
:>> Jonathan Proulx (he/him)
:>> Sr. Technical Architect
:>> The Infrastructure Group
:>> MIT CSAIL
:>>
:>
--
Jonathan Proulx (he/him)
Sr. Technical Architect
The Infrastructure Group
MIT CSAIL
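The two checks the thread converges on, a globals.yml that carries the Let's Encrypt settings the first reply lists, and a letsencrypt-lego.log line confirming the haproxy certificate was updated, can be scripted so a deployer can verify a node without reading logs by hand. The following is an added example written for this thread; it is not code from any of the participants or from kolla-ansible. It assumes globals.yml can be read as flat `key: value` lines (no nested YAML, so no PyYAML dependency), generalises the lego log format from the single line quoted above (the "failed." line in the sample is constructed to show the negative case), and the sample address `ops@example.org` is constructed.

```python
import re
from typing import Dict, Iterable, List

# Settings the first reply in this thread reports as needed for a working
# Let's Encrypt deployment under kolla-ansible 2024.1. A value set of None
# means "must be present"; the email and ACME URL get their own checks below.
REQUIRED_SETTINGS = {
    "kolla_enable_tls_external": {"yes", "true"},
    "enable_letsencrypt": {"yes", "true"},
    "letsencrypt_email": None,
    "letsencrypt_cert_server": None,
}

# Generalised from the one log line quoted in the thread:
#   [<cert> - <action>] Transaction <src> -> <dst> successful.
LEGO_LINE = re.compile(
    r"^\[(?P<cert>\S+) - (?P<action>\w+)\] Transaction "
    r"(?P<src>\S+) -> (?P<dst>\S+) (?P<result>\w+)\.$"
)


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Assumption: globals.yml is a flat 'key: value' file. Comments are
    dropped, surrounding quotes are stripped, nested structures are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def check_globals(text: str) -> List[str]:
    """Return a list of problems; empty means the Let's Encrypt related
    settings match what the thread reports as a working configuration."""
    s = parse_flat_yaml(text)
    problems: List[str] = []
    for key, accepted in REQUIRED_SETTINGS.items():
        if key not in s:
            problems.append(f"missing {key}")
            continue
        if accepted is not None and s[key].lower() not in accepted:
            problems.append(f"{key} should be yes, got {s[key]!r}")
    # A redacted placeholder such as "xxx" would make the ACME registration fail.
    email = s.get("letsencrypt_email", "")
    if email and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        problems.append(f"letsencrypt_email does not look like an address: {email!r}")
    server = s.get("letsencrypt_cert_server", "")
    if server and not server.startswith("https://"):
        problems.append("letsencrypt_cert_server must be an https:// ACME directory URL")
    return problems


def parse_lego_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Extract certificate transactions from letsencrypt-lego.log lines."""
    events: List[Dict[str, object]] = []
    for line in lines:
        m = LEGO_LINE.match(line.strip())
        if m:
            event: Dict[str, object] = dict(m.groupdict())
            event["ok"] = event["result"] == "successful"
            events.append(event)
    return events


def renewed_certs(lines: Iterable[str]) -> List[str]:
    """Destination paths whose most recent transaction succeeded."""
    last: Dict[str, bool] = {}
    for e in parse_lego_log(lines):
        last[str(e["dst"])] = bool(e["ok"])
    return sorted(path for path, ok in last.items() if ok)


# Constructed sample inputs, mirroring the configuration quoted in the thread.
GOOD_GLOBALS = """\
kolla_enable_tls_external: "yes"
letsencrypt_email: "ops@example.org"   # constructed sample address
enable_letsencrypt: yes
letsencrypt_cert_server: "https://acme-v02.api.letsencrypt.org/directory"
# attempt to renew Let's Encrypt certificate every 12 hours
letsencrypt_cron_renew_schedule: "0 */12 * * *"
"""

BAD_GLOBALS = """\
kolla_enable_tls_external: "no"
letsencrypt_email: "xxx"
enable_letsencrypt: yes
"""

SAMPLE_LOG = [
    "[/etc/haproxy/certificates/haproxy.pem - update] Transaction "
    "/var/lib/haproxy/haproxy.pem -> /etc/haproxy/certificates/haproxy.pem successful.",
    # constructed failure line in the same shape, not observed on the list
    "[/etc/haproxy/certificates/haproxy-internal.pem - update] Transaction "
    "/var/lib/haproxy/haproxy-internal.pem -> /etc/haproxy/certificates/haproxy-internal.pem failed.",
    "some unrelated lego output",
]

if __name__ == "__main__":
    print(check_globals(GOOD_GLOBALS))
    print(check_globals(BAD_GLOBALS))
    print(renewed_certs(SAMPLE_LOG))
```

Run it against a real node by feeding `check_globals` the contents of /etc/kolla/globals.yml and `renewed_certs` the lines of /var/log/kolla/letsencrypt/letsencrypt-lego.log; an empty problem list plus /etc/haproxy/certificates/haproxy.pem in the renewed set corresponds to the "good sign" the first reply describes.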