Running into somewhat of the same issues. This use case is very badly documented currently; I have tested this deployment under 2024.1.


I have found you need the following so far:

kolla_enable_tls_external: "yes"
letsencrypt_email: "xxx"
enable_letsencrypt: yes
letsencrypt_cert_server: "https://acme-v02.api.letsencrypt.org/directory"
# attempt to renew Let's Encrypt certificate every 12 hours
letsencrypt_cron_renew_schedule:  "0   */12   *   *   *"



All other TLS configuration options should be left to their defaults

A good sign that this worked is to check /var/log/kolla/letsencrypt/letsencrypt-lego.log
 [/etc/haproxy/certificates/haproxy.pem - update] Transaction /var/lib/haproxy/haproxy.pem -> /etc/haproxy/certificates/haproxy.pem successful.
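Added illustration, not part of the post above and not kolla-ansible's own code: a small offline checker for the two things that post relies on, the handful of globals.yml keys (read with a deliberately minimal key/value parser, so PyYAML is not needed) and the "Transaction ... successful" line in letsencrypt-lego.log that shows the cert reached haproxy. The sample globals text is the snippet above; the sample log is constructed, with the one real line copied from the post. The key names and the log format come from the post; the "failed" wording for an unsuccessful transaction is an assumption, and the e-mail check exists only to catch a redacted placeholder like "xxx".

```python
"""Offline sanity checks for a kolla-ansible Let's Encrypt configuration.

Added example (not from the thread or from kolla-ansible):
  1. check_letsencrypt_globals() validates the globals.yml keys listed in the post
  2. scan_lego_log() finds the cert transaction lines in letsencrypt-lego.log
"""
import re

# Keys the post above says are needed for the Let's Encrypt flow.
REQUIRED_KEYS = (
    "kolla_enable_tls_external",
    "enable_letsencrypt",
    "letsencrypt_email",
)
TRUE_VALUES = {"yes", "true", "on", "1"}

# Log line format copied from the post; the "failed" alternative is an assumption.
TRANSACTION_RE = re.compile(
    r"\[(?P<dest>\S+) - (?P<action>\w+)\] Transaction (?P<src>\S+) -> (?P<dst>\S+) "
    r"(?P<result>successful|failed)"
)


def parse_flat_yaml(text):
    """Parse simple 'key: value' lines (comments, blanks and quoted scalars handled).

    Nested YAML is not needed for these keys and is ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key.strip()] = value
    return settings


def check_letsencrypt_globals(text):
    """Return a list of problems; an empty list means the snippet is consistent."""
    s = parse_flat_yaml(text)
    problems = [f"{key} is not set" for key in REQUIRED_KEYS if key not in s]
    if s.get("enable_letsencrypt", "").lower() in TRUE_VALUES:
        if s.get("kolla_enable_tls_external", "").lower() not in TRUE_VALUES:
            problems.append("enable_letsencrypt is on but kolla_enable_tls_external is not")
        email = s.get("letsencrypt_email", "")
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
            problems.append(f"letsencrypt_email {email!r} is a placeholder or not an address")
        server = s.get("letsencrypt_cert_server", "")
        if server and not server.startswith("https://"):
            problems.append("letsencrypt_cert_server should be an https:// ACME directory URL")
    return problems


def scan_lego_log(lines):
    """Map each destination cert path to True/False for its last transaction result."""
    results = {}
    for line in lines:
        m = TRANSACTION_RE.search(line)
        if m:
            results[m.group("dest")] = m.group("result") == "successful"
    return results


# Constructed sample input: the globals snippet from the post, verbatim.
SAMPLE_GLOBALS = """\
kolla_enable_tls_external: "yes"
letsencrypt_email: "xxx"
enable_letsencrypt: yes
letsencrypt_cert_server: "https://acme-v02.api.letsencrypt.org/directory"
# attempt to renew Let's Encrypt certificate every 12 hours
letsencrypt_cron_renew_schedule:  "0   */12   *   *   *"
"""

# Constructed sample log: first line copied from the post, second is invented noise.
SAMPLE_LOG = [
    " [/etc/haproxy/certificates/haproxy.pem - update] Transaction "
    "/var/lib/haproxy/haproxy.pem -> /etc/haproxy/certificates/haproxy.pem successful.",
    "2024/05/22 09:00:01 [INFO] renewal not needed yet",
]

if __name__ == "__main__":
    for p in check_letsencrypt_globals(SAMPLE_GLOBALS) or ["globals look consistent"]:
        print("globals:", p)
    for path, ok in scan_lego_log(SAMPLE_LOG).items():
        print("log:", path, "OK" if ok else "FAILED")
```

Run it against real files with `check_letsencrypt_globals(open("/etc/kolla/globals.yml").read())` and `scan_lego_log(open("/var/log/kolla/letsencrypt/letsencrypt-lego.log"))`; the "xxx" e-mail in the sample is reported as a placeholder on purpose.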


From: Jonathan Proulx <jon@csail.mit.edu>
Sent: Wednesday, May 22, 2024 9:03 AM
To: Michal Arbet <michal.arbet@ultimum.io>
Cc: OpenStack Discuss <openstack-discuss@lists.openstack.org>
Subject: Re: [kolla-ansible][letsencrypt] containers are running but not getting certificates.
 
On Tue, May 21, 2024 at 09:04:23PM +0200, Michal Arbet wrote:
:Btw, did you follow docs ?

Been reading https://docs.openstack.org/kolla-ansible/2023.2/admin/tls.html

I'm a bit unclear which sections apply with letsencrypt info and which
it replaces (probably the config snip I sent will show my possibly
flawed understanding).

-Jon

:Michal Arbet
:Openstack Engineer
:
:Ultimum Technologies a.s.
:Na Poříčí 1047/26, 11000 Praha 1
:Czech Republic
:
:+420 604 228 897
:michal.arbet@ultimum.io
:*https://ultimum.io <https://ultimum.io/>*
:
:LinkedIn <https://www.linkedin.com/company/ultimum-technologies> | Twitter
:<https://twitter.com/ultimumtech> | Facebook
:<https://www.facebook.com/ultimumtechnologies/timeline>
:
:
:út 21. 5. 2024 v 21:03 odesílatel Michal Arbet <michal.arbet@ultimum.io>
:napsal:
:
:> Hi,
:>
:> Can u send me content of /etc/kolla ?
:>
:> And also config in globals regarding tls ?
:>
:> Kevko
:>
:>
:> po 20. 5. 2024 v 22:23 odesílatel Jonathan Proulx <jon@csail.mit.edu>
:> napsal:
:>
:>> On Mon, May 20, 2024 at 01:44:24PM -0400, Jonathan Proulx wrote:
:>> :Hi All,
:>> :
:>> :I'm trying to do a test multinode deploy using 2023.2
:>> :
:>> :I have letsencrypt_webserver and letsencrypt_lego containers running
:>> :and I'm seeing random traffic in the
:>> :/var/log/kolla/letsencrypt/letsencrypt-webserver-access.log so fairly
:>> :confident they're plumbed through to the public internet properly, but
:>> :I don't seem to be getting certificates.
:>> :
:>> :how can I trigger a renewal attempt so I can maybe see what I've
:>> :screwed up?
:>>
:>> Of course as soon as I ask I find the answer and more questions.
:>>
:>> `exec`ing the /usr/bin/letsencrypt-certificates line from
:>> `/usr/local/bin/letsencrypt-lego-run.sh` in the letsencrypt_lego
:>> container does get a letsencrypt cert into the haproxy container as
:>> `/etc/haproxy/certificates/haproxy-internal.pem` however there's also
:>> a `/etc/haproxy/certificates/haproxy.pem` that is self-signed.
:>>
:>>
:>> What my `kolla-ansible deploy` is actually dying on is currently:
:>>
:>> fatal: [control0]: FAILED! => {"msg": "An unhandled exception occurred
:>> while templating '{{ lookup('first_found', certs) }}'. Error was a <class
:>> 'ansible.errors.AnsibleLookupError'>, original message: No file was found
:>> when using first_found."}
:>>
:>> so perhaps there's something I need to turn "off" in `globals.yml`?
:>>
:>>
:>> --
:>> Jonathan Proulx (he/him)
:>> Sr. Technical Architect
:>> The Infrastructure Group
:>> MIT CSAIL
:>>
:>

--
Jonathan Proulx (he/him)
Sr. Technical Architect
The Infrastructure Group
MIT CSAIL