Hi Marc-Antoine, For setting the horizon acl, see https://docs.openstack.org/openstack-ansible/ussuri/user/security/index.html Specifically: "Copy the whole variable haproxy_default_services from /opt/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml to /etc/openstack_deploy/group_vars/haproxy/haproxy_all.yml and update the section for horizon to include the ACL redirects http-01 challenges to the HAProxy letsencrypt backend as follows: ......" It is correct that this is not necessary in later releases and the letsencrypt support is more straightforward to configure in Victoria. You can also join #openstack-ansible IRC channel for some real-time help if needed. Jonathan. On 21/02/2022 17:25, Marc-Antoine Godde wrote:
Hello,
I have a question on how to setup LetsEncrypt with OpenStack Ansible. We are still on OpenStack Ussuri.
We added the following variables to user_variables.yml.
================================================================================== haproxy_ssl_letsencrypt_enable: True haproxy_ssl_letsencrypt_install_method: "distro" haproxy_ssl_letsencrypt_setup_extra_params: "--http-01-address {{ ansible_host }} --http-01-port 8888" haproxy_ssl_letsencrypt_email: email@example.com haproxy_interval: 2000
user avatar user avatar haproxy_extra_services: # an internal only service for acme-challenge whose backend is certbot on the haproxy host - service: haproxy_service_name: letsencrypt haproxy_backend_nodes: - name: localhost ip_addr: {{ ansible_host }} #certbot binds to the internal IP backend_rise: 1 #quick rise and fall time for multinode deployment to succeed backend_fall: 2 haproxy_bind: - 127.0.0.1 #bind to 127.0.0.1 as the local internal address will be used by certbot haproxy_port: 8888 #certbot is configured with http-01-port to be 8888 haproxy_balance_type: http ==================================================================================
Yet, Horizon config for HAproxy is already defined in the default vars (https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/...) and we don’t know where ta add the required ACL to redirect the traffic from 80 port to 8888:
==================================== haproxy_frontend_acls: #use a frontend ACL specify the backend to use for acme-challenge letsencrypt-acl: rule: "path_beg /.well-known/acme-challenge/" backend_name: letsencrypt ====================================
We know that this is fixed in OpenStack Ansible Victoria. Is it possible with Ussuri tho ?
Many thanks, Best, Marc-Antoine Godde