I have a question on how to setup LetsEncrypt with OpenStack Ansible. We are still on OpenStack Ussuri.

We added the following variables to user_variables.yml.

==================================================================================

haproxy_ssl_letsencrypt_enable: True

haproxy_ssl_letsencrypt_install_method: "distro"

haproxy_ssl_letsencrypt_setup_extra_params: "--http-01-address {{ ansible_host }} --http-01-port 8888"

haproxy_ssl_letsencrypt_email: email@example.com

haproxy_interval: 2000

user avatar user avatar

haproxy_extra_services:

# an internal only service for acme-challenge whose backend is certbot on the haproxy host

- service:

haproxy_service_name: letsencrypt

haproxy_backend_nodes:

- name: localhost

ip_addr: {{ ansible_host }} #certbot binds to the internal IP

backend_rise: 1 #quick rise and fall time for multinode deployment to succeed

backend_fall: 2

haproxy_bind:

- 127.0.0.1 #bind to 127.0.0.1 as the local internal address will be used by certbot

haproxy_port: 8888 #certbot is configured with http-01-port to be 8888

haproxy_balance_type: http

==================================================================================

Yet, Horizon config for HAproxy is already defined in the default vars (https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml) and we don’t know where ta add the required ACL to redirect the traffic from 80 port to 8888:

====================================

haproxy_frontend_acls: #use a frontend ACL specify the backend to use for acme-challenge

letsencrypt-acl:

rule: "path_beg /.well-known/acme-challenge/"

backend_name: letsencrypt

====================================

We know that this is fixed in OpenStack Ansible Victoria. Is it possible with Ussuri tho ?

Many thanks,

Best,

Marc-Antoine Godde