Hi again,

What about those directives in globals.yml?

    kolla_enable_tls_internal: "yes"
    kolla_enable_tls_external: "yes"
    kolla_certificates_dir: "{{ node_config }}/certificates"
    kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
    kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
    kolla_admin_openrc_cacert: "{{ kolla_certificates_dir }}/ca.pem"
    kolla_copy_ca_into_containers: "yes"

    #####################
    # Backend TLS options
    #####################
    kolla_enable_tls_backend: "yes"
    kolla_verify_tls_backend: "no"
    kolla_tls_backend_cert: "{{ kolla_certificates_dir }}/backend-cert.pem"
    kolla_tls_backend_key: "{{ kolla_certificates_dir }}/backend-key.pem"

Should I keep them? Or will they be populated by Let's Encrypt certificate files?

I have a machine that I use to deploy my OpenStack; I call it deployer. Can I install certbot on it and use it to validate my domain? Should I use this documentation with it: https://docs.openstack.org/kolla-ansible/latest/admin/acme.html and put the IP address of my deployer machine in the acme_client_servers list?

Regards.

On Mon, 18 Mar 2024 at 15:08, wodel youchi <wodel.youchi@gmail.com> wrote:
Hi,
Thanks Michal, could you give me more details about the local part???
Regards.
On Mon, 18 Mar 2024 at 12:04, Michal Arbet <michal.arbet@ultimum.io> wrote:
Hi,
It does, but you need to provide your local ACME server, which will verify your local DNS domains for the http-01 ACME challenge. That's the reason why it works out of the box for external: there is an external ACME by default.
Michal Arbet, Openstack Engineer
Ultimum Technologies a.s., Na Poříčí 1047/26, 11000 Praha 1, Czech Republic
+420 604 228 897, michal.arbet@ultimum.io, https://ultimum.io
LinkedIn: https://www.linkedin.com/company/ultimum-technologies | Twitter: https://twitter.com/ultimumtech | Facebook: https://www.facebook.com/ultimumtechnologies/timeline
On Sun, 17 Mar 2024 at 17:34, wodel youchi <wodel.youchi@gmail.com> wrote:
Hi,
I deployed OpenStack using a self-signed certificate generated by kolla. I am using encryption both internally and externally.
Then I tried to use Let's Encrypt on the same platform, and it seemed to work, but only on the external URL of OpenStack (Horizon portal).
Then I undeployed my OpenStack and tried to redeploy it again; this time Keystone couldn't be deployed, it complained about not being able to verify the self-signed certificate.
I had to disable the Let's Encrypt lines in globals.yml to be able to deploy OpenStack.
My question is:
- Does using Let's Encrypt cover both internal and external traffic of OpenStack on all ports, or just 443?
- If it does, how to configure globals.yml, especially the lines concerning the certificates?
- If it does not, i.e. it covers only Horizon on 443, how could someone combine the use of self-signed certificates with Let's Encrypt? Is it even possible?
Regards.
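The question running through this thread (which certificate is really served on the internal and external endpoints after enabling ACME, and whether the kolla_*_cert files are the ones in use) can be settled empirically from the deployer. The script below is an added check, not code from the thread or from kolla-ansible; it assumes OpenSSL on the deployer, the file names from the globals.yml quoted above, and placeholder FQDNs, ports and CERT_DIR that you replace with your own.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or from kolla-ansible. Compares the PEM
# files that the kolla_*_cert settings point to with the leaf certificate each
# haproxy VIP actually presents. FQDNs, ports and CERT_DIR are assumptions.
set -u

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
file_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate presented by host:port (SNI = host).
# Prints nothing when the connection or the TLS handshake fails.
live_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Issuer and expiry of a PEM file: the issuer distinguishes a kolla-generated
# self-signed certificate (issued by the kolla CA) from an ACME-issued one.
cert_summary() {
  openssl x509 -in "$1" -noout -issuer -enddate
}

# Exit 0 when host:port serves exactly the certificate stored in file, 1 otherwise.
endpoint_matches_file() {
  local live
  live=$(live_fingerprint "$1" "$2")
  [ -n "$live" ] && [ "$live" = "$(file_fingerprint "$3")" ]
}

# One report line per endpoint/file pair taken from the thread's globals.yml.
report() {
  local label=$1 host=$2 port=$3 file=$4
  if endpoint_matches_file "$host" "$port" "$file"; then
    echo "$label ($host:$port): serving $(basename "$file") - $(cert_summary "$file" | tr '\n' ' ')"
  else
    echo "$label ($host:$port): NOT serving $(basename "$file") (unreachable, or another cert such as an ACME-issued one)"
  fi
}

CERT_DIR=${CERT_DIR:-/etc/kolla/certificates}   # kolla_certificates_dir; assumed path
if [ "${KOLLA_TLS_CHECK:-0}" = 1 ]; then        # set KOLLA_TLS_CHECK=1 to probe your VIPs
  report external "${EXTERNAL_FQDN:-openstack.example.com}" 443 "$CERT_DIR/haproxy.pem"
  report internal "${INTERNAL_FQDN:-openstack.internal.example}" 443 "$CERT_DIR/haproxy-internal.pem"
  report keystone-internal "${INTERNAL_FQDN:-openstack.internal.example}" 5000 "$CERT_DIR/haproxy-internal.pem"
fi
```

Run it as `KOLLA_TLS_CHECK=1 EXTERNAL_FQDN=... INTERNAL_FQDN=... ./tls-check.sh` on the deployer; a "NOT serving" line for the external VIP after enabling ACME means haproxy is presenting a certificate other than the one in haproxy.pem, and cert_summary on each file shows which issuer it came from.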