Hi again,

What about those directives in globals.yml?

kolla_enable_tls_internal: "yes"
kolla_enable_tls_external: "yes"
kolla_certificates_dir: "{{ node_config }}/certificates"

kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
kolla_admin_openrc_cacert: "{{ kolla_certificates_dir }}/ca.pem"

kolla_copy_ca_into_containers: "yes"

#####################
# Backend TLS options
#####################

kolla_enable_tls_backend: "yes"
kolla_verify_tls_backend: "no"
kolla_tls_backend_cert: "{{ kolla_certificates_dir }}/backend-cert.pem"
kolla_tls_backend_key: "{{ kolla_certificates_dir }}/backend-key.pem"



Should I keep them?
Or will they be populated by the Let's Encrypt certificate files?

I have a machine that I use to deploy my OpenStack; I call it "deployer". Can I install certbot on it and use it to validate my domain?

Should I use this documentation with it: https://docs.openstack.org/kolla-ansible/latest/admin/acme.html and put the IP address of my deployer machine in the acme_client_servers list?


Regards.

On Mon, 18 Mar 2024 at 15:08, wodel youchi <wodel.youchi@gmail.com> wrote:
Hi,

Thanks Michal, could you give me more details about the local part?

Regards.

On Mon, 18 Mar 2024 at 12:04, Michal Arbet <michal.arbet@ultimum.io> wrote:
Hi,

It does, but you need to provide your local ACME server, which will verify your local DNS domains for the http-01 ACME challenge.
That's the reason why it works out of the box for external: there is an external ACME by default.


Michal Arbet
Openstack Engineer

Ultimum Technologies a.s.
Na Poříčí 1047/26, 11000 Praha 1
Czech Republic

+420 604 228 897
michal.arbet@ultimum.io
https://ultimum.io



On Sun, 17 Mar 2024 at 17:34, wodel youchi <wodel.youchi@gmail.com> wrote:
Hi,

I deployed OpenStack using a self-signed certificate generated by kolla.
I am using the encryption both internally and externally.

Then I tried to use Let's Encrypt on the same platform, and it seemed to work, but only on the external URL of OpenStack (Horizon portal).

Then I undeployed my OpenStack and tried to redeploy it again; this time Keystone couldn't be deployed, it complained about not being able to verify the self-signed certificate.

I had to disable the Let's Encrypt lines in globals.yml to be able to deploy OpenStack.

My question is:
- Does using Let's Encrypt cover both internal and external traffic of OpenStack on all ports, or just 443?
- If it does, how to configure globals.yml, especially the lines concerning the certificates?
- If it does not, and it covers only Horizon on 443, how could someone combine the use of self-signed certificates with Let's Encrypt? Is it even possible?

Regards.
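The globals.yml directives quoted at the top of this thread, as an added example that is not part of the thread or of kolla-ansible itself: a small audit that parses those flat `key: "value"` lines, resolves the `{{ ... }}` references so you can see which certificate files each directive actually points at, and flags the one weakened setting in the snippet (`kolla_verify_tls_backend: "no"`, which makes HAProxy skip verification of the backend service certificates). The value of `node_config` is an assumption, since the thread does not show it.

```python
import re
# Constructed sample: the directives quoted in the thread; node_config's value is assumed.
SAMPLE_GLOBALS = """
node_config: "/etc/kolla"
kolla_enable_tls_internal: "yes"
kolla_enable_tls_external: "yes"
kolla_certificates_dir: "{{ node_config }}/certificates"
kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
kolla_admin_openrc_cacert: "{{ kolla_certificates_dir }}/ca.pem"
kolla_copy_ca_into_containers: "yes"
kolla_enable_tls_backend: "yes"
kolla_verify_tls_backend: "no"
kolla_tls_backend_cert: "{{ kolla_certificates_dir }}/backend-cert.pem"
kolla_tls_backend_key: "{{ kolla_certificates_dir }}/backend-key.pem"
"""
VAR_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")  # a Jinja reference such as {{ node_config }}

def parse_globals(text):
    """Parse the flat `key: "value"` lines of globals.yml; comments and blanks are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        values[key] = value.strip('"')
    return values

def resolve(values):
    """Expand {{ var }} references the way Ansible would, until nothing changes."""
    out = dict(values)
    for _ in range(len(out) + 1):
        changed = False
        for key, val in list(out.items()):
            new = VAR_RE.sub(lambda m: out.get(m.group(1), m.group(0)), val)
            if new != val:
                out[key], changed = new, True
        if not changed:
            return out
    raise ValueError("circular {{ }} reference in globals.yml")

def audit_tls(values):
    """Return (resolved config, findings) for the TLS directives."""
    cfg = resolve(values)
    on = lambda key: cfg.get(key, "no").strip().lower() == "yes"
    findings = []
    if on("kolla_enable_tls_backend") and not on("kolla_verify_tls_backend"):
        findings.append("kolla_verify_tls_backend is 'no': HAProxy will not verify backend certificates")
    return cfg, findings
```

Running `audit_tls(parse_globals(SAMPLE_GLOBALS))` lists where haproxy.pem, haproxy-internal.pem, ca.pem and the backend pair must exist before deployment, and returns one finding until `kolla_verify_tls_backend` is set to `"yes"`.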