Hi,

It's obvious that you can't get a certificate for an internal endpoint because the public ACME server can't reach your internal domain, right? So they can't verify you are the owner.

If you set up your own ACME server, it will work, and you will just change the ACME server from the public Let's Encrypt one to your local one in the configuration. For now the ACME server is pointed to https://acme-v02.api.letsencrypt.org/directory

In CI we are testing an internal certificate and it works: https://github.com/openstack/kolla-ansible/blob/30331f90f6da377debb92ec4aec4... <<< Check how the entire process works here -> https://letsencrypt.org/docs/challenge-types/

TLDR - Install your ACME server, propagate your trusted CA, change letsencrypt_cert_server to your server and issue your own certificate internally; don't use the public service at https://acme-v02.api.letsencrypt.org

Thanks

Michal Arbet
Openstack Engineer

Ultimum Technologies a.s.
Na Poříčí 1047/26, 11000 Praha 1
Czech Republic

+420 604 228 897
michal.arbet@ultimum.io
*https://ultimum.io <https://ultimum.io/>*
LinkedIn <https://www.linkedin.com/company/ultimum-technologies> | Twitter <https://twitter.com/ultimumtech> | Facebook <https://www.facebook.com/ultimumtechnologies/timeline>

Tue 30 Jul 2024 at 21:59, <jjjamesg@proton.me> wrote:
So with the settings:
kolla_internal_fqdn: "int.cloud.example.com"
kolla_external_fqdn: "cloud.example.com"
kolla_enable_tls_internal: "yes"
kolla_enable_tls_external: "yes"
kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"
haproxy_backend_cacert_dir: "/etc/ssl/certs"
openstack_cacert: "/etc/ssl/certs/ca-certificates.crt"

It currently pulls only for the external VIP but not the internal one, so clearly I'm missing something, although I can get it to pull in a hacky way by editing letsencrypt-lego-run.sh to pull int.cloud.example.com.
No matter what I try, I can't get any version of this working with anything other than self-signed certs:

kolla_enable_tls_backend: "yes"
kolla_verify_tls_backend: "yes"
kolla_tls_backend_cert: "{{ kolla_certificates_dir }}/backend-cert.pem"
kolla_tls_backend_key: "{{ kolla_certificates_dir }}/backend-key.pem"
kolla_copy_ca_into_containers: "yes"
The note at: https://docs.openstack.org/kolla-ansible/2024.1/admin/tls.html states:
The back-end TLS cert/key can be the same certificate that is used for the VIP, as long as those certificates are configured to allow requests from both the VIP and internal networks.
Yet, I can't figure out how to do that or what combination of keys to use from the VIP certs to get that working.

For now it's running with kolla_enable_tls_backend: no and a manually pulled internal cert, but this is not ideal. Anyone have any pointers?
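The docs note quoted above requires a certificate shared between the VIP and the backends to be valid for both names, and the reply above requires the internal CA to be trusted by the hosts. The pre-flight checks below are an added example, not code from this thread or from kolla-ansible; they assume the openssl CLI (1.1.1 or newer) is on PATH and use the file names from the globals quoted in the thread.

```shell
# Added example (not from the thread or kolla-ansible): check the PEM files
# before pointing kolla_external_fqdn_cert / kolla_tls_backend_cert at them.
# Assumes the openssl CLI (1.1.1+) is on PATH.

# cert_has_sans CERT NAME... : succeeds only if every NAME is a DNS SAN of CERT.
# A cert reused for the VIP and the backends must list both FQDNs here.
cert_has_sans() {
  cert="$1"; shift
  sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
         | grep -A1 'Subject Alternative Name' \
         | tr ',' '\n' \
         | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\)[[:space:]]*$/\1/p')
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -qxF "$name" \
      || { echo "missing SAN: $name in $cert" >&2; return 1; }
  done
}

# cert_chain_verifies CA_BUNDLE CERT : succeeds if CERT chains to a CA in CA_BUNDLE.
# This is what the bundle named by openstack_cacert / haproxy_backend_cacert
# must be able to do for an internally issued backend cert once the CA is propagated.
cert_chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_matches_key CERT KEY : succeeds if KEY is the private key belonging to CERT
# (compares the public key embedded in each), e.g. backend-cert.pem vs backend-key.pem.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Example usage with the thread's globals (kolla_certificates_dir assumed to be
# /etc/kolla/certificates):
#   cert_has_sans /etc/kolla/certificates/haproxy.pem cloud.example.com int.cloud.example.com
#   cert_chain_verifies /etc/ssl/certs/ca-certificates.crt /etc/kolla/certificates/backend-cert.pem
#   cert_matches_key /etc/kolla/certificates/backend-cert.pem /etc/kolla/certificates/backend-key.pem
```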