Hi,

It's obvious that you can't get a certificate for an internal endpoint because the public ACME server can't reach your internal domain, right? So they can't verify you are the owner.
If you set up your own ACME server, it will work, and you will just change the ACME server from the Let's Encrypt public one to your local one in the configuration.

For now the ACME server is pointed to https://acme-v02.api.letsencrypt.org/directory
In CI we are testing an internal certificate and it works: https://github.com/openstack/kolla-ansible/blob/30331f90f6da377debb92ec4aec4a267eff145f8/tests/deploy.sh#L9-L35

Check how the entire process works here -> https://letsencrypt.org/docs/challenge-types/

TLDR - Install your ACME server, propagate your trusted CA, change letsencrypt_cert_server to your server and issue your own certificate internally; don't use the public service at https://acme-v02.api.letsencrypt.org

Thanks


Michal Arbet
Openstack Engineer

Ultimum Technologies a.s.
Na Poříčí 1047/26, 11000 Praha 1
Czech Republic

+420 604 228 897 
michal.arbet@ultimum.io
https://ultimum.io



On Tue 30. 7. 2024 at 21:59, <jjjamesg@proton.me> wrote:
So with the settings:

kolla_internal_fqdn: "int.cloud.example.com"
kolla_external_fqdn: "cloud.example.com"
kolla_enable_tls_internal: "yes"
kolla_enable_tls_external: "yes"
kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"
haproxy_backend_cacert_dir: "/etc/ssl/certs"
openstack_cacert: "/etc/ssl/certs/ca-certificates.crt"


It currently pulls only for the external VIP but not the internal one, so clearly I'm missing something, although I can get it to pull in a hacky way by editing letsencrypt-lego-run.sh to pull int.cloud.example.com

No matter what I try, I can't get any version of this working with anything other than self-signed certs:

kolla_enable_tls_backend: "yes"
kolla_verify_tls_backend: "yes"
kolla_tls_backend_cert: "{{ kolla_certificates_dir }}/backend-cert.pem"
kolla_tls_backend_key: "{{ kolla_certificates_dir }}/backend-key.pem"
kolla_copy_ca_into_containers: "yes"

The note at: https://docs.openstack.org/kolla-ansible/2024.1/admin/tls.html states:

The back-end TLS cert/key can be the same certificate that is used for the VIP, as long as those certificates are configured to allow requests from both the VIP and internal networks.

Yet, I can't figure out how to do that or what combination of keys to use from the VIP certs to get that working.

For now it's running with kolla_enable_tls_backend: no and a manually pulled internal cert, but this is not ideal. Does anyone have any pointers?
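Both Michal's TLDR (issue the cert from your own ACME server) and the docs note quoted above (the back-end cert may be the VIP cert only if it is valid for the VIP and the internal names) come down to one check: does the PEM you hand to haproxy actually list every FQDN it will serve in its subjectAltName? The following is an added example, not code from the thread or from kolla-ansible; it assumes openssl 1.1.1 or newer on PATH, and the hostnames are the placeholders used in the thread.

```shell
#!/bin/sh
# Added example: verify that a PEM certificate's SAN list covers every
# hostname it will serve (e.g. kolla_external_fqdn and kolla_internal_fqdn)
# before reusing it as kolla_tls_backend_cert.
set -eu

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_san_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\).*/\1/p'
}

# cert_covers_names CERT NAME... -> exit 0 only if every NAME is a SAN entry.
# Wildcards are deliberately not honoured: an exact match is what you want
# to see for the VIP and internal FQDNs.
cert_covers_names() {
  cert=$1; shift
  names=$(cert_san_names "$cert")
  for n in "$@"; do
    printf '%s\n' "$names" | grep -qx "$n" \
      || { echo "missing SAN: $n" >&2; return 1; }
  done
  return 0
}

# Constructed sample: a throwaway self-signed cert carrying both placeholder
# names, so the check can be exercised without touching a real deployment.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=cloud.example.com" \
    -addext "subjectAltName=DNS:cloud.example.com,DNS:int.cloud.example.com" \
    -keyout "$2" -out "$1" 2>/dev/null
}

# Demo on the constructed sample (replace with your real haproxy.pem).
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/haproxy.pem" "$demo_dir/haproxy-key.pem"
cert_covers_names "$demo_dir/haproxy.pem" cloud.example.com int.cloud.example.com \
  && echo "certificate covers both the external and internal FQDN"
```

Run it against the file referenced by kolla_external_fqdn_cert with both FQDNs as arguments; a "missing SAN" line tells you which name the back-end/internal side would fail to validate.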