Thanks Radosław,

I figured out later that "certificates" is used to generate self-signed certificates. I have a similar IP address on both the internal and external VIP; in that case, how does it work? I am seeing this in the doc:

"If there is only a single network configured in your topology (as opposed to separate internal and external networks), TLS can only be enabled using the internal network configuration variables."

Based on the above sentence, I should use only kolla_enable_tls_internal: "yes" in global.yml, correct? No need to use external. I am trying to find a good working example to deploy third-party SSL, which is not in the official doc.

On Thu, Sep 29, 2022 at 4:01 AM Radosław Piliszek <radoslaw.piliszek@gmail.com> wrote:
The ``certificates`` command is for generating certificates (the help is explicit on it). For all-things-deployment one just needs to run ``deploy`` again.
Radek -yoctozepto
On Wed, 28 Sept 2022 at 23:02, Satish Patel <satish.txt@gmail.com> wrote:
Folks,
I have a GoDaddy SSL cert and am trying to deploy it with kolla, but I am a little bit
confused by this doc: https://docs.openstack.org/kolla-ansible/latest/admin/tls.html
I have a single interface for the internal/external VIP and tried the following
config to deploy SSL/TLS for haproxy and other services.
---
openstack_release: "wallaby"
kolla_internal_vip_address: "10.73.0.180"
kolla_external_vip_address: "{{ kolla_internal_vip_address }}"
network_interface: "eth0"
neutron_external_interface: "eth1"

# TLS
kolla_enable_tls_internal: "yes"
kolla_certificates_dir: "/etc/kolla/certificates"
kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/my_company_cert.pem"
When I run the "kolla-ansible -i multinode certificates" command it deploys
something, but then I found it generated a certificate itself (self-signed) in the /etc/kolla/cacertificates directory and overrode my third-party cert.
When I tried https://foobar.com in the browser, it didn't connect to port 443,
which means it did not enable SSL. Am I missing something here?