[kolla-ansible][2023.2] Need some information about using let's encrypt
Hi,

I deployed OpenStack using a self-signed certificate generated by Kolla. I am using the encryption both internally and externally.

Then I tried to use Let's Encrypt on the same platform, and it seemed to work, but only on the external URL of OpenStack (Horizon portal).

Then I undeployed my OpenStack, and I tried to redeploy it again; this time Keystone couldn't be deployed, it complained about not being able to verify the self-signed certificate.

I had to disable the Let's Encrypt lines in globals.yml to be able to deploy OpenStack.

My questions are:
- Does using Let's Encrypt cover both internal and external traffic of OpenStack on all ports, or just 443?
- If it does, how to configure globals.yml, especially the lines concerning the certificates?
- If it does not, and it covers only Horizon on 443, how could someone combine the use of self-signed certificates with Let's Encrypt? Is it even possible?

Regards.
Hi,

It does, but you need to provide your local ACME server, which will verify your local DNS domains for the http-01 ACME challenge. That's the reason why it works out of the box for external: there is an external ACME server by default.

Michal Arbet
OpenStack Engineer

Ultimum Technologies a.s.
Na Poříčí 1047/26, 11000 Praha 1, Czech Republic
+420 604 228 897
michal.arbet@ultimum.io
https://ultimum.io
LinkedIn <https://www.linkedin.com/company/ultimum-technologies> | Twitter <https://twitter.com/ultimumtech> | Facebook <https://www.facebook.com/ultimumtechnologies/timeline>

On Sun 17 Mar 2024 at 17:34, wodel youchi <wodel.youchi@gmail.com> wrote:
Hi,

Thanks Michal, could you give me more details about the local part?

Regards.

On Mon 18 Mar 2024 at 12:04, Michal Arbet <michal.arbet@ultimum.io> wrote:
Hi again,

What about those directives in globals.yml?

kolla_enable_tls_internal: "yes"
kolla_enable_tls_external: "yes"
kolla_certificates_dir: "{{ node_config }}/certificates"
kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
kolla_admin_openrc_cacert: "{{ kolla_certificates_dir }}/ca.pem"
kolla_copy_ca_into_containers: "yes"

#####################
# Backend TLS options
#####################
kolla_enable_tls_backend: "yes"
kolla_verify_tls_backend: "no"
kolla_tls_backend_cert: "{{ kolla_certificates_dir }}/backend-cert.pem"
kolla_tls_backend_key: "{{ kolla_certificates_dir }}/backend-key.pem"

Should I keep them? Or will they be populated by the Let's Encrypt certificate files?

I have a machine that I use to deploy my OpenStack, I call it the deployer; can I install certbot on it and use it to validate my domain? Should I use this documentation with it: https://docs.openstack.org/kolla-ansible/latest/admin/acme.html and put the IP address of my deployer machine in the acme_client_servers list?

Regards.

On Mon 18 Mar 2024 at 15:08, wodel youchi <wodel.youchi@gmail.com> wrote:
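An added check, not from the thread or from kolla-ansible itself, for the files under kolla_certificates_dir before a redeploy: it asks openssl whether a certificate chains to ca.pem and whether its subjectAltName names the FQDN it will be served on, the kind of verification that Keystone reported failing in the thread. The FQDN, file names and all certificates below are constructed test values, not a real deployment.

```shell
#!/bin/sh
# Added example, not from the thread: check that a certificate chains to the CA in ca.pem and that
# its subjectAltName covers the FQDN it will be served for. All certificates are constructed here
# in a temporary directory with openssl; the FQDN is an assumed test name, not a real deployment.
set -e
WORK=$(mktemp -d)
FQDN="internal.openstack.example"   # stands in for kolla_internal_fqdn (assumed value)

# new_csr NAME SUBJECT: fresh RSA key NAME-key.pem and CSR NAME.csr for SUBJECT (constructed).
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1-key.pem" -out "$WORK/$1.csr" 2>/dev/null
}

# Private CA, the role kolla's generated ca.pem plays in self-signed mode.
new_csr ca "/CN=kolla-test-ca"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$WORK/ca.cnf"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca-key.pem" -days 2 \
  -extfile "$WORK/ca.cnf" -out "$WORK/ca.pem" 2>/dev/null

# Leaf for the internal FQDN issued by that CA, the role haproxy-internal.pem plays.
printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORK/san.cnf"
new_csr leaf "/CN=$FQDN"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" \
  -CAcreateserial -days 2 -extfile "$WORK/san.cnf" -out "$WORK/haproxy-internal.pem" 2>/dev/null

# Same name, unrelated issuer (self-signed): how a certificate from any other CA, a public ACME
# CA included, looks to a client that trusts only ca.pem.
new_csr other "/CN=$FQDN"
openssl x509 -req -in "$WORK/other.csr" -signkey "$WORK/other-key.pem" -days 2 \
  -extfile "$WORK/san.cnf" -out "$WORK/other.pem" 2>/dev/null

# check_cert CERT CA FQDN: returns 0 when CERT chains to CA and its SAN lists FQDN, else 1.
check_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -text 2>/dev/null | tr ',' '\n' \
    | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$3"
}

# Walk the files the way an operator would before redeploying.
for f in haproxy-internal.pem other.pem; do
  if check_cert "$WORK/$f" "$WORK/ca.pem" "$FQDN"; then
    echo "$f: chains to ca.pem and covers $FQDN"
  else
    echo "$f: NOT trusted via ca.pem for $FQDN; clients that trust only ca.pem will reject it"
  fi
done
```

Point the two paths at the real haproxy-internal.pem, haproxy.pem and ca.pem from the deployment and the output shows directly which endpoint certificate the CA copied into the containers will accept.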
participants (2)
- Michal Arbet
- wodel youchi