LetsEncrypt OS Ansible Ussuri
Hello,

I have a question on how to setup LetsEncrypt with OpenStack Ansible. We are still on OpenStack Ussuri.

We added the following variables to user_variables.yml:

==================================================================================
haproxy_ssl_letsencrypt_enable: True
haproxy_ssl_letsencrypt_install_method: "distro"
haproxy_ssl_letsencrypt_setup_extra_params: "--http-01-address {{ ansible_host }} --http-01-port 8888"
haproxy_ssl_letsencrypt_email: email@example.com
haproxy_interval: 2000

haproxy_extra_services:
  # an internal only service for acme-challenge whose backend is certbot on the haproxy host
  - service:
      haproxy_service_name: letsencrypt
      haproxy_backend_nodes:
        - name: localhost
          ip_addr: "{{ ansible_host }}"   # certbot binds to the internal IP
      backend_rise: 1    # quick rise and fall time for multinode deployment to succeed
      backend_fall: 2
      haproxy_bind:
        - 127.0.0.1      # bind to 127.0.0.1 as the local internal address will be used by certbot
      haproxy_port: 8888 # certbot is configured with http-01-port to be 8888
      haproxy_balance_type: http
==================================================================================

Yet, the Horizon config for HAProxy is already defined in the default vars (https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml) and we don't know where to add the required ACL to redirect the traffic from port 80 to 8888:

====================================
haproxy_frontend_acls:
  # use a frontend ACL to specify the backend to use for acme-challenge
  letsencrypt-acl:
    rule: "path_beg /.well-known/acme-challenge/"
    backend_name: letsencrypt
====================================

We know that this is fixed in OpenStack Ansible Victoria. Is it possible with Ussuri though?

Many thanks,
Best,
Marc-Antoine Godde
Hi Marc-Antoine,

For setting the horizon acl, see https://docs.openstack.org/openstack-ansible/ussuri/user/security/index.html

Specifically:

"Copy the whole variable haproxy_default_services from /opt/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml to /etc/openstack_deploy/group_vars/haproxy/haproxy_all.yml and update the section for horizon to include the ACL redirects http-01 challenges to the HAProxy letsencrypt backend as follows: ......"

It is correct that this is not necessary in later releases and the letsencrypt support is more straightforward to configure in Victoria.

You can also join the #openstack-ansible IRC channel for some real-time help if needed.

Jonathan.

On 21/02/2022 17:25, Marc-Antoine Godde wrote:
Thanks for your huge help. It is exactly what we wanted to try. We'll feel more confident.

Best,
Marc-Antoine
On 21 Feb 2022 at 18:52, Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk> wrote:
Hi Marc-Antoine,

No problem. I would recommend adding --staging to haproxy_ssl_letsencrypt_setup_extra_params whilst you get the letsencrypt support working. You will not get a proper certificate with that flag but it will bypass the letsencrypt rate limit so you can have as many tests as you need.

It would also be worth checking the timeout values on later branches; Ussuri is now in extended maintenance so is not receiving backported bug fixes.

See for example https://github.com/openstack/openstack-ansible/blob/stable/xena/inventory/group_vars/haproxy/haproxy.yml#L248-L258

On 21/02/2022 18:51, Marc-Antoine Godde wrote:
Hello Jonathan,

Thanks for the tips. It is interesting that you point this out; it was indeed one of my concerns.

If I understood the process correctly, Certbot will run on each HAProxy node and request LetsEncrypt to issue a certificate on each node. This means that we ask for many certificates for the same domain (for instance openstack.example.com). This must impact the following rate limit of LetsEncrypt:

"Renewals are treated specially: they don't count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Exceeding the Duplicate Certificate limit is reported with the error message too many certificates already issued for exact set of domains." (LetsEncrypt website)

Does that mean that the deployment is limited to 5 HAProxy nodes? Normally we are safe though, we have 3.

Concerning the timeout values, we'll make sure to check them out. We'll upgrade to Wallaby or Xena by the end of the year in any case.

Thanks,
Marc-Antoine
On 22 Feb 2022 at 10:35, Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk> wrote:
Yes, in a standard deployment this would request 3 identical certificates, which would be inside the rate limit. This keeps the complexity down and decouples the haproxy nodes from each other during the deployment. The compromise is requesting a fresh certificate per haproxy instance.

In some situations it might be possible to add a haproxy-instance-specific additional domain name to each certificate by passing a templated value to haproxy_ssl_letsencrypt_setup_extra_params, making each certificate unique. openstack-ansible exposes all of these role defaults for you to override through user_variables.yml as necessary.
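A check on the Duplicate Certificate limit discussed in the last two messages, written as an added example (it is not from the thread or from openstack-ansible): it groups certificate requests by exact set of domains and counts them in a rolling 7-day window, showing that 3 nodes asking for the same name stay under 5, that re-running the issuance on every node the next day tips over it, and that a per-node SAN as Jonathan suggests makes each set unique. Node names, dates and the openstack.example.com name are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5          # Let's Encrypt: 5 per week for the exact same set of domains
WINDOW = timedelta(days=7)   # rolling week


def duplicate_violations(requests, limit=DUPLICATE_LIMIT, window=WINDOW):
    """requests: iterable of (issued_at: datetime, domains: iterable[str], staging: bool).
    Returns {frozenset(domains): peak count in any rolling window} for every exact
    set of domains whose peak exceeds the limit. Requests made against the staging
    environment (certbot --staging) are skipped: they do not count against the
    production limit."""
    by_set = defaultdict(list)
    for issued_at, domains, staging in requests:
        if staging:
            continue
        by_set[frozenset(d.lower() for d in domains)].append(issued_at)

    worst = {}
    for names, times in by_set.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        worst[names] = peak
    return {names: n for names, n in worst.items() if n > limit}


def plan_requests(nodes, issue_days, per_node_san=False, staging=False):
    """Model the deployment from the thread: every haproxy node runs its own certbot
    and requests the public VIP name. With per_node_san=True each node also adds its
    own hostname as an extra SAN (constructed names), so no two nodes share an exact
    set of domains. issue_days are day offsets from a constructed base date."""
    base = datetime(2022, 2, 21)   # constructed
    out = []
    for day in issue_days:
        for node in nodes:
            domains = ["openstack.example.com"]
            if per_node_san:
                domains.append(f"{node}.openstack.example.com")
            out.append((base + timedelta(days=day), domains, staging))
    return out


if __name__ == "__main__":
    nodes = ["haproxy1", "haproxy2", "haproxy3"]
    print("3 nodes, one run:        ", duplicate_violations(plan_requests(nodes, [0])))
    print("3 nodes, re-run next day:", duplicate_violations(plan_requests(nodes, [0, 1])))
    print("same, per-node SAN:      ", duplicate_violations(plan_requests(nodes, [0, 1], per_node_san=True)))
    print("same, --staging:         ", duplicate_violations(plan_requests(nodes, [0, 1], staging=True)))
```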
Participants (2):
- Jonathan Rosser
- Marc-Antoine Godde