[openstack-ansible] LetsEncrypt OS Ansible Ussuri
Jonathan Rosser
jonathan.rosser at rd.bbc.co.uk
Tue Feb 22 09:35:34 UTC 2022
Hi Marc-Antione,
No problem. I would recommend adding --staging to
haproxy_ssl_letsencrypt_setup_extra_params whilst you get the
letsencrypt support working. You will not get a proper certificate with
that flag but it will bypass the letsencrypt rate limit so you can have
as many tests as you need.
It would be also worth checking the timeout values on later branches,
Ussuri is now in extended-maintenance so not receiving back ported bug
fixes.
See for example
https://github.com/openstack/openstack-ansible/blob/stable/xena/inventory/group_vars/haproxy/haproxy.yml#L248-L258
On 21/02/2022 18:51, Marc-Antoine Godde wrote:
> Thanks for your huge help. It’s is exactly what we wanted to try.
> We’ll feel more confident.
>
> Best,
> Marc-Antoine
>
>
>
>> Le 21 févr. 2022 à 18:52, Jonathan Rosser
>> <jonathan.rosser at rd.bbc.co.uk> a écrit :
>>
>> Hi Marc-Antoine,
>>
>> For setting the horizon acl, see
>> https://docs.openstack.org/openstack-ansible/ussuri/user/security/index.html
>>
>> Specifically:
>>
>> "Copy the whole variable haproxy_default_services from
>> /opt/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml to
>> /etc/openstack_deploy/group_vars/haproxy/haproxy_all.yml and update
>> the section for horizon to include the ACL redirects http-01
>> challenges to the HAProxy letsencrypt backend as follows: ......"
>>
>> It is correct that this is not necessary in later releases and the
>> letsencrypt support is more straightforward to configure in Victoria.
>>
>> You can also join #openstack-ansible IRC channel for some real-time
>> help if needed.
>>
>> Jonathan.
>>
>> On 21/02/2022 17:25, Marc-Antoine Godde wrote:
>>> Hello,
>>>
>>> I have a question on how to setup LetsEncrypt with OpenStack
>>> Ansible. We are still on OpenStack Ussuri.
>>>
>>> We added the following variables to user_variables.yml.
>>>
>>> ==================================================================================
>>> haproxy_ssl_letsencrypt_enable: True
>>> haproxy_ssl_letsencrypt_install_method: "distro"
>>> haproxy_ssl_letsencrypt_setup_extra_params: "--http-01-address {{
>>> ansible_host }} --http-01-port 8888"
>>> haproxy_ssl_letsencrypt_email: email at example.com
>>> haproxy_interval: 2000
>>>
>>> user avatar user avatar
>>> haproxy_extra_services:
>>> # an internal only service for acme-challenge whose backend is
>>> certbot on the haproxy host
>>> - service:
>>> haproxy_service_name: letsencrypt
>>> haproxy_backend_nodes:
>>> - name: localhost
>>> ip_addr: {{ ansible_host }}
>>> #certbot binds to the internal IP
>>> backend_rise: 1 #quick rise and fall
>>> time for multinode deployment to succeed
>>> backend_fall: 2
>>> haproxy_bind:
>>> - 127.0.0.1 #bind to 127.0.0.1 as
>>> the local internal address will be used by certbot
>>> haproxy_port: 8888 #certbot is
>>> configured with http-01-port to be 8888
>>> haproxy_balance_type: http
>>> ==================================================================================
>>>
>>> Yet, Horizon config for HAproxy is already defined in the default
>>> vars
>>> (https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml)
>>> and we don’t know where ta add the required ACL to redirect the
>>> traffic from 80 port to 8888:
>>>
>>> ====================================
>>> haproxy_frontend_acls: #use a frontend ACL specify
>>> the backend to use for acme-challenge
>>> letsencrypt-acl:
>>> rule: "path_beg /.well-known/acme-challenge/"
>>> backend_name: letsencrypt
>>> ====================================
>>>
>>> We know that this is fixed in OpenStack Ansible Victoria. Is it
>>> possible with Ussuri tho ?
>>>
>>> Many thanks,
>>> Best,
>>> Marc-Antoine Godde
>>>
>>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20220222/8a7c2b34/attachment-0001.htm>
More information about the openstack-discuss
mailing list