Certbot auto renew

Donny D donny at fortnebula.com
Thu May 4 12:30:32 UTC 2023


On Thu, May 4, 2023 at 7:14 AM Derek O keeffe <derekokeeffe85 at yahoo.ie>
wrote:

> Hi all,
>
> We're having a problem with renewing letsencrypt certs via certbot in an
> external Neutron network where a security group is locking down HTTP+HTTPS
> access to select IP ranges. As far as we know the IP address for the
> Certbot ACME challenge server is always changing and therefore a static
> security group can't be set up to allow in traffic from that server. We
> have experimented with using UFW rules instead thinking we may be able to
> write a script to open port 80 periodically
> to allow the ACME challenge through, then close it back up, but it hasn't
> worked as we'd hoped either (either all traffic is blocked or the security
> group immediately takes precedence). Is there any way to programmatically
> enable + disable a security group as needed using something like
> OpenstackSDK to achieve the same thing?
>
> Thanks in advance.
>
> Regards,
> Derek
>
>
Derek,
Instead of thinking about the security group rule being enabled or disabled
- maybe think about it existing or not existing. Prior to your certbot run,
you add a rule to a security group to allow 80 inbound and then when
certbot is done, you delete the rule.
Personally I like Ansible, but you could use literally anything to
accomplish this task - even bash.

https://docs.ansible.com/ansible/latest/collections/openstack/cloud/security_group_rule_info_module.html#ansible-collections-openstack-cloud-security-group-rule-info-module

-- 
~/DonnyD
"No mission too difficult. No sacrifice too great. Duty First"
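A worked version of the add-rule, run certbot, delete-rule sequence from the reply above, written as an added example (it is not code from either poster) in openstacksdk, since that is the library Derek asked about. The security group ID, the `CERTBOT_SECGROUP_ID` variable name and the `openstack.connect()` cloud selection are assumptions; the deletion runs in a `finally` block so a failed renewal does not leave port 80 open.

```python
"""Open TCP/80 in a Neutron security group only while certbot runs.

Added example: the rule is created before certbot and deleted afterwards,
whether or not the renewal succeeded.
"""
import contextlib
import os
import subprocess
import sys

# Attributes of the temporary rule. The ACME validation servers have no
# fixed source addresses (the point raised in the thread), so the rule has
# to admit any IPv4 source for the short window in which it exists.
HTTP_RULE = {
    "direction": "ingress",
    "ether_type": "IPv4",
    "protocol": "tcp",
    "port_range_min": 80,
    "port_range_max": 80,
    "remote_ip_prefix": "0.0.0.0/0",
    "description": "temporary: certbot http-01 challenge",
}


@contextlib.contextmanager
def temporary_ingress_rule(conn, security_group_id):
    """Create the port-80 rule on entry and delete it on exit, even on error."""
    rule = conn.network.create_security_group_rule(
        security_group_id=security_group_id, **HTTP_RULE)
    try:
        yield rule
    finally:
        conn.network.delete_security_group_rule(rule, ignore_missing=True)


def renew_with_temporary_rule(conn, security_group_id, certbot_cmd):
    """Run certbot while the rule exists; return certbot's exit status."""
    with temporary_ingress_rule(conn, security_group_id):
        return subprocess.call(certbot_cmd)


if __name__ == "__main__":
    import openstack  # openstacksdk; reads clouds.yaml or OS_* variables
    conn = openstack.connect(cloud=os.environ.get("OS_CLOUD"))
    sg_id = os.environ["CERTBOT_SECGROUP_ID"]  # assumed variable name
    sys.exit(renew_with_temporary_rule(
        conn, sg_id, ["certbot", "renew", "--non-interactive"]))
```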