All docs are included. Change-Id: Ie29ff7ca340812c8dc0dac493518c87cf7bf137b Partially-Implements: blueprint letsencrypt-https
ACME http-01 challenge support
This guide describes how to configure Kolla Ansible to enable ACME http-01 challenge support. As of Victoria, Kolla Ansible can configure the HAProxy Horizon frontend to proxy ACME http-01 challenge requests to selected external ACME client servers, that is, servers not deployed by Kolla Ansible. These can be ad-hoc or permanent servers. This guide assumes general knowledge of ACME.
Note that the ACME http-01 challenge is validated only over the standard HTTP(S) ports: the CA's validation server connects to port 80 (HTTP) and follows redirects, including to 443 (HTTPS). Only Horizon is normally deployed on these ports with Kolla Ansible (other services use custom ports). This means that, as of now, running Horizon is mandatory to support the ACME http-01 challenge.
How To (External ACME client)
You need to determine the IP address (and port) of the ACME client server used for the http-01 challenge (e.g. the host you use to run certbot). The default port is usually 80 (HTTP). Assuming the IP address of that host is 192.168.1.1, the config would look like the following:
enable_horizon: "yes"
acme_client_servers:
- server certbot 192.168.1.1:80
acme_client_servers is a list of HAProxy backend server directives. The first parameter is the name of the backend server; it can be arbitrary and is used for logging purposes. The second parameter is the address and port of the ACME client server that HAProxy proxies the challenge requests to.
After (re)deploying, run the ACME client to serve the http-01 challenge files. Ensure the Horizon frontend responds on the domain you request the certificate for, since that is the name the CA's validation request is sent to.
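Before pointing a real CA at the deployment, it is worth confirming that a request for http://<domain>/.well-known/acme-challenge/<token> actually reaches the ACME client server named in acme_client_servers and comes back with the expected body. The following pre-flight check is an added example, not part of Kolla Ansible or certbot. To run offline it starts a local stand-in for the external ACME client (serving one constructed token) instead of certbot; the path prefix is the one ACME defines, everything else (function names, the constructed token and thumbprint string) is illustrative.

```python
"""Pre-flight check for ACME http-01 challenge proxying (added example).

Confirms that the http-01 URL a CA would fetch is answered with the
expected key authorization. A stand-in ACME client server is started
locally so the check can run without a real deployment or certbot.
"""
import http.server
import secrets
import threading
import urllib.error
import urllib.request

# Path prefix used by the ACME http-01 challenge (RFC 8555 section 8.3).
ACME_PATH = "/.well-known/acme-challenge/"


class _StandInAcmeClient(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for the external ACME client (e.g. certbot --standalone).

    Serves the key authorization for exactly one token; anything else is 404,
    mirroring a client that only knows the tokens the CA asked for.
    """
    token = ""
    key_authz = ""

    def do_GET(self):
        if self.path == ACME_PATH + self.token:
            body = self.key_authz.encode("ascii")
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the check quiet
        pass


def start_stand_in(token, key_authz):
    """Start the stand-in on 127.0.0.1 on an ephemeral port; returns (server, base_url)."""
    handler = type("Handler", (_StandInAcmeClient,),
                   {"token": token, "key_authz": key_authz})
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def check_http01(base_url, token, expected, timeout=5.0):
    """Fetch the challenge URL the CA would fetch and compare the body.

    Returns (ok, detail). Redirects are followed, as an ACME server does,
    so a Horizon frontend that redirects HTTP to HTTPS still passes as long
    as the HTTPS side proxies the same path.
    """
    url = base_url.rstrip("/") + ACME_PATH + token
    req = urllib.request.Request(url, headers={"User-Agent": "http01-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except urllib.error.HTTPError as exc:
        return False, "HTTP %d for %s" % (exc.code, url)
    except (urllib.error.URLError, OSError) as exc:
        return False, "cannot reach %s: %s" % (url, exc)
    if body != expected:
        return False, "body mismatch: got %r" % body[:80]
    return True, "ok"


def demo():
    """Run the check against the local stand-in: one good case, two failure modes."""
    token = secrets.token_urlsafe(32)                       # constructed token
    key_authz = token + ".constructed-account-key-thumbprint"  # constructed, not a real thumbprint
    srv, base = start_stand_in(token, key_authz)
    try:
        good = check_http01(base, token, key_authz)
        wrong_token = check_http01(base, "not-the-token", key_authz)
        wrong_body = check_http01(base, token, "something-else")
    finally:
        srv.shutdown()
        srv.server_close()
    return good, wrong_token, wrong_body


if __name__ == "__main__":
    for name, result in zip(("good", "wrong token", "wrong body"), demo()):
        print("%-12s %s" % (name, result))
```

Against a real deployment, call check_http01 with base_url set to http://<your-domain> from a host outside the cloud, while the ACME client is serving a token file you created by hand; a 404 points at the HAProxy frontend not proxying the path (or DNS not reaching the VIP), and a body mismatch at the request being answered by something other than the ACME client server.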
To use the newly-generated key-cert pair, follow the tls guide.