On 28 February 2017 at 09:59, Grant Morley <gr...@absolutedevops.io> wrote:
> Hi All,
>
> We have an OSA Mitaka deployment and for some reason all of the end points
> (keystone, neutron, glance etc.) are all reporting as HTTP rather than
> HTTPS. The only thing that seems to have worked with HTTPS is Horizon (I
> know that isn't an api endpoint, just for clarification).
>
> We have placed our SSL certs in the correct directory for the deployment
> "/etc/openstack_deploy/ssl/" but for some reason when the setup has run it
> is only using HTTP as below:
>
> +----------------------------------+--------+--------------+--------------+---------+-----------+---------------------------------------+
> | ID                               | Region | Service Name | Service Type | Enabled | Interface | URL                                   |
> +----------------------------------+--------+--------------+--------------+---------+-----------+---------------------------------------+
> | 0b7ca91c06334207b3199eeca432d5fe | lon1   | cinder       | volume       | True    | admin     | http://10.6.0.3:8776/v1/%(tenant_id)s |
> | 0f7440688cbc4d1f8f3c62158889729d | lon1   | keystone     | identity     | True    | internal  | http://10.6.0.3:5000/v3               |
>
> Is there something else I have missed or do I need to put our SSL certs in
> a different directory for OSA to set up the endpoints with HTTPS on haproxy?
>
> Grateful for any help.
>
> Regards,
>
> Grant
>

Hi Grant,

I took a look back at the stable/mitaka branch for OSA - we do default the value to be http, so if you don't override the setting it will be set up as http. That's changed since, but you can overwrite this by setting "openstack_service_publicuri_proto: https" which would then set the public endpoints to be https.

Although the paste you have above implies you want all endpoints to be https - as it stands I don't believe there is support for that - that is to say that internal traffic (internal/admin endpoints) would be http, and your public endpoint (terminating at your LB - haproxy if you are using the built in one) would be https.

There are a few exceptions in keystone, rabbitmq, horizon and HAProxy:
https://docs.openstack.org/developer/openstack-ansible/mitaka/install-guide/configure-sslcertificates.html

Here are some docs about securing haproxy with ssl-certificates that may be helpful:
https://docs.openstack.org/developer/openstack-ansible/mitaka/install-guide/configure-haproxy.html#securing-haproxy-communication-with-ssl-certificates

If you're stuck or running into issues feel free to jump into the #openstack-ansible channel on Freenode IRC, there are usually quite a few people around to help and answer questions.

Andy
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators