
SSL Certificates for Instances

Users might need to obtain certificates for their instances to secure e.g. web servers. We recommend using Let's Encrypt certificates for your instances. This can be done in multiple ways, but we will show two ways here in this guide.

Option 1: Automated using Ansible

The team at h-da.cloud provides an Ansible role that can be used to obtain certificates and set up automatic renewal for the obtained certificates. This role can be found in GitLab. To use this role with Ansible, add it to a requirements.yaml file in the following way:

roles:
  - name: hdacloud.certs
    src: git+https://code.fbi.h-da.de/hdacloud/ansible_certbot

These requirements can then be installed using the command ansible-galaxy install -r <path_to_requirements>.

Creating a playbook

When the role is installed, create a simple playbook that runs the role. This can be done in two ways: either via lego or via certbot, depending on whether you use the DNS challenge or a standalone web server to obtain the certificates.

We recommend the DNS challenge, because you do not need to open any ports on your instance in order to obtain certificates. Furthermore, using a DNS challenge instead of a web server makes it possible to obtain certificates for h_da internal services (e.g. instances with *-hdaonly security groups).

This guide shows how to make use of the OpenStack DNS servers within your project's zone to complete the ACME DNS challenge. In order to use this mode, you need to create an application credential first.

Creating an Application Credential

An application credential can be obtained either via the web dashboard or via the CLI.

Head over to Identity → Application Credentials. Click the +Create Application Credential button on the right. In the dialog, enter a name and confirm.

When the credential is created it will show you the secret's ID as well as the secret itself.


Important

Take note of the application credential's secret here and store it somewhere safe, as you will not be able to access it again. For Ansible consider storing it in an Ansible Vault.

If you have not set up CLI access before, follow this guide and then return here. An application credential can then be created with the following command:

$ openstack application credential create <app_cred_name>


Using the Ansible Role

Take the following task as an example:

Example Ansible Task
- name: Obtain LE Certificates
  ansible.builtin.import_role:
    name: hdacloud.certs
  vars:
    cert_fqdns:
      - "{{ your_fqdn }}"
    admin_email: "<email>"
    dns_challenge: true
    lego_version: "4.11.0"
    lego_dns_provider: "designate"
    dns_provider_auth_env_variables:
      OS_AUTH_URL: "https://h-da.cloud:13000"
      OS_REGION_NAME: "eu-central"
      OS_AUTH_TYPE: "v3applicationcredential"
      OS_APPLICATION_CREDENTIAL_ID: "{{ os_application_credential_id }}"
      OS_APPLICATION_CREDENTIAL_SECRET: "{{ os_application_credential_secret }}"

This task will create a certificate for your provided FQDN using your previously created application credential. If you need the certificate to be valid for multiple FQDNs just add them to the list. However, if you need a single certificate per FQDN you will need to run the role in a loop.

More information on the role parameters can be found in its repository.

When your certificates were obtained correctly you can find them here: /var/lib/lego/certificates/${your_fqdn}.*.
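As an added example that is not part of this guide or the role's repository, the following playbook wraps the task above so that it issues one certificate per FQDN (the looped case mentioned above) and then checks that lego wrote the expected files. It assumes an inventory group named webservers, a vault-encrypted file vars/certs_vault.yml holding os_application_credential_id and os_application_credential_secret, and constructed sample FQDNs; note that import_role cannot be looped, so include_role is used instead.

```yaml
# Added example playbook (not from the h-da.cloud role repository).
# Assumes: role installed from the requirements.yaml above, inventory group
# "webservers", and vars/certs_vault.yml encrypted with `ansible-vault encrypt`.
- name: Obtain one Let's Encrypt certificate per FQDN via the Designate DNS challenge
  hosts: webservers
  become: true
  vars_files:
    - vars/certs_vault.yml        # assumed path; holds the application credential
  vars:
    admin_email: "<email>"
    instance_fqdns:               # constructed sample names, replace with yours
      - app.example.h-da.cloud
      - api.example.h-da.cloud
  tasks:
    # import_role is resolved statically and cannot be looped; include_role can.
    - name: Obtain LE certificate for each FQDN separately
      ansible.builtin.include_role:
        name: hdacloud.certs
      loop: "{{ instance_fqdns }}"
      loop_control:
        loop_var: current_fqdn
      vars:
        cert_fqdns:
          - "{{ current_fqdn }}"
        dns_challenge: true
        lego_version: "4.11.0"
        lego_dns_provider: "designate"
        dns_provider_auth_env_variables:
          OS_AUTH_URL: "https://h-da.cloud:13000"
          OS_REGION_NAME: "eu-central"
          OS_AUTH_TYPE: "v3applicationcredential"
          OS_APPLICATION_CREDENTIAL_ID: "{{ os_application_credential_id }}"
          OS_APPLICATION_CREDENTIAL_SECRET: "{{ os_application_credential_secret }}"

    # Fail early if lego did not write a certificate and key for every FQDN.
    - name: Check that certificate and key files exist for each FQDN
      ansible.builtin.stat:
        path: "/var/lib/lego/certificates/{{ item.0 }}.{{ item.1 }}"
      loop: "{{ instance_fqdns | product(['crt', 'key']) | list }}"
      register: cert_files
      failed_when: not cert_files.stat.exists
```

Run it with `ansible-playbook --ask-vault-pass certs.yml` (file name assumed) so the credential secret is only ever read from the vault.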

If you do not want to use the DNS challenge the role also implements a different way to obtain certificates using either a standalone web server provided by certbot or an existing one to complete the process of obtaining the certificate.

This requires your instance to allow inbound traffic on port 80. For this you might need to add a security group to your instance.

Using the Ansible Role

Depending on whether you are already running a web server on your instance, the variables passed to the Ansible role differ slightly.

Standalone web server (certbot serves the challenge on port 80 itself):
- name: Obtain LE Certificates
  ansible.builtin.import_role:
    name: hdacloud.certs
  vars:
    cert_fqdns:
      - "{{ your_fqdn }}"
    admin_email: "<email>"
    dns_challenge: false

Existing web server (certbot places the challenge file in a directory your web server already serves on port 80):
- name: Obtain LE Certificates
  ansible.builtin.import_role:
    name: hdacloud.certs
  vars:
    cert_fqdns:
      - "{{ your_fqdn }}"
    admin_email: "<email>"
    dns_challenge: false
    certbot_webroot: <path_served_already>  # a directory already served by your web server on port 80

This task will create a certificate for your provided FQDN using the HTTP challenge on port 80. If you need the certificate to be valid for multiple FQDNs, just add them to the list. However, if you need a single certificate per FQDN, you will need to run the role in a loop.

More information on the role parameters can be found in its repository.

When your certificates were obtained correctly you can find them here: /etc/letsencrypt/live/${your_fqdn}/.

Option 2: Using certbot by itself

If you are not comfortable using Ansible or just do not want to use the role, you can also use certbot by itself on your instance. As certbot provides a quick guide on how to use it to obtain a certificate and make it work with most of the common web servers, we will not go into detail here.

The certbot guide is available at certbot.eff.org/instructions. Here you can select your web server as well as the operating system you are running and will be provided with a quick guide to obtain a certificate.

Closing words

Obviously you can choose to obtain certificates in a different way than the options described here. This guide only serves as an orientation. However, note that the certificate functionality of the SD-Tool should not be used for OpenStack instances.