Set default external Let's Encrypt cert server

Currently, unless users set either external or internal cert server by themselves, enabling Let's Encrypt with ``enable_letsencrypt`` does nothing. This change makes the external certificate get managed by Let's Encrypt by default when Let's Encrypt is enabled. The server address is default Let's Encrypt ACME server [1] which was the former default before change [2]. [1] https://acme-v02.api.letsencrypt.org/directory [2] https://review.opendev.org/c/openstack/kolla-ansible/+/925971 Closes-bug: #2120451 Change-Id: I10e800aede5966e030ed8e661e2eb45b126ff678 Signed-off-by: Seunghun Lee <seunghun@stackhpc.com>
2025-08-12 14:47:36 +01:00
parent ce798ce680
commit 15dc0d0ede
3 changed files with 32 additions and 12 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -504,7 +504,7 @@ kuryr_port: "23750"

 letsencrypt_webserver_port: "8081"
 letsencrypt_managed_certs: "{{ '' if not enable_letsencrypt | bool else ('internal' if letsencrypt_internal_cert_server != '' and kolla_same_external_internal_vip | bool else ('internal,external' if letsencrypt_internal_cert_server != '' and letsencrypt_external_cert_server != '' else ('internal' if letsencrypt_internal_cert_server != '' else ('external' if letsencrypt_external_cert_server != '' and not kolla_same_external_internal_vip | bool else '')))) }}"
-letsencrypt_external_cert_server: ""
+letsencrypt_external_cert_server: "https://acme-v02.api.letsencrypt.org/directory"
 letsencrypt_internal_cert_server: ""

 magnum_internal_fqdn: "{{ kolla_internal_fqdn }}"
--- a/doc/source/admin/tls.rst
+++ b/doc/source/admin/tls.rst
@@ -316,19 +316,26 @@ to the HAProxy containers using SSH.
  with HAProxy.

 You can configure separate ACME servers for internal and external
-certificate requests.
+certificate requests by setting server URL on
+``letsencrypt_internal_cert_server`` and
+``letsencrypt_external_cert_server`` respectively.
+The default is external certificate ACME server set to
+``https://acme-v02.api.letsencrypt.org/directory``.

-.. code-block:: yaml
+.. list-table:: Let's Encrypt management
+   :widths: 28 72
+   :header-rows: 1

-  letsencrypt_external_cert_server: "<ACME server URL for external cert>"
-  letsencrypt_internal_cert_server: "<ACME server URL for internal cert>"
-
-.. note::
-
-  The ``letsencrypt_external_cert_server`` has a default value of
-  ``https://acme-v02.api.letsencrypt.org/directory``. Ensure that
-  ``letsencrypt_internal_cert_server`` is reachable from the controller
-  if you configure it for internal certificate requests.
+   * - Desired outcome
+     - Settings
+   * - External only (default)
+     - Enable Let's Encrypt; no further changes.
+   * - External + internal
+     - Set ``letsencrypt_internal_cert_server`` and ensure it is reachable
+       from the controller.
+   * - Internal only
+     - Set ``letsencrypt_external_cert_server: ""`` and set
+       ``letsencrypt_internal_cert_server``.

 .. _admin-tls-generating-a-private-ca:

--- a/releasenotes/notes/set-default-letsencrypt-external-cert-server-d34f9d783082d7d7.yaml
+++ b/releasenotes/notes/set-default-letsencrypt-external-cert-server-d34f9d783082d7d7.yaml
@@ -0,0 +1,13 @@
+---
+fixes:
+  - |
+    Restore the default Let's Encrypt ACME server for external certificates
+    so that enabling ``enable_letsencrypt`` works out of the box again
+    without explicitly setting ``letsencrypt_external_cert_server``. The
+    default is ``https://acme-v02.api.letsencrypt.org/directory``.
+upgrade:
+  - |
+    Deployments using a file-based external certificate and Let's Encrypt for
+    the internal certificate (separate VIPs) default to managing the external
+    certificate with Let's Encrypt. To retain a file-based external
+    certificate, set ``letsencrypt_external_cert_server: ""``.