Set default external Let's Encrypt cert server

Currently, unless users set either external or internal cert server by themselves, enabling Let's Encrypt with ``enable_letsencrypt`` does nothing. This change makes the external certificate get managed by Let's Encrypt by default when Let's Encrypt is enabled. The server address is default Let's Encrypt ACME server [1] which was the former default before change [2]. [1] https://acme-v02.api.letsencrypt.org/directory [2] https://review.opendev.org/c/openstack/kolla-ansible/+/925971 Closes-bug: #2120451 Change-Id: I10e800aede5966e030ed8e661e2eb45b126ff678 Signed-off-by: Seunghun Lee <seunghun@stackhpc.com>
2025-08-12 14:47:36 +01:00
parent ce798ce680
commit 15dc0d0ede
3 changed files with 32 additions and 12 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -504,7 +504,7 @@ kuryr_port: "23750"
 letsencrypt_webserver_port: "8081"
 letsencrypt_managed_certs: "{{ '' if not enable_letsencrypt | bool else ('internal' if letsencrypt_internal_cert_server != '' and kolla_same_external_internal_vip | bool else ('internal,external' if letsencrypt_internal_cert_server != '' and letsencrypt_external_cert_server != '' else ('internal' if letsencrypt_internal_cert_server != '' else ('external' if letsencrypt_external_cert_server != '' and not kolla_same_external_internal_vip | bool else '')))) }}"
-letsencrypt_external_cert_server: ""
+letsencrypt_external_cert_server: "https://acme-v02.api.letsencrypt.org/directory"
 letsencrypt_internal_cert_server: ""
 magnum_internal_fqdn: "{{ kolla_internal_fqdn }}"
--- a/doc/source/admin/tls.rst
+++ b/doc/source/admin/tls.rst
@@ -316,19 +316,26 @@ to the HAProxy containers using SSH.
  with HAProxy.
 You can configure separate ACME servers for internal and external
-certificate requests.
+certificate requests by setting server URL on
 ``letsencrypt_internal_cert_server`` and
 ``letsencrypt_external_cert_server`` respectively.
 The default is external certificate ACME server set to
 ``https://acme-v02.api.letsencrypt.org/directory``.
-.. code-block:: yaml
+.. list-table:: Let's Encrypt management
   :widths: 28 72
   :header-rows: 1
-  letsencrypt_external_cert_server: "<ACME server URL for external cert>"
+   * - Desired outcome
-  letsencrypt_internal_cert_server: "<ACME server URL for internal cert>"
+     - Settings
-
+   * - External only (default)
-.. note::
+     - Enable Let's Encrypt; no further changes.
-
+   * - External + internal
-  The ``letsencrypt_external_cert_server`` has a default value of
+     - Set ``letsencrypt_internal_cert_server`` and ensure it is reachable
-  ``https://acme-v02.api.letsencrypt.org/directory``. Ensure that
+       from the controller.
-  ``letsencrypt_internal_cert_server`` is reachable from the controller
+   * - Internal only
-  if you configure it for internal certificate requests.
+     - Set ``letsencrypt_external_cert_server: ""`` and set
       ``letsencrypt_internal_cert_server``.
 .. _admin-tls-generating-a-private-ca:
--- a/releasenotes/notes/set-default-letsencrypt-external-cert-server-d34f9d783082d7d7.yaml
+++ b/releasenotes/notes/set-default-letsencrypt-external-cert-server-d34f9d783082d7d7.yaml
@@ -0,0 +1,13 @@
 ---
 fixes:
  - |
    Restore the default Let's Encrypt ACME server for external certificates
    so that enabling ``enable_letsencrypt`` works out of the box again
    without explicitly setting ``letsencrypt_external_cert_server``. The
    default is ``https://acme-v02.api.letsencrypt.org/directory``.
 upgrade:
  - |
    Deployments using a file-based external certificate and Let's Encrypt for
    the internal certificate (separate VIPs) default to managing the external
    certificate with Let's Encrypt. To retain a file-based external
    certificate, set ``letsencrypt_external_cert_server: ""``.