diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index 07a8ccb08b..7b5a4da658 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -504,7 +504,7 @@ kuryr_port: "23750" letsencrypt_webserver_port: "8081" letsencrypt_managed_certs: "{{ '' if not enable_letsencrypt | bool else ('internal' if letsencrypt_internal_cert_server != '' and kolla_same_external_internal_vip | bool else ('internal,external' if letsencrypt_internal_cert_server != '' and letsencrypt_external_cert_server != '' else ('internal' if letsencrypt_internal_cert_server != '' else ('external' if letsencrypt_external_cert_server != '' and not kolla_same_external_internal_vip | bool else '')))) }}" -letsencrypt_external_cert_server: "" +letsencrypt_external_cert_server: "https://acme-v02.api.letsencrypt.org/directory" letsencrypt_internal_cert_server: "" magnum_internal_fqdn: "{{ kolla_internal_fqdn }}" diff --git a/doc/source/admin/tls.rst b/doc/source/admin/tls.rst index b9e779f4bc..3183c45e8d 100644 --- a/doc/source/admin/tls.rst +++ b/doc/source/admin/tls.rst 
@@ -316,19 +316,26 @@ to the HAProxy containers using SSH. with HAProxy. You can configure separate ACME servers for internal and external -certificate requests. +certificate requests by setting server URL on +``letsencrypt_internal_cert_server`` and +``letsencrypt_external_cert_server`` respectively. +The default is external certificate ACME server set to +``https://acme-v02.api.letsencrypt.org/directory``. -.. code-block:: yaml +.. list-table:: Let's Encrypt management + :widths: 28 72 + :header-rows: 1 - letsencrypt_external_cert_server: "" - letsencrypt_internal_cert_server: "" - -.. note:: - - The ``letsencrypt_external_cert_server`` has a default value of - ``https://acme-v02.api.letsencrypt.org/directory``. Ensure that - ``letsencrypt_internal_cert_server`` is reachable from the controller - if you configure it for internal certificate requests. + * - Desired outcome + - Settings + * - External only (default) + - Enable Let's Encrypt; no further changes. + * - External + internal + - Set ``letsencrypt_internal_cert_server`` and ensure it is reachable + from the controller. + * - Internal only + - Set ``letsencrypt_external_cert_server: ""`` and set + ``letsencrypt_internal_cert_server``. .. _admin-tls-generating-a-private-ca: diff --git a/releasenotes/notes/set-default-letsencrypt-external-cert-server-d34f9d783082d7d7.yaml b/releasenotes/notes/set-default-letsencrypt-external-cert-server-d34f9d783082d7d7.yaml new file mode 100644 index 0000000000..07a1a3a4d3 --- /dev/null +++ b/releasenotes/notes/set-default-letsencrypt-external-cert-server-d34f9d783082d7d7.yaml 
@@ -0,0 +1,13 @@ +--- +fixes: + - | + Restore the default Let's Encrypt ACME server for external certificates + so that enabling ``enable_letsencrypt`` works out of the box again + without explicitly setting ``letsencrypt_external_cert_server``. The + default is ``https://acme-v02.api.letsencrypt.org/directory``. +upgrade: + - | + Deployments using a file-based external certificate and Let's Encrypt for + the internal certificate (separate VIPs) default to managing the external + certificate with Let's Encrypt. To retain a file-based external + certificate, set ``letsencrypt_external_cert_server: ""``.
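Review bot: In the `ansible/group_vars/all.yml` hunk, setting `letsencrypt_external_cert_server` to the production ACME URL only changes behaviour for deployments with separate VIPs: with `kolla_same_external_internal_vip` true and no `letsencrypt_internal_cert_server`, the `letsencrypt_managed_certs` expression two lines above still evaluates to `''`, because the only branch that yields `external` on its own is `'external' if letsencrypt_external_cert_server != '' and not kolla_same_external_internal_vip | bool`, and every `internal` branch requires `letsencrypt_internal_cert_server`. If leaving the shared-VIP case unmanaged is intended, say so in the commit message; if not, the expression needs a shared-VIP branch, not just a new default. A short comment above the variable noting that `letsencrypt_managed_certs` is derived from it would also help the next person who sets it back to `""` and wonders why nothing is issued.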
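Review bot: In the `doc/source/admin/tls.rst` hunk, the table row `External only (default)` / `Enable Let's Encrypt; no further changes.` is only accurate when `kolla_same_external_internal_vip` is false; with a shared VIP and no `letsencrypt_internal_cert_server`, the `letsencrypt_managed_certs` expression in `group_vars/all.yml` evaluates to an empty string and no certificate is requested. Suggest stating that condition in the row (for example `Enable Let's Encrypt with separate internal and external VIPs; no further changes.`) and adding a shared-VIP row that points at `letsencrypt_internal_cert_server`. The new prose `by setting server URL on ... respectively.` and `The default is external certificate ACME server set to ...` reads awkwardly; something like `by setting the ACME server URL in` ``letsencrypt_internal_cert_server`` `and` ``letsencrypt_external_cert_server`` `respectively. By default only the external server is set, to` ``https://acme-v02.api.letsencrypt.org/directory``. is clearer and keeps the fact the removed `.. note::` carried. Since the default now points at the production directory, a one-line pointer to a non-production ACME directory for test deployments (Let's Encrypt publishes a staging directory) would spare operators from exercising production issuance on a misconfigured first run.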
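Review bot: In the release note, the `fixes` entry says enabling ``enable_letsencrypt`` "works out of the box again" without qualification, but per the `letsencrypt_managed_certs` expression this holds only when `kolla_same_external_internal_vip` is false; shared-VIP deployments still need `letsencrypt_internal_cert_server` to get any managed certificate, and the note should say so to avoid a second round of "it does nothing" reports. The `upgrade` entry is right about the `internal,external` outcome for separate VIPs, but it should tell operators to set ``letsencrypt_external_cert_server: ""`` before the upgrade run rather than after, since a file-based external certificate is otherwise taken over by Let's Encrypt management under the new default. Nit: "default to managing" reads as a description of current behaviour; "will now manage" makes the behaviour change explicit.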