From 15dc0d0ede49dcfbb3b0ce04e6e0d1f25abdf28e Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Tue, 12 Aug 2025 14:47:36 +0100
Subject: [PATCH] Set default external Let's Encrypt cert server
Currently, unless users set either external or internal cert server by themselves, enabling Let's Encrypt with ``enable_letsencrypt`` does nothing. This change makes the external certificate get managed by Let's Encrypt by default when Let's Encrypt is enabled. The server address is default Let's Encrypt ACME server [1] which was the former default before change [2].
[1] https://acme-v02.api.letsencrypt.org/directory
[2] https://review.opendev.org/c/openstack/kolla-ansible/+/925971
Closes-bug: #2120451
Change-Id: I10e800aede5966e030ed8e661e2eb45b126ff678
Signed-off-by: Seunghun Lee
---
 ansible/group_vars/all.yml | 2 +-
 doc/source/admin/tls.rst | 29 ++++++++++++-------
 ...external-cert-server-d34f9d783082d7d7.yaml | 13 +++++++++
 3 files changed, 32 insertions(+), 12 deletions(-)
 create mode 100644 releasenotes/notes/set-default-letsencrypt-external-cert-server-d34f9d783082d7d7.yaml
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 07a8ccb08b..7b5a4da658 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -504,7 +504,7 @@ kuryr_port: "23750"
 letsencrypt_webserver_port: "8081"
 letsencrypt_managed_certs: "{{ '' if not enable_letsencrypt | bool else ('internal' if letsencrypt_internal_cert_server != '' and kolla_same_external_internal_vip | bool else ('internal,external' if letsencrypt_internal_cert_server != '' and letsencrypt_external_cert_server != '' else ('internal' if letsencrypt_internal_cert_server != '' else ('external' if letsencrypt_external_cert_server != '' and not kolla_same_external_internal_vip | bool else '')))) }}"
-letsencrypt_external_cert_server: ""
+letsencrypt_external_cert_server: "https://acme-v02.api.letsencrypt.org/directory"
 letsencrypt_internal_cert_server: ""
 magnum_internal_fqdn: "{{ kolla_internal_fqdn }}"
diff --git a/doc/source/admin/tls.rst b/doc/source/admin/tls.rst
index b9e779f4bc..3183c45e8d 100644
--- a/doc/source/admin/tls.rst
+++ b/doc/source/admin/tls.rst
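Review bot: The new default is only consulted by the last branch of `letsencrypt_managed_certs` two lines above, `('external' if letsencrypt_external_cert_server != '' and not kolla_same_external_internal_vip | bool else '')`, so on a deployment where `kolla_same_external_internal_vip` is true (its default is not visible in this hunk) and `letsencrypt_internal_cert_server` is left empty the expression still evaluates to `''` and Let's Encrypt still manages nothing, which undercuts the "works out of the box" wording in the release note. If the single-VIP case is intentionally left unmanaged, a comment above the variable should say so, e.g. `# With a single VIP only letsencrypt_internal_cert_server is honoured; the external default below is ignored.`; otherwise the `not kolla_same_external_internal_vip` guard on that branch needs revisiting in the same change. Pointing the default at the production ACME directory also means every fresh deploy or repeated re-run that reaches the certificate request now counts against Let's Encrypt's per-domain rate limits, so the TLS docs should point test deployments at the staging directory rather than the production one.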
@@ -316,19 +316,26 @@ to the HAProxy containers using SSH. with HAProxy. You can configure separate ACME servers for internal and external -certificate requests. +certificate requests by setting server URL on +``letsencrypt_internal_cert_server`` and +``letsencrypt_external_cert_server`` respectively. +The default is external certificate ACME server set to +``https://acme-v02.api.letsencrypt.org/directory``. -.. code-block:: yaml +.. list-table:: Let's Encrypt management + :widths: 28 72 + :header-rows: 1 - letsencrypt_external_cert_server: "" - letsencrypt_internal_cert_server: "" - -.. note:: - - The ``letsencrypt_external_cert_server`` has a default value of - ``https://acme-v02.api.letsencrypt.org/directory``. Ensure that - ``letsencrypt_internal_cert_server`` is reachable from the controller - if you configure it for internal certificate requests. + * - Desired outcome + - Settings + * - External only (default) + - Enable Let's Encrypt; no further changes. + * - External + internal + - Set ``letsencrypt_internal_cert_server`` and ensure it is reachable + from the controller. + * - Internal only + - Set ``letsencrypt_external_cert_server: ""`` and set + ``letsencrypt_internal_cert_server``. .. _admin-tls-generating-a-private-ca: diff --git a/releasenotes/notes/set-default-letsencrypt-external-cert-server-d34f9d783082d7d7.yaml b/releasenotes/notes/set-default-letsencrypt-external-cert-server-d34f9d783082d7d7.yaml new file mode 100644 index 0000000000..07a1a3a4d3 --- /dev/null +++ b/releasenotes/notes/set-default-letsencrypt-external-cert-server-d34f9d783082d7d7.yaml 
@@ -0,0 +1,13 @@
+---
+fixes:
+ - |
+ Restore the default Let's Encrypt ACME server for external certificates
+ so that enabling ``enable_letsencrypt`` works out of the box again
+ without explicitly setting ``letsencrypt_external_cert_server``. The
+ default is ``https://acme-v02.api.letsencrypt.org/directory``.
+upgrade:
+ - |
+ Deployments using a file-based external certificate and Let's Encrypt for
+ the internal certificate (separate VIPs) default to managing the external
+ certificate with Let's Encrypt. To retain a file-based external
+ certificate, set ``letsencrypt_external_cert_server: ""``.