Merge "Set default external Let's Encrypt cert server" into stable/2025.1

Zuul · openstack-gerrit · commit bf1fc3b4fed0 · 2025-08-19T12:30:21.000Z
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
@@ -503,7 +503,7 @@ kuryr_port: "23750"
 
 letsencrypt_webserver_port: "8081"
 letsencrypt_managed_certs: "{{ '' if not enable_letsencrypt | bool else ('internal' if letsencrypt_internal_cert_server != '' and kolla_same_external_internal_vip | bool else ('internal,external' if letsencrypt_internal_cert_server != '' and letsencrypt_external_cert_server != '' else ('internal' if letsencrypt_internal_cert_server != '' else ('external' if letsencrypt_external_cert_server != '' and not kolla_same_external_internal_vip | bool else '')))) }}"
-letsencrypt_external_cert_server: ""
+letsencrypt_external_cert_server: "https://acme-v02.api.letsencrypt.org/directory"
 letsencrypt_internal_cert_server: ""
 
 magnum_internal_fqdn: "{{ kolla_internal_fqdn }}"
diff --git a/doc/source/admin/tls.rst b/doc/source/admin/tls.rst
@@ -316,19 +316,26 @@ to the HAProxy containers using SSH.
   with HAProxy.
 
 You can configure separate ACME servers for internal and external
-certificate requests.
-
-.. code-block:: yaml
-
-  letsencrypt_external_cert_server: "<ACME server URL for external cert>"
-  letsencrypt_internal_cert_server: "<ACME server URL for internal cert>"
-
-.. note::
-
-  The ``letsencrypt_external_cert_server`` has a default value of
-  ``https://acme-v02.api.letsencrypt.org/directory``. Ensure that
-  ``letsencrypt_internal_cert_server`` is reachable from the controller
-  if you configure it for internal certificate requests.
+certificate requests by setting server URL on
+``letsencrypt_internal_cert_server`` and
+``letsencrypt_external_cert_server`` respectively.
+The default is external certificate ACME server set to
+``https://acme-v02.api.letsencrypt.org/directory``.
+
+.. list-table:: Let's Encrypt management
+   :widths: 28 72
+   :header-rows: 1
+
+   * - Desired outcome
+     - Settings
+   * - External only (default)
+     - Enable Let's Encrypt; no further changes.
+   * - External + internal
+     - Set ``letsencrypt_internal_cert_server`` and ensure it is reachable
+       from the controller.
+   * - Internal only
+     - Set ``letsencrypt_external_cert_server: ""`` and set
+       ``letsencrypt_internal_cert_server``.
 
 .. _admin-tls-generating-a-private-ca:
 
diff --git a/releasenotes/notes/set-default-letsencrypt-external-cert-server-d34f9d783082d7d7.yaml b/releasenotes/notes/set-default-letsencrypt-external-cert-server-d34f9d783082d7d7.yaml
@@ -0,0 +1,13 @@
+---
+fixes:
+  - |
+    Restore the default Let's Encrypt ACME server for external certificates
+    so that enabling ``enable_letsencrypt`` works out of the box again
+    without explicitly setting ``letsencrypt_external_cert_server``. The
+    default is ``https://acme-v02.api.letsencrypt.org/directory``.
+upgrade:
+  - |
+    Deployments using a file-based external certificate and Let's Encrypt for
+    the internal certificate (separate VIPs) default to managing the external
+    certificate with Let's Encrypt. To retain a file-based external
+    certificate, set ``letsencrypt_external_cert_server: ""``.
