Update letsencrypt role docs to suggest a specific order

In reviews on https://review.opendev.org/819923 we discovered we are inconsistent in how we create certs. Suggest a specific course of action and record the reasoning. Change-Id: I974a1717a74e759ca8805dcb707efc7fe29ba53f
1 year ago · 7f96224ef9
parent e79dbbe6bb
commit 7f96224ef9
1 changed files with 5 additions and 3 deletions
--- a/playbooks/roles/letsencrypt-request-certs/README.rst
+++ b/playbooks/roles/letsencrypt-request-certs/README.rst
@ -39,7 +39,9 @@ provision process.
   certificate to create (i.e. a host can create multiple separate
   certificates).  Each key should have a list of hostnames valid for
   that certificate.  The certificate will be named for the *first*
-   entry.
+   entry.  Naming the cert for the service (rather than the hostname)
+   will simplify references to the file (for example in Apache
+   VirtualHost configs), so listing it first is preferred.

   For example:

@ -47,13 +49,13 @@ provision process.

     letsencrypt_certs:
       hostname-main-cert:
-         - hostname01.opendev.org
         - hostname.opendev.org
+         - hostname01.opendev.org
       hostname-secondary-cert:
         - foo.opendev.org

   will ultimately result in two certificates being provisioned on the
-   host in ``/etc/letsencrypt-certs/hostname01.opendev.org`` and
+   host in ``/etc/letsencrypt-certs/hostname.opendev.org`` and
   ``/etc/letsencrypt-certs/foo.opendev.org``.

   Note the creation role ``letsencrypt-create-certs`` will call a