diff --git a/inventory/groups.yaml b/inventory/groups.yaml
index 68c8b26e9c..e9570033d0 100644
--- a/inventory/groups.yaml
+++ b/inventory/groups.yaml
@@ -72,8 +72,7 @@ groups:
     - kdc[0-9]*.open*.org
   kubernetes:
     - opendev-k8s*.opendev.org
-# letsencrypt:
-# - TBD
+  letsencrypt: []
   logstash:
     - logstash[0-9]*.open*.org
   logstash-worker:
diff --git a/playbooks/roles/letsencrypt-request-certs/tasks/acme.yaml b/playbooks/roles/letsencrypt-request-certs/tasks/acme.yaml
index 1c4672d4c6..f1f062d7a1 100644
--- a/playbooks/roles/letsencrypt-request-certs/tasks/acme.yaml
+++ b/playbooks/roles/letsencrypt-request-certs/tasks/acme.yaml
@@ -17,13 +17,17 @@
 - debug:
     var: acme_output.stdout_lines
 
-# NOTE(ianw): The output is domain:key which we split into a tuple
-# here. We don't make use of the domain part ATM; our default CNAME
-# setup points "_acme-challenge.host.acme.opendev.org" to just
-# "acme.opendev.org" so we put all the keys into "top-level" TXT
-# records directly at acme.opendev.org. letsencyrpt doesn't care; it
-# just follows the CNAME and enumerates all the TXT records in
-# acme.opendev.org looking for one that matches.
+# NOTE(ianw): The output is challenge-domain:txt-key which we split
+# into a tuple here. acme.sh by default puts the hostname into the
+# challenge domain it outputs. For simplicity, we don't actually make
+# use of the full challenge-domain part; our default CNAME setup
+# points "_acme-challenge.host.opendev.org" to just "acme.opendev.org"
+# -- thus we put all the keys into "top-level" TXT records directly at
+# acme.opendev.org. letsencyrpt doesn't care; it just follows the
+# CNAME and enumerates all the TXT records in acme.opendev.org looking
+# for one that matches. So even though we don't put it in the dns
+# records, having the hostname the TXT record is for is handy for
+# debugging, etc, so we pass it through.
 - set_fact:
     acme_txt_required: '{{ acme_txt_required + [(item.split(":")[0], item.split(":")[1])] }}'
   loop: '{{ acme_output.stdout_lines }}'
diff --git a/playbooks/roles/letsencrypt-request-certs/tasks/main.yaml b/playbooks/roles/letsencrypt-request-certs/tasks/main.yaml
index 50090e2297..3e252ef6ca 100644
--- a/playbooks/roles/letsencrypt-request-certs/tasks/main.yaml
+++ b/playbooks/roles/letsencrypt-request-certs/tasks/main.yaml
@@ -16,7 +16,8 @@
 #
 # All required TXT keys are put into acme_txt_required
 
-- include_tasks: acme.yaml
+- name: Generate certificate creation/renewal requests
+  include_tasks: acme.yaml
   loop: "{{ query('dict', letsencrypt_certs) }}"
   loop_control:
     loop_var: cert
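Review bot: The rewritten NOTE still carries the `letsencyrpt` misspelling from the old comment, in the added line `# acme.opendev.org. letsencyrpt doesn't care; it just follows the`; it should read `letsencrypt`. While the comment is being reworked it would also help to state the line format the following set_fact depends on, because `item.split(":")[1]` only works when every line of acme_output.stdout_lines contains a colon, e.g. `# Each stdout line is "<challenge-domain>:<txt-value>"; a line without ":" would presumably leave the [1] index undefined and fail the task.` The set_fact task's loop continues past the end of the hunk.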
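Review bot: The added task name is static, so each loop iteration still prints the whole `cert` item (the key/value dict produced by `query('dict', letsencrypt_certs)`) in the play output, which makes the new name less useful than it could be. A `label` under loop_control keeps the output to one identifier per iteration: `loop_control:` / `loop_var: cert` / `label: "{{ cert.key }}"`. This is a readability point only; the include and its loop behave the same.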