diff --git a/playbooks/roles/letsencrypt-create-certs/defaults/main.yaml b/playbooks/roles/letsencrypt-create-certs/defaults/main.yaml index c273d03269..4c05902f44 100644 --- a/playbooks/roles/letsencrypt-create-certs/defaults/main.yaml +++ b/playbooks/roles/letsencrypt-create-certs/defaults/main.yaml @@ -1,2 +1,3 @@ letsencrypt_use_staging: False letsencrypt_self_sign_only: False +letsencrypt_self_generate_tokens: False diff --git a/playbooks/roles/letsencrypt-request-certs/README.rst b/playbooks/roles/letsencrypt-request-certs/README.rst index 57cb25e0fa..92695ef949 100644 --- a/playbooks/roles/letsencrypt-request-certs/README.rst +++ b/playbooks/roles/letsencrypt-request-certs/README.rst @@ -15,6 +15,17 @@ provision process. **Role Variables** +.. zuul:rolevar:: letsencrypt_self_generate_tokens + :default: False + + When set to ``True``, self-generate fake DNS-01 TXT tokens rather + than acquiring them through the ACME process with letsencrypt. + This avoids leaving "half-open" challenges during gate testing, + where we have no way to publish the DNS TXT records letsencrypt + gives us to complete the certificate issue. This should be + ``True`` if ``letsencrypt_self_sign_only`` is ``True`` (unless you + wish to specifically test the ``acme.sh`` operation). + .. zuul:rolevar:: letsencrypt_use_staging If set to True will use the letsencrypt staging environment, rather diff --git a/playbooks/roles/letsencrypt-request-certs/defaults/main.yaml b/playbooks/roles/letsencrypt-request-certs/defaults/main.yaml index 40f89a22be..371b55d6c3 100644 --- a/playbooks/roles/letsencrypt-request-certs/defaults/main.yaml +++ b/playbooks/roles/letsencrypt-request-certs/defaults/main.yaml @@ -1 +1,2 @@ -letsencrypt_use_staging: False \ No newline at end of file +letsencrypt_use_staging: False +letsencrypt_self_generate_tokens: False
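Review bot: The new `letsencrypt_self_generate_tokens: False` default in `letsencrypt-create-certs/defaults/main.yaml` has no matching documentation in this patch; the `zuul:rolevar` entry is added only to the `letsencrypt-request-certs` README. If `letsencrypt-create-certs` reads the variable, add the same rolevar entry to that role's README and say what the role does differently when it is `True`. If the role does not read it, drop the default from this file so the two copies cannot drift apart.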
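Review bot: Missing check in the `letsencrypt-request-certs` README hunk: the text says the variable "should be ``True`` if ``letsencrypt_self_sign_only`` is ``True``", but both default to `False` independently and nothing visible in the patch enforces or derives the pairing. Consider defaulting `letsencrypt_self_generate_tokens` to the value of `letsencrypt_self_sign_only`, or adding an assert task that fails when `letsencrypt_self_generate_tokens` is `True` while `letsencrypt_self_sign_only` is `False`, since fake TXT tokens cannot complete a real issuance. The README should also state what happens in that combination, and note that `letsencrypt_self_sign_only` is defined in the `letsencrypt-create-certs` defaults rather than in this role's defaults.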