diff --git a/ansible/group_vars/cluster/settings.yml.example b/ansible/group_vars/cluster/settings.yml.example
index 57f70bd5221976ea03c6617fe7203c055b69c0bd..30b6ab2592ba03ba45651258773c2ef16df5f314 100644
--- a/ansible/group_vars/cluster/settings.yml.example
+++ b/ansible/group_vars/cluster/settings.yml.example
@@ -6,4 +6,12 @@ domain: "example.com"
 admin_email: "admin@example.com"
 # Label of this deployment.
 release_name: "test"
+# Keycloak administrator password. If you do not change this value, it gets
+# generated and stored in ./secrets/keycloak_admin_password. You can also choose
+# your own password and fill it in here instead.
 keycloak_password: "{{ lookup('password', './secrets/keycloak_admin_password') }}"
+# If this is "true" TLS certificates will be requested at the Let's Encrypt
+# staging server. If this is "false", you use Let's Encrypt's production server.
+# Note that LE's production server has stricter rate limits, so set this to
+# "true" when you are testing something.
+acme_staging: false
diff --git a/ansible/roles/configure_helmfile/templates/local.yaml.j2 b/ansible/roles/configure_helmfile/templates/local.yaml.j2
index 74cb2fd2043fc3e68e3c4adf3ccb58a2dbc856b9..b598f24419e1908d3642fff523765ea281a1b4cf 100644
--- a/ansible/roles/configure_helmfile/templates/local.yaml.j2
+++ b/ansible/roles/configure_helmfile/templates/local.yaml.j2
@@ -7,3 +7,5 @@ adminEmail: "{{ admin_email }}"
 # A label for the application releases. If you have multiple deployments
 # this allows you to distinguish them.
 releaseName: "{{ release_name }}"
+# Use Let's Encrypt staging server. Set this to `"false"` to use the live server
+acmeStaging: "{{ acme_staging }}"
diff --git a/test/ci-bootstrap.py b/test/ci-bootstrap.py
index 176b868f8e1064caa4db9c9ba02f1d3d7f9a1d66..2372188f2c1e4620c01355f92450d03631468479 100755
--- a/test/ci-bootstrap.py
+++ b/test/ci-bootstrap.py
@@ -177,6 +177,7 @@ if __name__ == "__main__":
     settings['ip_address'] = ip
     settings['domain'] = name + '.ci.openappstack.net'
     settings['admin_email'] = "admin@{0}".format(settings['domain'])
+    settings['acme_staging'] = "true"
 
     if not os.path.exists('./group_vars'):
         os.mkdir('./group_vars')