diff --git a/ansible/public-openrc.yml b/ansible/public-openrc.yml
index 49f60e739..4367773a0 100644
--- a/ansible/public-openrc.yml
+++ b/ansible/public-openrc.yml
@@ -8,9 +8,9 @@
     - public-openrc
   vars:
     public_api_proto: "{% if kolla_enable_tls_external | bool %}https{% else %}http{% endif %}"
-    public_api_vip_address: "{{ public_net_name | net_vip_address }}"
+    public_api_host: "{{ public_net_name | net_fqdn or public_net_name | net_vip_address }}"
     public_api_keystone_port: 5000
   roles:
     - role: public-openrc
       public_openrc_kolla_config_path: "{{ kolla_config_path }}"
-      public_openrc_auth_url: "{{ public_api_proto }}://{{ public_api_vip_address }}:{{ public_api_keystone_port }}"
+      public_openrc_auth_url: "{{ public_api_proto }}://{{ public_api_host }}:{{ public_api_keystone_port }}"
diff --git a/releasenotes/notes/use-public-fqdn-in-openrc-f7990958ceec817d.yaml b/releasenotes/notes/use-public-fqdn-in-openrc-f7990958ceec817d.yaml
new file mode 100644
index 000000000..999122468
--- /dev/null
+++ b/releasenotes/notes/use-public-fqdn-in-openrc-f7990958ceec817d.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    The ``public-openrc.sh`` file generated by Kayobe now uses the public
+    network FQDN for populating the OS_AUTH_URL variable instead of using the
+    public virtual IP address. If the FQDN variable is not set, the virtual IP
+    address remains used. This ensures better compatibility with TLS-enabled
+    deployments where certificates are generally tied to a hostname.