Reissue TLS certificates across the cloud


This page has been identified as being affected by the breaking changes introduced between versions 2.9.x and 3.x of the Juju client. Read support note Breaking changes between Juju 2.9.x and 3.x before continuing.


New certificates can be reissued to all cloud clients that are currently TLS-enabled, using the reissue-certificates action of the vault charm.

One use case for this operation is when a cloud’s existing application certificates have expired.


This operation may cause momentary downtime for all API services that are being issued new certificates. Plan for a short maintenance window of approximately 15 minutes, including post-operation verification tests.

Certificate inspection

TLS certificates can be inspected with the openssl command, with the output captured before and after the operation so that the two can be compared. In these examples, the Glance API is listening on

  1. Expiration dates:

echo | openssl s_client -showcerts -connect 2>/dev/null \
   | openssl x509 -inform pem -noout -text | grep Validity -A2

    Not Before: Sep 24 20:19:38 2021 GMT
    Not After : Sep 24 19:20:08 2022 GMT

  2. Certificate chain (every certificate the server presents, leaf first). The PEM blocks are taken directly from the s_client output, since openssl x509 -noout prints no PEM for sed to match:

echo | openssl s_client -showcerts -connect 2>/dev/null \
   | sed -n '/-----BEGIN/,/-----END/p'




To reissue certificates to all TLS-enabled clients, run the reissue-certificates action on the vault leader unit. The action issues the clients' certificates from the root CA that Vault currently holds; it does not renew that CA, so confirm the CA itself is still valid first, otherwise the reissued certificates will not chain to a root the clients trust:

juju run vault/leader reissue-certificates

The output of the juju status command for the model will show activity (agent state executing) for each affected application as its units update their endpoints via hook calls, for example:

Unit                         Workload  Agent      Machine  Public address  Ports              Message
ceph-mon/0                   active    idle       0/lxd/0                         Unit is ready and clustered
ceph-mon/1                   active    idle       1/lxd/0                         Unit is ready and clustered
ceph-mon/2*                  active    idle       2/lxd/0                         Unit is ready and clustered
ceph-osd/0*                  active    idle       0                         Unit is ready (1 OSD)
ceph-osd/1                   active    idle       1                         Unit is ready (1 OSD)
ceph-osd/2                   active    idle       2                         Unit is ready (1 OSD)
cinder/0*                    active    executing  1/lxd/1      8776/tcp           Unit is ready
  cinder-ceph/0*             active    idle                               Unit is ready
  cinder-mysql-router/0*     active    idle                               Unit is ready
glance/0*                    active    executing  2/lxd/1      9292/tcp           Unit is ready
  glance-mysql-router/0*     active    idle                               Unit is ready
keystone/0*                  active    executing  0/lxd/1      5000/tcp           Unit is ready
  keystone-mysql-router/0*   active    idle                               Unit is ready
mysql-innodb-cluster/0       active    executing  0/lxd/2                         Unit is ready: Mode: R/O, Cluster is ONLINE and can tolerate up to ONE failure.
mysql-innodb-cluster/1       active    executing  1/lxd/2                         Unit is ready: Mode: R/O, Cluster is ONLINE and can tolerate up to ONE failure.
mysql-innodb-cluster/2*      active    executing  2/lxd/2                         Unit is ready: Mode: R/W, Cluster is ONLINE and can tolerate up to ONE failure.
neutron-api/0*               active    idle       1/lxd/3      9696/tcp           Unit is ready
  neutron-api-plugin-ovn/0*  active    executing                          Unit is ready
  neutron-mysql-router/0*    active    idle                               Unit is ready
nova-cloud-controller/0*     active    executing  0/lxd/3      8774/tcp,8775/tcp  Unit is ready
  nova-mysql-router/0*       active    idle                               Unit is ready
nova-compute/0*              active    idle       0                         Unit is ready
  ntp/0*                     active    idle            123/udp            chrony: Ready
  ovn-chassis/0*             active    executing                          Unit is ready
ovn-central/0                active    executing  0/lxd/4      6641/tcp,6642/tcp  Unit is ready (northd: active)
ovn-central/1                active    executing  1/lxd/4      6641/tcp,6642/tcp  Unit is ready
ovn-central/2*               active    executing  2/lxd/3      6641/tcp,6642/tcp  Unit is ready (leader: ovnnb_db, ovnsb_db)
placement/0*                 active    executing  2/lxd/4      8778/tcp           Unit is ready
  placement-mysql-router/0*  active    idle                               Unit is ready
rabbitmq-server/0*           active    idle       2/lxd/5      5672/tcp           Unit is ready
vault/0*                     active    idle       0/lxd/5      8200/tcp           Unit is ready (active: true, mlock: disabled)
  vault-mysql-router/0*      active    idle                               Unit is ready


Verify that cloud service endpoints are available and are using HTTPS:

openstack endpoint list

Sample output:

| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                          |
| 181cc040c4c141d78a0f942dd584ac22 | RegionOne | keystone     | identity     | True    | public    |   |
| 235bd5e3831443afb4bf46929d1840c8 | RegionOne | placement    | placement    | True    | public    |      |
| 2dd78e0f745b4bd49f92256d95187a30 | RegionOne | keystone     | identity     | True    | admin     |  |
| 39773c0683da4a0bb60909c12e7db69a | RegionOne | nova         | compute      | True    | public    | |
| 49e72a65aa2f441db8e78e641bf6fe0c | RegionOne | placement    | placement    | True    | admin     |      |
| 566e4d3850c64da38274e53a556eebe9 | RegionOne | neutron      | network      | True    | public    |      |
| 7a803410e3344ce6912b7124b486ef4a | RegionOne | nova         | compute      | True    | admin     | |
| 823c22a4951549169714d9e368dfe760 | RegionOne | nova         | compute      | True    | internal  | |
| 9231f55f7d23442a9915a4321c3fc0e8 | RegionOne | placement    | placement    | True    | internal  |      |
| b0e384c7368f4110b770eb56c3d720e1 | RegionOne | neutron      | network      | True    | internal  |      |
| c658bd5a200d4111a31ae71e31503c35 | RegionOne | glance       | image        | True    | public    |      |
| ce49bdeb066b4e3bafa97eec7cfec657 | RegionOne | glance       | image        | True    | internal  |      |
| d320d4fc76574d2b806a8e88152b4ea1 | RegionOne | keystone     | identity     | True    | internal  |   |
| e6676dbb9e784e8880c00f6fbc8dd4b6 | RegionOne | glance       | image        | True    | admin     |      |
| ec5d565e34124cdd8e694aaef8705611 | RegionOne | neutron      | network      | True    | admin     |      |

Also confirm that cloud operations have resumed by running a routine battery of tests. Creating a VM is a good choice, since it exercises the Keystone, Glance, Nova, Placement and Neutron APIs together.
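The certificate-inspection and post-operation verification steps above can be automated so that every endpoint is checked, not only the one used in the examples. The script below is an added example, not part of the charm guide or of the vault charm: it records the serial, validity window and SHA-256 fingerprint of the leaf certificate served by each endpoint, takes one snapshot before the reissue-certificates action and one after, and reports any endpoint still serving its old certificate. The endpoint names (glance.example:9292, keystone.example:5000) and the file names endpoints.txt, before.tsv and after.tsv are assumptions; in a real run the host:port pairs come from openstack endpoint list.

```shell
#!/bin/sh
# Added example for this page; it is not part of the charm guide or the vault charm.
# Snapshots the leaf certificate identity (serial, validity window, SHA-256
# fingerprint) of each TLS endpoint so that a "before" snapshot can be compared
# with an "after" snapshot once reissue-certificates has run.
# Endpoint names and file names used here are constructed placeholders.

# Live capture: openssl's key=value summary of the certificate served at HOST:PORT.
capture_cert_fields() {
    echo | openssl s_client -connect "$1" -servername "${1%%:*}" 2>/dev/null \
        | openssl x509 -noout -serial -dates -fingerprint -sha256
}

# Normalise the key=value lines on stdin into one record:
#   serial|notBefore|notAfter|sha256-fingerprint
# (OpenSSL 1.1 prints "SHA256 Fingerprint=", OpenSSL 3 "sha256 Fingerprint=".)
to_record() {
    awk -F= '
        $1 == "serial"         { serial = $2 }
        $1 == "notBefore"      { nb = $2 }
        $1 == "notAfter"       { na = $2 }
        $1 ~ /[Ff]ingerprint$/ { fp = $2 }
        END { printf "%s|%s|%s|%s\n", serial, nb, na, fp }'
}

# Write one "endpoint<TAB>record" line per host:port listed in file $1 into file $2.
snapshot_endpoints() {
    while read -r ep; do
        [ -n "$ep" ] || continue
        printf '%s\t%s\n' "$ep" "$(capture_cert_fields "$ep" | to_record)"
    done < "$1" > "$2"
}

# Compare a before-snapshot ($1) with an after-snapshot ($2). Prints one line per
# endpoint (RENEWED, UNCHANGED or MISSING) and returns 1 unless every endpoint
# now serves a different certificate than it did before.
compare_snapshots() {
    awk -F'\t' '
        NR == FNR { before[$1] = $2; next }
                  { after[$1] = $2 }
        END {
            rc = 0
            for (ep in before) {
                if (!(ep in after))               { print "MISSING   " ep; rc = 1 }
                else if (before[ep] == after[ep]) { print "UNCHANGED " ep; rc = 1 }
                else                              { print "RENEWED   " ep }
            }
            exit rc
        }' "$1" "$2"
}

# Offline demonstration on constructed data: glance receives a new certificate,
# keystone keeps serving the old one (dates taken from the page's example).
demo_compare() {
    old=$(printf 'serial=1A\nnotBefore=Sep 24 20:19:38 2021 GMT\nnotAfter=Sep 24 19:20:08 2022 GMT\nsha256 Fingerprint=AA:BB\n' | to_record)
    new=$(printf 'serial=2B\nnotBefore=Oct 01 09:00:00 2022 GMT\nnotAfter=Oct 01 09:00:00 2023 GMT\nsha256 Fingerprint=CC:DD\n' | to_record)
    before=$(mktemp); after=$(mktemp)
    printf 'glance.example:9292\t%s\nkeystone.example:5000\t%s\n' "$old" "$old" > "$before"
    printf 'glance.example:9292\t%s\nkeystone.example:5000\t%s\n' "$new" "$old" > "$after"
    if compare_snapshots "$before" "$after"; then rc=0; else rc=$?; fi
    rm -f "$before" "$after"
    return $rc
}

# Live use, with an assumed endpoints.txt holding one host:port per line:
#   snapshot_endpoints endpoints.txt before.tsv
#   juju run vault/leader reissue-certificates
#   snapshot_endpoints endpoints.txt after.tsv
#   compare_snapshots before.tsv after.tsv   # non-zero exit => some endpoint not renewed
```

The comparison deliberately keys on serial and fingerprint rather than on the expiry date alone: a reissued certificate is a new object with a new serial even when its validity window happens to look similar, and an endpoint whose fingerprint has not changed has not picked up the reissue regardless of what its dates say.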