In deployments that use vault as a data store for certificates, charms are expected to be able to consume a 'tls-certificates' relation in order to receive CA certificates.
$ juju status --relations vault | grep cert
vault:certificates aodh:certificates tls-certificates regular
vault:certificates ceph-radosgw:certificates tls-certificates regular
vault:certificates cinder:certificates tls-certificates regular
vault:certificates designate:certificates tls-certificates regular
vault:certificates glance:certificates tls-certificates regular
vault:certificates gnocchi:certificates tls-certificates regular
vault:certificates heat:certificates tls-certificates regular
vault:certificates keystone:certificates tls-certificates regular
vault:certificates neutron-api:certificates tls-certificates regular
vault:certificates nova-cloud-controller:certificates tls-certificates regular
vault:certificates openstack-dashboard:certificates tls-certificates regular
The ceilometer charm does not implement such a relation, and is thus unable to validate the keystone certificate.
The workaround is to explicitly set ssl_ca in the ceilometer charm for now.
Subscribing field-high, this affects all new deployments using vault