Comment 19 for bug 2015103

At the time of the identity-service-relation-changed hook failure, /etc/apache2/sites-enabled/openstack_https_frontend.conf hasn't been rendered since ApacheSSLContext won't render until there is certificate data on the relation.

At the time of the identity-service-relation-changed hook failure, we have:

$ juju exec --unit keystone/1 "relation-get -r certificates:245 - vault/0"
egress-subnets: 10.246.168.97/32
ingress-address: 10.246.168.97
private-address: 10.246.168.97

but show-unit shows the certificate data is available on the relation:

$ juju show-unit keystone/1
  - relation-id: 245
    endpoint: certificates
    related-endpoint: certificates
    application-data: {}
    related-units:
      vault/0:
        in-scope: true
        data:
          egress-subnets: 10.246.168.97/32
          ingress-address: 10.246.168.97
          ...
          keystone_1.processed_requests: '{"eth2.juju-ee22b4-4-lxd-7.nosilo.lab1.solutionsqa":
            {"cert": certificate data snipped>
            ...
          private-address: 10.246.168.97

After a lot of 'juju resolve --no-retry keystone/1' the relation-get started showing the certificate data and /etc/apache2/sites-enabled/openstack_https_frontend.conf was finally rendered as a result, and we see

$ netstat -dnlp | grep 353
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:35357 0.0.0.0:* LISTEN -
tcp6 0 0 :::35337 :::* LISTEN -
tcp6 0 0 :::35347 :::* LISTEN -
tcp6 0 0 :::35357 :::* LISTEN -