here you go: series: bionic applications: .. keystone: charm: cs:keystone-294 num_units: 1 to: - lxd:0 options: admin-password: dpcopopenstack openstack-origin: cloud:bionic-rocky os-public-hostname: dev.xxxx.xxxx.xxxx.net worker-multiplier: 0.25 annotations: gui-x: "500" gui-y: "0" .. vault: charm: cs:vault-12 series: xenial num_units: 1 to: - lxd:0 options: auto-generate-root-ca-cert: true totally-unsecure-auto-unlock: true annotations: gui-x: "750" gui-y: "250" machines: "0": constraints: root-disk=500000 instance-type=n1-highmem-16 relations: ... - - vault:shared-db - mysql:shared-db - - vault:certificates - keystone:certificates - - keystone:shared-db - mysql:shared-db ... BTW, I'm getting the same thing on this bundle too which we were using for other testing: machines: '0': series: bionic constraints: "instance-type=n1-standard-4 root-disk=500000" series: bionic variables: #openstack-origin: &openstack-origin distro openstack-origin: &openstack-origin cloud:bionic-rocky relations: - - keystone:shared-db - mysql:shared-db - - glance:shared-db - mysql:shared-db - - glance:identity-service - keystone:identity-service - - keystone - keystone-saml-mellon - - vault:shared-db - mysql:shared-db - - vault:certificates - keystone:certificates - - vault:certificates - glance:certificates - - vault:certificates - openstack-dashboard:certificates - - openstack-dashboard - keystone-saml-mellon - - keystone:websso-trusted-dashboard - openstack-dashboard:websso-trusted-dashboard - - openstack-dashboard:identity-service - keystone:identity-service applications: mysql: constraints: mem=3072M charm: cs:~openstack-charmers-next/percona-cluster num_units: 1 options: source: *openstack-origin to: - lxd:0 keystone: series: bionic charm: cs:~openstack-charmers-next/keystone num_units: 1 options: openstack-origin: *openstack-origin token-provider: 'fernet' token-expiration: 60 os-public-hostname: 'auth.xxxxvxx.customera.internal' to: - lxd:0 keystone-saml-mellon: series: bionic charm: cs:~openstack-charmers-next/keystone-saml-mellon num_units: 0 options: idp-name: 'samltest' protocol-name: 'mapped' user-facing-name: "samltest.id" subject-confirmation-data-address-check: False nameid-formats: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" resources: idp-metadata: './IdP_metadata_xxxx_domain.xml' sp-signing-keyinfo: './http_openstack_dev.xxxxxxx_5000_JustKeyInfo.xml' sp-private-key: './http_openstack_dev.xxxxxxxx_5000.pem' glance: charm: cs:~openstack-charmers-next/glance num_units: 1 options: openstack-origin: *openstack-origin to: - lxd:0 vault: num_units: 1 charm: cs:~openstack-charmers-next/vault options: # these options need changing for production auto-generate-root-ca-cert: true totally-unsecure-auto-unlock: true to: - lxd:0 openstack-dashboard: num_units: 1 charm: cs:~openstack-charmers-next/openstack-dashboard options: openstack-origin: *openstack-origin to: - lxd:0 which gives this: Model Controller Cloud/Region Version SLA Timestamp xxxxx-mellon1 google-controller google/us-east1 2.5.1 unsupported 13:28:44Z App Version Status Scale Charm Store Rev OS Notes glance 17.0.0 waiting 1 glance jujucharms 363 ubuntu keystone 14.0.1 error 1 keystone jujucharms 426 ubuntu keystone-saml-mellon 14.0.1 active 1 keystone-saml-mellon jujucharms 1 ubuntu mysql 5.7.20-29.24 active 1 percona-cluster jujucharms 332 ubuntu openstack-dashboard 14.0.1 waiting 1 openstack-dashboard jujucharms 411 ubuntu vault 1.0.3 active 1 vault jujucharms 47 ubuntu Unit Workload Agent Machine Public address Ports Message glance/0* waiting idle 0/lxd/0 252.5.238.180 9292/tcp Incomplete relations: identity keystone/0* error idle 0/lxd/1 252.5.235.27 5000/tcp hook failed: "shared-db-relation-changed" keystone-saml-mellon/0* active idle 252.5.235.27 Unit is ready mysql/0* active idle 0/lxd/2 252.5.239.57 3306/tcp Unit is ready openstack-dashboard/0* waiting idle 0/lxd/3 252.5.239.43 80/tcp,443/tcp Incomplete relations: identity vault/0* active idle 0/lxd/4 252.5.231.134 8200/tcp Unit is ready (active: true, mlock: disabled) Machine State DNS Inst id Series AZ Message 0 started 35.231.190.66 juju-f80d42-0 bionic us-east1-b RUNNING 0/lxd/0 started 252.5.238.180 juju-f80d42-0-lxd-0 bionic us-east1-b Container started 0/lxd/1 started 252.5.235.27 juju-f80d42-0-lxd-1 bionic us-east1-b Container started 0/lxd/2 started 252.5.239.57 juju-f80d42-0-lxd-2 bionic us-east1-b Container started 0/lxd/3 started 252.5.239.43 juju-f80d42-0-lxd-3 bionic us-east1-b Container started 0/lxd/4 started 252.5.231.134 juju-f80d42-0-lxd-4 bionic us-east1-b Container started Same lack of certs in /etc/apache2: ubuntu@juju-f80d42-0-lxd-1:/etc/apache2$ ls -ltr total 80 -rw-r--r-- 1 root root 320 Oct 10 18:59 ports.conf -rw-r--r-- 1 root root 31063 Oct 10 18:59 magic -rw-r--r-- 1 root root 1782 Oct 10 18:59 envvars -rw-r--r-- 1 root root 7224 Oct 10 18:59 apache2.conf drwxr-xr-x 2 root root 4096 Mar 28 11:37 conf-available drwxr-xr-x 2 root root 4096 Mar 28 11:37 conf-enabled drwxr-xr-x 2 root root 4096 Mar 28 11:38 sites-enabled drwxr-xr-x 2 root root 4096 Mar 28 11:39 sites-available drwxr-xr-x 2 root root 12288 Mar 28 11:40 mods-available drwxr-xr-x 2 root root 4096 Mar 28 11:42 mods-enabled Same error in keystone juju log: 2019-03-28 13:32:49 DEBUG shared-db-relation-changed RuntimeError: The call within manager.py failed with the error: 'Unable to establish connection to http://localhost:35337/v3/services?'. The call was: path=['list_services'], args=(), kwargs={}, api_version=None 2019-03-28 13:32:49 DEBUG shared-db-relation-changed /usr/lib/python3/dist-packages/keystoneauth1/adapter.py:200: UserWarning: Using keystoneclient sessions has been deprecated. Please update your software to use keystoneauth1. Nothing listening on 35337 hence why connection timeout. Happy to drop onto a call to demonstrate and give first hand access?