Comment 1 for bug 1848456

I suspect that the ordering of the calls to juju is significant. i.e. if the juju config keystone is done first and allowed to settle prior to the juju config openstack-service-checks then the keystone will "know" it is SSL prior to the hook from openstack-service-checks firing.

However, there would appear be a race hazard if the above is the case. Probably both code paths (config-changed and identity-credentials-changed) should be investigated so that both end up (on keystone) triggering/writing the correct information to the relation for openstack-service-checks charm to consume properly.

Please could you check to see if keystone is done first (and settles) whether the problem clears or a different issue arises?