Comment 4 for bug 1762431

Nobuto Murata (nobuto) wrote :

https://github.com/openstack/charm-neutron-api/blob/stable/18.02/hooks/charmhelpers/contrib/hahelpers/apache.py#L84-L95

$ sha256sum /usr/local/share/ca-certificates/keystone_juju_ca_cert.crt
f2d19eb104885f6911cae938a34a10f5466df4f6ffef64b0871800ef1f65b0ff /usr/local/share/ca-certificates/keystone_juju_ca_cert.crt

$ head -n1 /usr/local/share/ca-certificates/keystone_juju_ca_cert.crt
-----BEGIN CERTIFICATE-----

^^^ plain text.

https://github.com/openstack/charm-neutron-api/blob/stable/18.02/hooks/charmhelpers/contrib/openstack/context.py#L803-L806
https://github.com/openstack/charm-neutron-api/blob/stable/18.02/hooks/charmhelpers/contrib/hahelpers/apache.py#L63-L73

$ juju run --unit neutron-api/0 'config-get ssl_ca | base64 -d | sha256sum'
f2d19eb104885f6911cae938a34a10f5466df4f6ffef64b0871800ef1f65b0ff -

^^^ with base64 decode, hashsum matches.

> if old_cert and old_cert == ca_cert:
>     log("CA cert is the same as installed version", level=INFO)

Wondering why those do not match for 2. below.

> 1. update-status hook shouldn't change the files. It should be read-only.
> 2. Even with other hooks, the charm shouldn't touch /etc/ssl/certs or /etc/ssl/certs/ca-certificates.crt if SSL related configurations are unchanged. Touching /etc/ssl/certs causes the service disruption as you see above.

1. is still valid though.
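
Point 2 above (leave the certificate file and trust store alone when the configured CA is unchanged), sketched as an added example; this is not the charm's or charmhelpers' code. `install_ca_if_changed` and `demo` are hypothetical names, and the PEM body is a constructed placeholder.

```python
import base64
import os
import tempfile


def install_ca_if_changed(ssl_ca_b64, cert_path):
    """Write the base64-decoded CA cert to cert_path only if content differs.

    Returns True when the file was (re)written, so the caller can skip
    update-ca-certificates (and the service disruption) when nothing changed.
    """
    # Decode once and compare bytes with bytes: in Python 3 a str never
    # compares equal to a bytes object, so both sides must be the same type.
    new_cert = base64.b64decode(ssl_ca_b64)
    try:
        with open(cert_path, "rb") as f:
            installed = f.read()
    except FileNotFoundError:
        installed = None  # first install
    if installed == new_cert:
        return False  # unchanged: do not touch the file or its mtime

    # Write to a temp file in the same directory, then rename atomically so
    # readers never observe a half-written certificate.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(cert_path) or ".")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(new_cert)
        os.chmod(tmp, 0o644)
        os.replace(tmp, cert_path)
    except BaseException:
        os.unlink(tmp)
        raise
    return True


def demo():
    # Constructed sample: placeholder PEM text, not a real certificate.
    pem = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    cfg = base64.b64encode(pem).decode()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "keystone_juju_ca_cert.crt")
        first = install_ca_if_changed(cfg, path)          # new file
        mtime = os.stat(path).st_mtime_ns
        second = install_ca_if_changed(cfg, path)         # same config value
        untouched = os.stat(path).st_mtime_ns == mtime
        rotated = install_ca_if_changed(base64.b64encode(pem + b"\n").decode(), path)
    return [first, second, untouched, rotated]


if __name__ == "__main__":
    print(demo())
```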