If public_endpoint is set, the first call will be always public endpoint

Bug #1661503 reported by Yoshi Kadokawa
Affects: OpenStack Identity (keystone)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

I have set up a keystone service (Mitaka) on Ubuntu,
and it seems that the first call will always be to keystone's public api url,
when you have set "public_endpoint" in keystone.conf.

For example, when I do the following openstack commands, I always get the following error.

ubuntu@client:~$ openstack token issue
Unable to establish connection to http://10.12.2.2:5000/fuga/v3/auth/tokens

The keystone endpoints are like this:
public: http://10.12.2.2:5000/fuga/v3
admin: http://10.12.1.2:35357/fuga/v3
internal: http://10.12.3.2:5000/fuga/v3

The openstack client is installed on a client node, which is separate from the keystone node,
and this client node has no network access to the public API network.
So when accessing the public API, this is expected, but I have set the env variables like this:

ubuntu@client:~$ env | grep OS_
OS_USER_DOMAIN_NAME=default
OS_PROJECT_NAME=admin
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=openstack
OS_AUTH_URL=http://10.12.1.2:35357/fuga/v3
OS_USERNAME=admin
OS_INTERFACE=admin
OS_PROJECT_DOMAIN_NAME=default

Therefore, my expectation is that API access goes only through the admin URL.
I have also tried with the internal API URL, but get the same error.

And of course, if the client node has public API network access, the openstack client worked perfectly.
Also, if you just do not use the special path for the API URLs, that is, by not setting "public_api", it will also work perfectly.

According to this:
https://github.com/openstack/keystone/blob/stable/mitaka/keystone/version/service.py#L160
the "public" string is given, and here:
https://github.com/openstack/keystone/blob/stable/mitaka/keystone/common/wsgi.py#L372
the string is combined with "_endpoint", which becomes "public_endpoint",
and if the URL is set, this public URL will be the initial access.

I have attached some info,
- /etc/keystone/keystone.conf
- /etc/apache2/sites-enabled/wsgi-keystone.conf
- output with debug option

Lance Bragstad (lbragstad) wrote :

That configuration option acts as a hard-coded value for the public endpoint [0]. If left unset, the service will generate the endpoint from the request environment [1]. Try unsetting public_endpoint if you can and see if that helps your internal clients. External clients using the public endpoint should have the same experience since they are using port 5000 for requests.

Let me know if that helps.

[0] https://github.com/openstack/keystone/blob/025e844fc485c23be1de033473f3cadd7486b642/keystone/conf/default.py#L43-L49
[1] https://github.com/openstack/keystone/blob/025e844fc485c23be1de033473f3cadd7486b642/keystone/common/wsgi.py#L330-L337

Changed in keystone:
status: New → Invalid
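
The behaviour discussed in this report, as an added example that is not part of the original thread and is not keystone's own code: a simplified model of choosing the base URL advertised in version discovery, run against a request to the admin URL with public_endpoint set and unset. The function names, the request environment and the public_endpoint value (inferred from the public URL in the report) are assumptions.

```python
import re
from urllib.parse import urlsplit
from wsgiref.util import application_uri


def resolve_base_url(conf, environ, endpoint_type="public"):
    """Simplified model of how the discovery base URL is chosen."""
    configured = conf.get(f"{endpoint_type}_endpoint")
    if configured:
        # A configured value is used as-is, whatever interface the request hit.
        return configured.rstrip("/")
    # Otherwise derive scheme, host, port and path prefix from the request.
    url = application_uri(environ)
    # Drop a trailing version segment that may be part of SCRIPT_NAME.
    return re.sub(r"/v(3|2\.0)/*$", "", url).rstrip("/")


def discovery_href(conf, environ):
    """The v3 link a client would follow after version discovery."""
    return resolve_base_url(conf, environ) + "/v3/"


def leaves_requested_host(auth_url, href):
    """True when discovery sends the client to a host:port it did not contact."""
    return urlsplit(auth_url).netloc != urlsplit(href).netloc


# Constructed request environment: a client calling the admin URL from the report.
AUTH_URL = "http://10.12.1.2:35357/fuga/v3"
ENVIRON = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "10.12.1.2:35357",
    "SCRIPT_NAME": "/fuga/v3",
}
# Assumed setting, inferred from the public URL in the report; the attached
# keystone.conf is not reproduced on this page.
CONF_SET = {"public_endpoint": "http://10.12.2.2:5000/fuga"}
CONF_UNSET = {"public_endpoint": None}

if __name__ == "__main__":
    for name, conf in (("set", CONF_SET), ("unset", CONF_UNSET)):
        href = discovery_href(conf, ENVIRON)
        print(name, href, "redirected:", leaves_requested_host(AUTH_URL, href))
```

With the value set, the advertised link points at 10.12.2.2:5000, which matches the host in the "Unable to establish connection" error above; with it unset, the link stays on the address the client actually contacted.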