OS_TARGET_CACERT or --os-target_cacert both not work, still report CERTIFICATE_VERIFY_FAILED

Also I tried to set mistral.conf:
[keystone_authtoken]
cafile = /tmp/openstack.crt
auth_uri = https://.../v3

And in client to set OpenStack RC info:
Openstack RC info:
export MISTRAL_URL="http://localhost:8989/v2"
export OS_AUTH_URL=https://.../v3
export OS_USERNAME=...
export OS_PROJECT_NAME=...
export OS_PASSWORD=...
export OS_CACERT=/tmp/openstack.crt
export OS_REGION_NAME=RegionOne
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default

But it still report the same error. And the traceback is:
2018-07-20 03:06:39.509 766 WARNING mistral.actions.openstack.base [req-1a06d85f-32ea-4e89-b8ef-7a59d855021a - - - - -] Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/mistral/actions/openstack/base.py", line 115, in run
    method = self._get_client_method(self._get_client(context))
  File "/usr/lib/python2.7/site-packages/mistral/actions/openstack/base.py", line 84, in _get_client
    return self._create_client(context)
  File "/usr/lib/python2.7/site-packages/mistral/actions/openstack/actions.py", line 89, in _create_client
    nova_endpoint = self.get_service_endpoint()
  File "/usr/lib/python2.7/site-packages/mistral/actions/openstack/base.py", line 108, in get_service_endpoint
    region_name=self.action_region
  File "/usr/lib/python2.7/site-packages/mistral/utils/openstack/keystone.py", line 161, in get_endpoint_for_project
    service_catalog = obtain_service_catalog(ctx)
  File "/usr/lib/python2.7/site-packages/mistral/utils/openstack/keystone.py", line 239, in obtain_service_catalog
    response = client().tokens.get_token_data(
  File "/usr/lib/python2.7/site-packages/mistral/utils/openstack/keystone.py", line 44, in client
    auth_url=auth_url
  File "/usr/lib/python2.7/site-packages/keystoneclient/v3/client.py", line 263, in __init__
    self.authenticate()
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 578, in authenticate
    resp = self.get_raw_token_from_identity_service(**kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v3/client.py", line 349, in get_raw_token_from_identity_service
    _('Authorization failed: %s') % e)
AuthorizationFailure: Authorization failed: SSL exception connecting to https://.../v3/auth/tokens: HTTPSConnectionPool(host='...', port=...): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),))

OS_TARGET_CACERT is a client side option. The cacert file is not transmitted to the Mistral server. It is the responsibility of the user to make sure that the Mistral Executor can communicate with the target cloud. That is, it must be able to open SSL connections to the target. This is a similar limitation to what is present for the std.ssh [1] action.

The documentation will be improved to describe these limitations for OS_TARGET_CACERT.

[1] https://docs.openstack.org/mistral/latest/user/wf_lang_v2.html#std-ssh

Fix proposed to branch: master
Review: https://review.openstack.org/584759

Reviewed: https://review.openstack.org/584759
Committed: https://git.openstack.org/cgit/openstack/python-mistralclient/commit/?id=9f197f3d770de3743646e4276e30bec489c424f5
Submitter: Zuul
Branch: master

commit 9f197f3d770de3743646e4276e30bec489c424f5
Author: Andras Kovi <email address hidden>
Date: Mon Jul 23 10:11:08 2018 +0200

    Clarify details about the target cacert parameter

    Change-Id: Ib913eb035c176026ef24a31f3f36926183285318
    Closes-Bug: #1782076

This issue was fixed in the openstack/python-mistralclient 3.7.0 release.