We have fixed our SSL certificates setup on both the controller node (my-controller.example.com) hosting the designate service and the networking node hosting the neutron services. On the network node, we can do the following:

- openstack token issue
- TOKEN="idofthetoken"
- curl -v -H "X-Auth-Token: $TOKEN" https://my-controller.example.com:9001/v2/zones?name=myzone.example.com

obtaining the following reply:

    *   Trying 10.138.0.7:9001...
    * Connected to my-controller.example.com (10.138.0.7) port 9001 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
    * TLSv1.0 (OUT), TLS header, Certificate Status (22):
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS header, Certificate Status (22):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS header, Finished (20):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    * TLSv1.2 (OUT), TLS header, Finished (20):
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS header, Unknown (23):
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: C=IT; ST=Roma; O=Istituto Nazionale di Fisica Nucleare; CN=my-controller.example.com
    *  start date: Jul 23 00:00:00 2024 GMT
    *  expire date: Jul 23 23:59:59 2025 GMT
    *  subjectAltName: host "my-controller.example.com" matched cert's "my-controller.example.com"
    *  issuer: C=NL; O=GEANT Vereniging; CN=GEANT OV RSA CA 4
    *  SSL certificate verify ok.
    * TLSv1.2 (OUT), TLS header, Unknown (23):
    > GET /v2/zones?name=myzone.example.com HTTP/1.1
    > Host: my-controller.example.com:9001
    > User-Agent: curl/7.76.1
    > Accept: */*
    > X-Auth-Token: gAAAAABmn73qEXjhYYq-OE5RYZOjcXBk5W0W7r-W4s0ap6RHqTntuUsRmAp1p34dXNEzPWr0ZGtU-41JAGobqrxnT3Eia8RiWq0bz27knGo_g5jHLPc6L3CpP9LcfT_xB7WW6Y_mdouLOKI90G0QWc0BOBYnxP6GJ2udOi48n4EboKffmQVlunA
    >
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * old SSL session ID is stale, removing
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < Date: Tue, 23 Jul 2024 14:28:20 GMT
    < Server: Apache
    < Content-Length: 142
    < x-openstack-request-id: req-13a3f65c-b823-4a46-866e-97b30a0669cf
    < Vary: Accept-Encoding
    < Content-Type: application/json
    <
    * Connection #0 to host my-controller.example.com left intact
    {"zones": [], "links": {"self": "https://my-controller.example.com:9001/v2/zones?name=myzone.example.com"}, "metadata": {"total_count": 0}}

While, if we try to create a floating IP filling in the DNS domain and name info, or delete it later, we get the following error in /var/log/httpd/neutron_wsgi_error_ssl.log:

    2024-07-23 16:32:58.620 43553 ERROR neutron.pecan_wsgi.hooks.translation keystoneauth1.exceptions.connection.SSLError: SSL exception connecting to https://my-controller.example.com:9001/v2/zones?name=myzone.example.com.: HTTPSConnectionPool(host='my-controller.example.com', port=9001): Max retries exceeded with url: /v2/zones?name=myzone.example.com. (Caused by SSLError(SSLError(524297, '[SSL] PEM lib (_ssl.c:4065)')))

It is also worth mentioning that we see no relevant logs in /var/log/httpd/designate_wsgi_*.log
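Added example, not part of the original post or of any OpenStack project code. An `[SSL] PEM lib` SSLError is raised by OpenSSL while it parses a local PEM file (CA bundle, client certificate or key) that the client hands to the SSL context, before any TLS handshake takes place; under OpenSSL 3 the numeric code 524297 in the traceback is the ERR_R_PEM_LIB reason code. That is consistent with the curl handshake above succeeding while neutron's keystoneauth1 client fails: the server side is fine, but one of the files the client loads is not parseable. keystoneauth1 builds its requests session from its `cafile`, `certfile` and `keyfile` options; it is assumed here (not stated in the post) that the designate driver in neutron takes them from the `[designate]` section of neutron.conf. The script below loads the same files into an `ssl.SSLContext` exactly as the client would and reports which one OpenSSL rejects, so the failing file can be identified offline. The `demo()` function runs it on constructed inputs (a non-PEM file and a missing path); on the network node you would call `probe_tls_files()` with the real paths instead, as the user the neutron WSGI process runs as, since an unreadable file produces a permission error rather than a PEM error.

```python
"""Pre-flight check for the PEM files a keystoneauth1/requests session hands to OpenSSL."""
import os
import ssl
import tempfile


def describe(exc):
    """Flatten an OpenSSL-side exception into one greppable line."""
    if isinstance(exc, ssl.SSLError):
        # exc.args[0] is the OpenSSL reason code that keystoneauth1 printed
        # (524297 == ERR_R_PEM_LIB under OpenSSL 3); library/reason may be None.
        return (f"SSLError code={exc.args[0]} library={exc.library} "
                f"reason={exc.reason}: {exc}")
    return f"{type(exc).__name__}: {exc}"


def probe_tls_files(cafile=None, certfile=None, keyfile=None):
    """Load the given PEM files into an SSLContext the way requests does before
    opening a connection. Returns a dict mapping the option name to "ok" or to
    the exception text, so a "[SSL] PEM lib" error is pinned to a single file
    without touching the network."""
    findings = {}
    ctx = ssl.create_default_context()
    if cafile is not None:
        try:
            ctx.load_verify_locations(cafile=cafile)
            findings["cafile"] = "ok"
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            findings["cafile"] = describe(exc)
    if certfile is not None:
        try:
            # Client certificate plus (optionally separate) private key. A file
            # that is not PEM at all, or a garbled/encrypted key, fails here
            # with "[SSL] PEM lib"; a missing file raises FileNotFoundError.
            ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
            findings["certfile"] = "ok"
        except OSError as exc:
            findings["certfile"] = describe(exc)
    return findings


def demo():
    """Constructed inputs (not the poster's files): a file that is not PEM and a
    path that does not exist, standing in for a misconfigured certfile/cafile."""
    with tempfile.TemporaryDirectory() as tmp:
        garbage = os.path.join(tmp, "not-a-cert.pem")
        with open(garbage, "w") as fh:
            fh.write("this is not a PEM file\n")
        missing = os.path.join(tmp, "does-not-exist.pem")
        return {
            "garbage_cert": probe_tls_files(certfile=garbage),
            "garbage_ca": probe_tls_files(cafile=garbage),
            "missing_cert": probe_tls_files(certfile=missing),
        }


if __name__ == "__main__":
    for case, findings in demo().items():
        for option, result in findings.items():
            print(f"{case}: {option} -> {result}")
```

The three constructed cases separate the failure modes a practitioner confuses in this situation: a non-PEM certificate file reproduces the exact `[SSL] PEM lib` text from the neutron log, a non-PEM CA bundle fails with a different X509 error, and a wrong path fails with a plain file-not-found error rather than a PEM error.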