Comment 0 for bug 1650350

Bjoern (bjoern-t) wrote : Newton: Haproxy and repo roles are not consistently configured for ssl

While the haproxy_server role enables SSL by default, it also generates a self-signed cert with

haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"

The repo-dependent roles like pip and all roles using pip seem to use http on the internal VIP

openstack_repo_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}"

which results in SSL errors

fatal: [infra01_galera_container-a200f8b8]: FAILED! => {"changed": false, "cmd": "/usr/local/bin/pip install -U --isolated --constraint https://172.19.43.253:8181/os-releases/14.0.3/requirements_absolute_requirements.txt ndg-httpsclient requests", "failed": true, "msg": "\n:stderr: /usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform.

and excessive use of fallback URLs

This is on Ubuntu 14.04

This issue can be worked around by setting proper URLs for
repo_pkg_cache_url, openstack_repo_url or just disabling SSL in haproxy via haproxy_ssl: false
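
A pre-flight check for the mismatch this report describes, as an added example that is not part of the original report or of the OpenStack-Ansible code. It assumes both repo URLs are served through the haproxy front end that haproxy_ssl controls; the variable names come from the report, while the sample values and the simple "{{ name }}" expansion (a stand-in for Ansible templating) are constructed.

```python
import re
from urllib.parse import urlsplit

# Variables named in the report that point clients at the repo server.
REPO_URL_VARS = ("openstack_repo_url", "repo_pkg_cache_url")
_TEMPLATE = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(value, variables, depth=5):
    """Expand simple '{{ name }}' references (stand-in for Ansible templating)."""
    value = str(value)
    for _ in range(depth):
        expanded = _TEMPLATE.sub(
            lambda m: str(variables.get(m.group(1), m.group(0))), value)
        if expanded == value:
            break
        value = expanded
    return value


def check_repo_schemes(variables):
    """Return (var, url, expected_scheme) for each repo URL that disagrees with haproxy_ssl."""
    # The report states that the haproxy_server role enables SSL by default.
    expected = "https" if variables.get("haproxy_ssl", True) else "http"
    findings = []
    for name in REPO_URL_VARS:
        if name not in variables:
            continue
        url = render(variables[name], variables)
        if urlsplit(url).scheme.lower() != expected:
            findings.append((name, url, expected))
    return findings


# Constructed sample values; 192.0.2.10 is a documentation address and
# both port numbers are placeholders.
SAMPLE_VARS = {
    "haproxy_ssl": True,
    "internal_lb_vip_address": "192.0.2.10",
    "repo_server_port": 8181,
    "openstack_repo_url": "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}",
    "repo_pkg_cache_url": "https://{{ internal_lb_vip_address }}:3142",
}

if __name__ == "__main__":
    for name, url, expected in check_repo_schemes(SAMPLE_VARS):
        print(f"{name}={url} but haproxy_ssl implies {expected}://")
```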