Hello, I've verified that the current -proposed package fixes the issue for us, for the given use case. Using the following deployment bundle on a Bionic + Rocky cloud http://paste.ubuntu.com/p/jnVdVvQg7k/ Without the patch, the problem is reproduced as expressed on the case description: ubuntu@niedbalski-bastion:~/stsstack-bundles/openstack/00268110$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.11:9312/v1/secrets/7aa7727d-f39b-45f8-9310-f5c595ad4feb" --secret="private_key=https://10.5.0.11:9312/v1/secrets/189736d1-51d8-4cbe-9638-ceadcbb664ac" --secret="intermediates=https://10.5.0.11:9312/v1/secrets/70e2cf9c-8110-4d25-a1e3-f7b6f3950e64" ubuntu@niedbalski-bastion:~/stsstack-bundles/openstack/00268110$ openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.11:9312/v1/containers/b548ab63-474d-4a94-b121-4eae8193fcc1" -- lb1 The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-c79fbcb1-06d8-47e4-9754-8066596ba262) With the patch applied in the following version: root@juju-be44b9-barbican-10:/home/ubuntu# dpkg -l |grep barbican ii python3-barbicanclient 4.6.0-0ubuntu1.1 all OpenStack Key Management API client - Python 3.x | https://10.5.0.11:9312/v1/containers/bd67d6f4-3a82-4a86-9679-c97a66ceeb19 | None | 2020-05-12T21:37:32+00:00 | ACTIVE | certificate | certificate=https://10.5.0.11:9312/v1/secrets/26ed5706-5f0a-4f9f-b226-e8595031515e | None | | | | | | | private_key=https://10.5.0.11:9312/v1/secrets/9a3bd926-6ba9-46be-8168-6b5e79e09b36 | | +---------------------------------------------------------------------------+----------------+---------------------------+--------+-------------+--------------------------------------------------------------------------------------+-----------+ The issue isn't longer reproducible and listeners can be created. ubuntu@niedbalski-bastion:~/stsstack-bundles/openstack/00268110$ openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener-2" --default-tls-container="https://10.5.0.11:9312/v1/containers/bd67d6f4-3a82-4a86-9679-c97a66ceeb19" -- lb2 +-----------------------------+---------------------------------------------------------------------------+ | Field | Value | +-----------------------------+---------------------------------------------------------------------------+ | admin_state_up | True | | connection_limit | -1 | | created_at | 2020-05-12T21:38:28 | | default_pool_id | None | | default_tls_container_ref | https://10.5.0.11:9312/v1/containers/bd67d6f4-3a82-4a86-9679-c97a66ceeb19 | | description | | | id | 971a679d-4a07-4012-8552-fac8f0f450ab | | insert_headers | None | | l7policies | | | loadbalancers | 9a49ae4e-4bae-451d-bcec-b22dadf1df29 | | name | test-listener-2 | | operating_status | OFFLINE | | project_id | 2ab451be592d468bad963a95a342e099 | | protocol | TERMINATED_HTTPS | | protocol_port | 443 | | provisioning_status | PENDING_CREATE | | sni_container_refs | [] | | timeout_client_data | 50000 | | timeout_member_connect | 5000 | | timeout_member_data | 50000 | | timeout_tcp_inspect | 0 | | updated_at | None | | client_ca_tls_container_ref | | | client_authentication | | | client_crl_container_ref | | | allowed_cidrs | | +-----------------------------+---------------------------------------------------------------------------+ ubuntu@niedbalski-bastion:~/stsstack-bundles/openstack/00268110$ openstack loadbalancer listener show 971a679d-4a07-4012-8552-fac8f0f450ab | grep tls | default_tls_container_ref | https://10.5.0.11:9312/v1/containers/bd67d6f4-3a82-4a86-9679-c97a66ceeb19 | | client_ca_tls_container_ref | | ubuntu@niedbalski-bastion:~/stsstack-bundles/openstack/00268110$ openstack loadbalancer listener show 971a679d-4a07-4012-8552-fac8f0f450ab | grep -i provis | provisioning_status | ACTIVE | Therefore, I am marking this verification as completed. Thanks for the help on this.