hook failed: "certificates-relation-changed" for vault:certificates due to SSLCertificateFile: file '/etc/apache2/ssl/keystone/cert_XXX' does not exist or is empty

Bug #1822952 reported by Frode Nordahl
This bug affects 1 person
Affects: OpenStack Keystone Charm | Status: Fix Released | Importance: Critical | Assigned to: Frode Nordahl | Milestone: (not set)

Bug Description

Steps to reproduce:
1. Deploy https://jujucharms.com/openstack-base/ modified to use next charms
2. Add Vault and initialize according to https://docs.openstack.org/project-deploy-guide/charm-deployment-guide/rocky/app-vault.html
3. Add certificate lifecycle management according to https://docs.openstack.org/project-deploy-guide/charm-deployment-guide/rocky/app-certificate-management.html

The Keystone charm will never finish the process.

In the logs you will find this:
2019-04-03 07:08:28 DEBUG certificates-relation-changed Enabling site openstack_https_frontend.
2019-04-03 07:08:28 DEBUG certificates-relation-changed To activate the new configuration, you need to run:
2019-04-03 07:08:28 DEBUG certificates-relation-changed systemctl reload apache2
2019-04-03 07:08:28 DEBUG certificates-relation-changed Job for apache2.service failed because the control process exited with error code.
2019-04-03 07:08:28 DEBUG certificates-relation-changed See "systemctl status apache2.service" and "journalctl -xe" for details.

journalctl shows this:
Apr 03 07:08:28 juju-7aa29b-3-lxd-1 systemd[1]: apache2.service: Failed to reset devices.list: Operation not permitted
Apr 03 07:08:28 juju-7aa29b-3-lxd-1 systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit apache2.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit apache2.service has begun starting up.
Apr 03 07:08:28 juju-7aa29b-3-lxd-1 apachectl[56435]: AH00526: Syntax error on line 8 of /etc/apache2/sites-enabled/openstack_https_frontend.conf:
Apr 03 07:08:28 juju-7aa29b-3-lxd-1 apachectl[56435]: SSLCertificateFile: file '/etc/apache2/ssl/keystone/cert_172.16.122.10' does not exist or is empty
Apr 03 07:08:28 juju-7aa29b-3-lxd-1 apachectl[56435]: Action 'start' failed.
Apr 03 07:08:28 juju-7aa29b-3-lxd-1 apachectl[56435]: The Apache error log may have more information.
Apr 03 07:08:28 juju-7aa29b-3-lxd-1 systemd[1]: apache2.service: Control process exited, code=exited status=1
Apr 03 07:08:28 juju-7aa29b-3-lxd-1 systemd[1]: apache2.service: Failed with result 'exit-code'.
Apr 03 07:08:28 juju-7aa29b-3-lxd-1 systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit apache2.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit apache2.service has failed.
--
-- The result is RESULT.

Manually starting apache2 will resolve the issue.

This appears to be a race condition where we attempt to (re)start the Apache process before the certificate data is written to disk.

Frode Nordahl (fnordahl) wrote :
description: updated
Frode Nordahl (fnordahl)
Changed in charm-keystone:
assignee: nobody → Frode Nordahl (fnordahl)
Frode Nordahl (fnordahl)
Changed in charm-keystone:
status: Triaged → In Progress
Frode Nordahl (fnordahl) wrote :

This appears to be happening only when the certificates relation is added post deploy.

I still think this is a critical issue though since following the referenced documentation leads you straight into this bug.

The issue can be consistently reproduced and I'm working on adding a functional test to this effect along with a fix for the bug.

Frode Nordahl (fnordahl) wrote :

The ``certificates-relation-changed`` hook fires without the *.processed_requests relation data set.

In this situation the process_certificates() function will correctly not write any certs, but the hook code still configures and restarts Apache.

The process_certificates() function should be updated to return a success/failure status and the charm should act accordingly.
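Added example, not the charm's own code: a Python sketch of the guard this comment asks for, where the hook writes certificate files only when the ``<unit>.processed_requests`` relation key is present and skips the Apache restart otherwise. The JSON layout of that key, the unit name ``keystone_0``, the PEM placeholders and the hook-firing sequence are assumptions constructed for the example; the CN matches the path in the log above.

```python
import json
import os
import tempfile


def process_certificates(relation_data, ssl_dir, unit_name):
    """Write cert/key files from relation data; return True only if any were written.

    '<unit>.processed_requests' is the key named in the bug; the JSON layout
    {cn: {"cert": ..., "key": ...}} is an assumption for this example.
    """
    raw = relation_data.get(f"{unit_name}.processed_requests")
    if not raw:
        return False  # hook fired before Vault published any certificate
    wrote = False
    for cn, entry in json.loads(raw).items():
        if not entry.get("cert") or not entry.get("key"):
            continue
        os.makedirs(ssl_dir, exist_ok=True)
        with open(os.path.join(ssl_dir, f"cert_{cn}"), "w") as f:
            f.write(entry["cert"])
        with open(os.path.join(ssl_dir, f"key_{cn}"), "w") as f:
            f.write(entry["key"])
        wrote = True
    return wrote


def cert_file_usable(ssl_dir, cn):
    """Apache's own precondition for SSLCertificateFile: exists and is non-empty."""
    path = os.path.join(ssl_dir, f"cert_{cn}")
    return os.path.isfile(path) and os.path.getsize(path) > 0


def certificates_relation_changed(relation_data, ssl_dir, unit_name, cn, restart):
    """Hook body with the fix: touch Apache only after certs were really written."""
    if not process_certificates(relation_data, ssl_dir, unit_name):
        return "deferred"
    if not cert_file_usable(ssl_dir, cn):
        return "deferred"
    restart()  # stands in for the charm's apache2 restart
    return "configured"


def simulate():
    """Constructed sequence: the hook fires once without data, then with it."""
    ssl_dir = os.path.join(tempfile.mkdtemp(), "keystone")
    cn, unit, restarts = "172.16.122.10", "keystone_0", []
    first = certificates_relation_changed({}, ssl_dir, unit, cn, lambda: restarts.append(1))
    data = {f"{unit}.processed_requests": json.dumps({cn: {"cert": "CERT-PEM", "key": "KEY-PEM"}})}
    second = certificates_relation_changed(data, ssl_dir, unit, cn, lambda: restarts.append(1))
    return first, second, len(restarts), cert_file_usable(ssl_dir, cn)
```

The first firing returns "deferred" without a restart, which is exactly the case that previously produced the empty SSLCertificateFile error.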

OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/651180

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone (master)

Reviewed: https://review.openstack.org/651180
Committed: https://git.openstack.org/cgit/openstack/charm-keystone/commit/?id=0faecdf97ae12af4949f670eb95c30e9a43648e6
Submitter: Zuul
Branch: master

commit 0faecdf97ae12af4949f670eb95c30e9a43648e6
Author: Frode Nordahl <email address hidden>
Date: Tue Apr 9 11:53:00 2019 +0200

    Defer processing of certificates until cert present

    When ``certificates-relation-changed`` hook is called before the
    certificate data is present on the relation do not attempt to
    configure apache.

    Change-Id: If915451d4b0846023355edcf3a49f643e12c7522
    Closes-Bug: #1822952

Changed in charm-keystone:
status: In Progress → Fix Committed
David Ames (thedac)
Changed in charm-keystone:
status: Fix Committed → Fix Released