CCI-MOC / esi

Elastic Secure Infrastructure project

Undercloud CLI commands result in SSL errors #376

Open tzumainn opened 1 year ago

tzumainn commented 1 year ago

Temporary workaround: update clouds.yaml with verify: False

From IRC:

<sdanni> tzumainn: i might find the cause but not sure how to fix it. I found the cert haproxy using in haproxy config file which is /etc/pki/tls/private/overcloud_endpoint.pem. It's weird that it's using overcloud pem but this configuration file hasn't been changed since Mar 29, 2022. So i assume it's using overcloud pem all the time for some reason. The current /etc/pki/tls/private/overcloud_endpoint.pem is created on mar 1st, 2023. 
<sdanni> The old one was expired I guess. I ran openssl verify -verbose -CAfile /etc/pki/ca-trust/source/anchors/cm-local-ca.pem /etc/pki/tls/private/overcloud_endpoint.pem to verify this certificate and got the same ssl error: "unable to get local issuer certificate".
<sdanni> so I guess the situation is: the renewed overcloud.pem was not signed by undercloud CA, so we have this ssl certificate issue.
<sdanni> if you look at /var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg, you'll see the cert that has been used when making http calls
<tzumainn> from what you're saying, it sounds like there should be a new cert for the undercloud signed by the undercloud CA?
<tzumainn> and the undercloud should be configured to use that new cert instead of the overcloud cert?
<sdanni> i don't know why it used overcloud_endpoint.pem from the beginning. But it seems like this cert is renewed automatically but not configured correctly. Maybe we want to generate a new cert manually?
<sdanni> i also see another cert: /etc/pki/tls/cert.pem. This one is verified by local CA
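The check sdanni ran by hand (find the cert haproxy binds with, then `openssl verify` it against the undercloud CA) as a small script; this is an added example, not code from the ESI project, and it builds its own two-CA fixture in a temp directory instead of touching /etc/pki, so the paths and CA names it creates are constructed stand-ins for cm-local-ca.pem and overcloud_endpoint.pem.

```shell
#!/bin/sh
# Added example: verify that the certificate haproxy actually serves chains
# to the CA the clients trust. Requires the openssl CLI.
set -u

# Print the first "crt <path>" found on a haproxy "bind" line.
haproxy_cert_path() {
    awk '/^[[:space:]]*bind[[:space:]]/ {
        for (i = 1; i <= NF; i++) if ($i == "crt") { print $(i + 1); exit }
    }' "$1"
}

# Report expiry of the cert haproxy uses and verify its chain against $2.
# Returns openssl verify's status: 0 means the chain is OK, non-zero means
# the "unable to get local issuer certificate" situation from the issue.
check_haproxy_cert() {
    cfg="$1"; ca="$2"
    crt=$(haproxy_cert_path "$cfg")
    [ -n "$crt" ] || { echo "no crt directive in $cfg"; return 2; }
    echo "haproxy uses $crt ($(openssl x509 -noout -enddate -in "$crt"))"
    openssl verify -CAfile "$ca" "$crt"
}

# Constructed fixture (not real undercloud files): one CA standing in for
# cm-local-ca.pem, a second unrelated CA, and one leaf cert signed by each.
make_fixture() {
    d="$1"; mkdir -p "$d"
    for n in undercloud other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$n-ca" \
            -keyout "$d/$n-ca.key" -out "$d/$n-ca.pem" 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -subj "/CN=endpoint-$n" \
            -keyout "$d/$n-leaf.key" -out "$d/$n-leaf.csr" 2>/dev/null
        openssl x509 -req -in "$d/$n-leaf.csr" -CA "$d/$n-ca.pem" \
            -CAkey "$d/$n-ca.key" -CAcreateserial -days 30 \
            -out "$d/$n-leaf.pem" 2>/dev/null
    done
    # Two haproxy configs: one binding the correctly signed leaf, one binding
    # a leaf renewed under a different CA (the misconfiguration in the issue).
    printf 'frontend main\n    bind 0.0.0.0:13000 ssl crt %s\n' \
        "$d/undercloud-leaf.pem" > "$d/haproxy-good.cfg"
    printf 'frontend main\n    bind 0.0.0.0:13000 ssl crt %s\n' \
        "$d/other-leaf.pem" > "$d/haproxy-bad.cfg"
}
```

Run `make_fixture /tmp/esi-certs` and then `check_haproxy_cert /tmp/esi-certs/haproxy-bad.cfg /tmp/esi-certs/undercloud-ca.pem` to reproduce the failing verification; point it at the real haproxy.cfg and cm-local-ca.pem to check a live undercloud.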