Hello,
I am trying to deploy an OpenStack overcloud, Victoria version.
My deploy configuration is:

openstack overcloud deploy --templates   -r /home/stack/templates/roles_data.yaml \
                                         -n /home/stack/network_data.yaml \
                                         -e /home/stack/templates/scheduler_hints_env.yaml \
                                         -e /home/stack/templates/network-isolation.yaml \
                                         -e /home/stack/templates/os-net-config-mapping.yaml \
                                         -e /home/stack/templates/node-info.yaml \
                                         -e /home/stack/containers-prepare-parameter.yaml \
                                         -e /home/stack/templates/host-map.yaml \
                                         -e /home/stack/templates/ips-from-pool-all.yaml \
                                         -e /home/stack/templates/network-environment.yaml \
                                         -e /home/stack/templates/net-multiple-nics-vlans.yaml \
                                         -e /home/stack/templates/ceph-ansible-external.yaml \
                                         -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml \
                                         -e /usr/share/openstack-tripleo-heat-templates/environments/services/haproxy-internal-tls-certmonger.yaml \
                                         -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml \
                                         -e /usr/share/openstack-tripleo-heat-templates/environments/services/octavia.yaml \
                                         -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml \
                                         -e /usr/share/openstack-tripleo-heat-templates/environments/disable-telemetry.yaml \
                                         -e /home/stack/templates/tls-parameters.yaml \
                                         -e /home/stack/templates/inject-trust-anchor.yaml

The generated httpd configuration for Horizon contains SSLVerifyClient.
But HAProxy fails its server availability check, because HAProxy does not send a client certificate when it attempts the check.

The generated configuration of the HAProxy backend is:
server host1 ip_host1:5000 ca-file /etc/ipa/ca.crt check fall 5 inter 2000 rise 2 ssl verify required verifyhost host1
server host2 ip_host2:5000 ca-file /etc/ipa/ca.crt check fall 5 inter 2000 rise 2 ssl verify required verifyhost host2
server host3 ip_host3:5000 ca-file /etc/ipa/ca.crt check fall 5 inter 2000 rise 2 ssl verify required verifyhost host3

If I try manually adding "crt /etc/pki/tls/certs/haproxy/overcloud-haproxy-internal_api.pem" to the server configuration in haproxy.conf, Horizon/dashboard works via HAProxy. But I'm not sure that's the right way.

Did I forget an environment file in the deploy configuration?

Thank you in advance for your assistance with this.

Best regards

Souppart Alexandre
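
A check for the condition described in this post, as an added example that is not part of the original message: it lists HAProxy `server` lines that use `ssl` but carry no `crt`, so they cannot present a client certificate to a backend that requires one. The section name `example_backend` and the `host4` line are constructed sample input.

```python
# Added example: flag HAProxy servers that cannot present a client certificate.
# Constructed sample input: host1-host3 mirror the post's backend lines; the
# section name and host4 (which carries "crt") are made up for contrast.
SAMPLE_CFG = """\
listen example_backend
  server host1 ip_host1:5000 ca-file /etc/ipa/ca.crt check fall 5 inter 2000 rise 2 ssl verify required verifyhost host1
  server host2 ip_host2:5000 ca-file /etc/ipa/ca.crt check fall 5 inter 2000 rise 2 ssl verify required verifyhost host2
  server host3 ip_host3:5000 ca-file /etc/ipa/ca.crt check fall 5 inter 2000 rise 2 ssl verify required verifyhost host3
  server host4 ip_host4:5000 ca-file /etc/ipa/ca.crt crt /etc/pki/tls/certs/haproxy/overcloud-haproxy-internal_api.pem check fall 5 inter 2000 rise 2 ssl verify required verifyhost host4
"""

SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}
# Only the value-taking server keywords that occur in this sample are listed.
TAKES_VALUE = {"ca-file", "crt", "verify", "verifyhost", "fall", "inter", "rise"}


def parse_server(line):
    """Split one 'server' line into name, address, bare flags and keyed options."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "server":
        return None
    srv = {"name": tok[1], "addr": tok[2], "flags": set(), "opts": {}}
    words = iter(tok[3:])
    for word in words:
        if word in TAKES_VALUE:
            srv["opts"][word] = next(words, None)
        else:
            srv["flags"].add(word)
    return srv


def servers_without_client_cert(cfg_text):
    """Return (section, server, health_checked) for ssl servers lacking 'crt'."""
    findings, section = [], None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.split()[0] in SECTIONS:
            section = line
            continue
        srv = parse_server(line)
        if srv and "ssl" in srv["flags"] and "crt" not in srv["opts"]:
            findings.append((section, srv["name"], "check" in srv["flags"]))
    return findings


if __name__ == "__main__":
    for section, name, checked in servers_without_client_cert(SAMPLE_CFG):
        print(f"{section}: {name} uses ssl without crt (health check: {checked})")
```
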