So with the settings:

    kolla_internal_fqdn: "int.cloud.example.com"
    kolla_external_fqdn: "cloud.example.com"
    kolla_enable_tls_internal: "yes"
    kolla_enable_tls_external: "yes"
    kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
    kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
    haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"
    haproxy_backend_cacert_dir: "/etc/ssl/certs"
    openstack_cacert: "/etc/ssl/certs/ca-certificates.crt"

It currently pulls only for the external VIP but not the internal, so clearly I'm missing something, although I can get it to pull in a hacky way by editing letsencrypt-lego-run.sh to pull int.cloud.example.com.

No matter what I try, I can't get any version of this working with anything other than self-signed certs:

    kolla_enable_tls_backend: "yes"
    kolla_verify_tls_backend: "yes"
    kolla_tls_backend_cert: "{{ kolla_certificates_dir }}/backend-cert.pem"
    kolla_tls_backend_key: "{{ kolla_certificates_dir }}/backend-key.pem"
    kolla_copy_ca_into_containers: "yes"

The note at https://docs.openstack.org/kolla-ansible/2024.1/admin/tls.html states: "The back-end TLS cert/key can be the same certificate that is used for the VIP, as long as those certificates are configured to allow requests from both the VIP and internal networks."

Yet I can't figure out how to do that, or what combination of keys to use from the VIP certs to get that working.

For now it's running with kolla_enable_tls_backend: no and a manually pulled internal cert, but this is not ideal. Anyone have any pointers?
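The condition in the quoted documentation note can be checked mechanically. The following is an added example, not part of the original post and not kolla-ansible code: it reports which of the names and addresses you list are absent from a certificate's subjectAltName entries. It assumes that "allow requests from both the VIP and internal networks" means SAN coverage of both FQDNs plus whatever backend addresses HAProxy connects to; the function names and the 192.0.2.10 address are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which names/addresses a certificate does NOT cover.
# Function names and the 192.0.2.10 backend address are constructed.

# is_ip VALUE: succeed if VALUE is an IPv4 or IPv6 literal, fail for hostnames
is_ip() {
    case "$1" in
        *:*)       return 0 ;;   # IPv6 literal
        *[!0-9.]*) return 1 ;;   # anything besides digits and dots: hostname
        *.*.*.*)   return 0 ;;   # dotted quad
        *)         return 1 ;;
    esac
}

# missing_sans CERT NAME...: print every NAME the certificate does not match
missing_sans() {
    cert=$1; shift
    for name in "$@"; do
        if is_ip "$name"; then opt=-checkip; else opt=-checkhost; fi
        # openssl prints "... does match certificate" or "... does NOT match certificate"
        openssl x509 -in "$cert" -noout "$opt" "$name" 2>/dev/null \
            | grep -q 'does match certificate' || printf '%s\n' "$name"
    done
}

# make_sample_cert DIR SAN_LIST: write a constructed self-signed DIR/cert.pem
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=cloud.example.com" \
        -addext "subjectAltName=$2" >/dev/null 2>&1
}

# Demo on constructed data: a cert issued for the two FQDNs only
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" "DNS:cloud.example.com,DNS:int.cloud.example.com"
echo "Names not covered by the sample certificate:"
missing_sans "$demo_dir/cert.pem" cloud.example.com int.cloud.example.com 192.0.2.10
rm -rf "$demo_dir"
```

Run `missing_sans` against the certificate you intend to reuse, passing both FQDNs and each backend address, to see which entries it lacks before enabling backend verification.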