Incorrect certificate sent to the browser when os-public-hostname is configured.

Bug #1943875 reported by Mirek
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Dashboard Charm | Confirmed | Undecided | Unassigned |

Bug Description

When using os-public you have to use an "ha" binding mapped to your public space, otherwise haproxy won't correctly send requests to apache using os-public-hostname, e.g. horizon.example.com, but instead it will use the internal cluster namespace and the juju-lxd-something hostname, so even when you have the correct root CA in the browser you get a certificate mismatch, as you are asking for horizon.example.com but the certificate name is for juju-lxd-something. The workaround is to use the hacluster ha binding explicitly; however, it's not in the documentation.

Also, somehow related: if you change your config to use os-public-hostname, the vault re-issue certificates action won't create your new certificate, e.g. horizon.example.com. You have to remove the vault relation and add it back in in order to receive a correct certificate from the vault.

openstack-dashboard deployment:
  openstack-dashboard:
    charm: cs:openstack-dashboard-313
    num_units: 3
    bindings:
      "": *oam-space
      shared-db: *internal-space
      public: *public-space
      ha: *public-space
    options:
      os-public-hostname: *horizon-public
      api-result-limit: 10
      use-internal-endpoints: true
      debug: 'no'
      openstack-origin: *openstack-origin
      webroot: "/"
      vip: *dashboard-vip
      neutron-network-dvr: true
      neutron-network-lb: true
      neutron-network-firewall: true
      neutron-network-vpn: true
      cinder-backup: true
      use-syslog: False
    to:
    - lxd:3
    - lxd:4
    - lxd:5
  hacluster-horizon:
    charm: cs:hacluster-76
    bindings:
      "": *oam-space
      ha: *public-space
    options:
      cluster_count: 3

Xav Paice (xavpaice)
Changed in charm-openstack-dashboard:
status: New → Confirmed
Xav Paice (xavpaice) wrote :

Note: also need the 'cluster' binding to be set to public-space if you're using the hacluster charm.
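
A way to confirm the mismatch described in this report from the client side, added here as an example (it is not part of the bug report or of the charm). It validates the chain against the Vault root CA but leaves hostname checking off, so a certificate issued for the wrong name can be inspected rather than just failing the handshake. The function names, the sample certificates and the name juju-lxd-placeholder.internal are constructed for illustration.

```python
import socket
import ssl


def san_dns_names(cert):
    """DNS subjectAltName entries from an ssl.SSLSocket.getpeercert() dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125 style match: '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def covers(cert, hostname):
    return any(name_matches(n, hostname) for n in san_dns_names(cert))


def fetch_cert(address, public_hostname, ca_file, port=443):
    """Certificate served at address (e.g. the VIP) when SNI is public_hostname."""
    ctx = ssl.create_default_context(cafile=ca_file)  # chain is still verified
    ctx.check_hostname = False  # inspect a mismatched cert instead of aborting
    with socket.create_connection((address, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=public_hostname) as tls:
            return tls.getpeercert()


def diagnose(cert, public_hostname):
    if covers(cert, public_hostname):
        return "OK: certificate covers " + public_hostname
    names = ", ".join(san_dns_names(cert)) or "(none)"
    return "MISMATCH: asked for %s, certificate names: %s" % (public_hostname, names)


# Constructed samples in getpeercert() form: the failing and the expected case.
WRONG = {"subjectAltName": (("DNS", "juju-lxd-placeholder.internal"),
                            ("IP Address", "10.0.0.10"))}
RIGHT = {"subjectAltName": (("DNS", "horizon.example.com"),)}

if __name__ == "__main__":
    print(diagnose(WRONG, "horizon.example.com"))
    print(diagnose(RIGHT, "horizon.example.com"))
```

Against a live deployment, pass the result of fetch_cert(vip, os_public_hostname, vault_root_ca_path) to diagnose(); run it again after changing bindings or re-adding the vault relation to confirm the new certificate is the one being served.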
