Comment 4 for bug 1671680

What I had to do in this instance, though I didn't test your approach:

    - Create a CA, and make a cert from that rather than a straight
      self-signed cert. https://help.landscape.canonical.com/LDS/SSL is accurate.
    - Add the cert itself and key to the landscape-server and landscape-haproxy
      charm config, base64 encoded.
    - Add the CA cert to the landscape-client charm, base64 encoded and
      prefixed with base64:
    - Manually go to the haproxy box and restart haproxy.

The fact remains, the charm should do all of this. If we need a CA, then the docs are correct and the charm won't ever work. If we can work with self-signed certs, then the charm needs the fix Ante has put together, and the docs need to be fixed as well.