if ceilometerclient is sent an auth_url it sends a keystone request to the publicURL (and ignores the endpoint type if set to internalURL).

ceilometerclient makes some keystone requests and tries to hit the publicURL regardless of the endpoint_type if auth_url is sent to it:

Traceback (most recent call last):
  File "/usr/bin/ospurge", line 13, in <module>
    sys.exit(main())
  File "/usr/share/python/ospurge/lib/python2.7/site-packages/ospurge/client.py", line 907, in main
    action, args.insecure)
  File "/usr/share/python/ospurge/lib/python2.7/site-packages/ospurge/client.py", line 747, in perform_on_project
    resources = globals()[rc](session)
  File "/usr/share/python/ospurge/lib/python2.7/site-packages/ospurge/client.py", line 640, in __init__
    token=get_token, insecure=session.insecure)
  File "/usr/share/python/ospurge/lib/python2.7/site-packages/ceilometerclient/v2/client.py", line 68, in __init__
    self.alarm_client, aodh_enabled = self._get_alarm_client(**kwargs)
  File "/usr/share/python/ospurge/lib/python2.7/site-packages/ceilometerclient/v2/client.py", line 106, in _get_alarm_client
    kwargs.get('timeout'))
  File "/usr/share/python/ospurge/lib/python2.7/site-packages/ceilometerclient/client.py", line 271, in redirect_to_aodh_endpoint
    self.opts['endpoint'] = _get_endpoint(ks_session, **ks_kwargs)
  File "/usr/share/python/ospurge/lib/python2.7/site-packages/ceilometerclient/client.py", line 201, in _get_endpoint
    region_name=kwargs.get('region_name'))
  File "/usr/share/python/ospurge/lib/python2.7/site-packages/keystoneclient/session.py", line 661, in get_endpoint
    return auth.get_endpoint(self, **kwargs)
  File "/usr/share/python/ospurge/lib/python2.7/site-packages/keystoneclient/auth/identity/base.py", line 323, in get_endpoint
    service_catalog = self.get_access(session).service_catalog
  File "/usr/share/python/ospurge/lib/python2.7/site-packages/keystoneclient/auth/identity/base.py", line 248, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/usr/share/python/ospurge/lib/python2.7/site-packages/keystoneclient/auth/identity/v2.py", line 88, in get_auth_ref
    authenticated=False, log=False)
  File "/usr/share/python/ospurge/lib/python2.7/site-packages/keystoneclient/session.py", line 502, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/share/python/ospurge/lib/python2.7/site-packages/keystoneclient/utils.py", line 337, in inner
    return func(*args, **kwargs)
  File "/usr/share/python/ospurge/lib/python2.7/site-packages/keystoneclient/session.py", line 387, in request
    resp = send(**kwargs)
  File "/usr/share/python/ospurge/lib/python2.7/site-packages/keystoneclient/session.py", line 431, in _send_request
    raise exceptions.ConnectionRefused(msg)
keystoneclient.exceptions.ConnectionRefused: Unable to establish connection to https://identity.fr1.cloudwatt.com/v2.0/tokens

see https://review.openstack.org/#/c/242157/2/ospurge/client.py to see what makes ceilometerclient fail.
I'm not sure whether it's a ceilometerclient or ceilometerclient's documentation bug.