As part of the TLS everwhere work: keystone should be listening exclusively with TLS.
Public TLS is already covered (from a client in the external network to HAProxy). But internal communications should be covered as well. These include:
* From clients to internal endpoints in HAProxy (keystone haproxy frontends).
* From HAProxy to the actual keystone server instances.
* client connections that keystone uses to communicate with the database.
* client connections that keystone uses to use the message broker (rabbitmq)
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.