As stated in bugzilla 2058441, post_save commands are currently not provided for mysql and ovn. It should now be possible to reload certificates on the renewal process. This was previously (at least partially) implemented in [1], but reverted. [1] https://github.com/openstack/tripleo-heat-templates/commit/8b16911cc26ced10316fdd37a818fc1cb6fe5ece Controller: ~~~ Request ID 'mysql': status: MONITORING stuck: no key pair storage: type=FILE,location='/etc/pki/tls/private/mysql.key' certificate: type=FILE,location='/etc/pki/tls/certs/mysql.crt' CA: IPA issuer: CN=Certificate Authority,O=REDHAT.LOCAL subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL expires: 2024-02-25 03:12:22 UTC dns: overcloud.internalapi.redhat.local,controller-0.internalapi.redhat.local principal name: mysql/controller-0.internalapi.redhat.local key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID 'ovn_dbs': status: MONITORING stuck: no key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_dbs.key' certificate: type=FILE,location='/etc/pki/tls/certs/ovn_dbs.crt' CA: IPA issuer: CN=Certificate Authority,O=REDHAT.LOCAL subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL expires: 2024-02-25 03:12:27 UTC dns: controller-0.internalapi.redhat.local principal name: ovn_dbs/controller-0.internalapi.redhat.local key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID 'ovn_controller': status: MONITORING stuck: no key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_controller.key' certificate: type=FILE,location='/etc/pki/tls/certs/ovn_controller.crt' CA: IPA issuer: CN=Certificate Authority,O=REDHAT.LOCAL subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL expires: 2024-02-25 03:12:28 UTC dns: controller-0.internalapi.redhat.local principal name: ovn_controller/controller-0.internalapi.redhat.local key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID 'neutron_ovn': status: MONITORING stuck: no key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_neutron_client.key' certificate: type=FILE,location='/etc/pki/tls/certs/ovn_neutron_client.crt' CA: IPA issuer: CN=Certificate Authority,O=REDHAT.LOCAL subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL expires: 2024-02-25 03:12:29 UTC dns: controller-0.internalapi.redhat.local principal name: neutron_ovn/controller-0.internalapi.redhat.local key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Compute: ~~~ Request ID 'ovn_controller': status: MONITORING stuck: no key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_controller.key' certificate: type=FILE,location='/etc/pki/tls/certs/ovn_controller.crt' CA: IPA issuer: CN=Certificate Authority,O=REDHAT.LOCAL subject: CN=compute-0.internalapi.redhat.local,O=REDHAT.LOCAL expires: 2024-02-25 23:55:10 UTC dns: compute-0.internalapi.redhat.local principal name: ovn_controller/compute-0.internalapi.redhat.local key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID 'ovn_metadata': status: MONITORING stuck: no key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_metadata.key' certificate: type=FILE,location='/etc/pki/tls/certs/ovn_metadata.crt' CA: IPA issuer: CN=Certificate Authority,O=REDHAT.LOCAL subject: CN=compute-0.internalapi.redhat.local,O=REDHAT.LOCAL expires: 2024-02-26 00:12:20 UTC dns: compute-0.internalapi.redhat.local principal name: ovn_metadata/compute-0.internalapi.redhat.local key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes