Comment 2 for bug 1930763

Peter Matulis (petermatulis) wrote :

I just hit this again. Looking deeper, only the certificate of the keystone leader is not being updated:

The leader is keystone/0 (10.246.114.58) and the VIP is 10.246.116.11.

$ echo | openssl s_client -showcerts -servername 10.246.116.11 -connect 10.246.116.11:5000 2>/dev/null | openssl x509 -inform pem -noout -text | grep DNS
                DNS:juju-b63bf5-0-lxd-2.maas, IP Address:10.246.114.58

$ echo | openssl s_client -showcerts -servername 10.246.116.11 -connect 10.246.116.11:5000 2>/dev/null | openssl x509 -inform pem -noout -text | grep DNS
                DNS:juju-b63bf5-2-lxd-6.maas, IP Address:10.246.114.37, IP Address:10.246.116.11

$ echo | openssl s_client -showcerts -servername 10.246.116.11 -connect 10.246.116.11:5000 2>/dev/null | openssl x509 -inform pem -noout -text | grep DNS
                DNS:juju-b63bf5-1-lxd-6.maas, IP Address:10.246.114.38, IP Address:10.246.116.11

The keystone application looks like this:

Unit                        Workload  Agent  Machine  Public address  Ports     Message
keystone/0*                 active    idle   0/lxd/2  10.246.114.58   5000/tcp  Unit is ready
  keystone-hacluster/0*     active    idle            10.246.114.58             Unit is ready and clustered
  keystone-mysql-router/0*  active    idle            10.246.114.58             Unit is ready
keystone/1                  active    idle   1/lxd/6  10.246.114.38   5000/tcp  Unit is ready
  keystone-hacluster/1      active    idle            10.246.114.38             Unit is ready and clustered
  keystone-mysql-router/2   active    idle            10.246.114.38             Unit is ready
keystone/2                  active    idle   2/lxd/6  10.246.114.37   5000/tcp  Unit is ready
  keystone-hacluster/2      active    idle            10.246.114.37             Unit is ready and clustered
  keystone-mysql-router/1   active    idle            10.246.114.37             Unit is ready
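
Added example, not part of the original comment or of the charm's code: a shell check that takes the SAN lines printed by the `openssl ... | grep DNS` commands above and names each certificate that does not list the VIP as an exact `IP Address:` entry. The function names are hypothetical, and the sample input is the three SAN lines copied from the comment.

```shell
#!/bin/sh
# Added example: flag certificates whose subjectAltName lacks the VIP.
# Function names are hypothetical; SAMPLE_SANS holds the three SAN lines
# shown in the comment's openssl output.

# san_has_ip SAN_LINE IP
# Succeeds only if IP appears as a whole "IP Address:" entry, so that
# 10.246.116.11 does not match an entry such as 10.246.116.110.
san_has_ip() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Fxq "IP Address:$2"
}

# san_dns_name SAN_LINE
# Prints the first DNS entry, used here to identify the serving unit.
san_dns_name() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' | head -n 1
}

# missing_vip VIP
# Reads SAN lines on stdin and prints the DNS name of every certificate
# that does not include VIP.
missing_vip() {
    vip=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        san_has_ip "$line" "$vip" || san_dns_name "$line"
    done
}

SAMPLE_SANS='DNS:juju-b63bf5-0-lxd-2.maas, IP Address:10.246.114.58
DNS:juju-b63bf5-2-lxd-6.maas, IP Address:10.246.114.37, IP Address:10.246.116.11
DNS:juju-b63bf5-1-lxd-6.maas, IP Address:10.246.114.38, IP Address:10.246.116.11'

# Report the units whose certificate is missing the VIP.
printf '%s\n' "$SAMPLE_SANS" | missing_vip 10.246.116.11
```

Against a live endpoint, the `grep DNS` output of repeated connections to the VIP can be piped into `missing_vip` in place of the sample lines.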