Bug
Resolution: Done
Normal
rhos-17.1.0
Important
SHA1-signed certs will no longer work after RHOSP 17.1 upgrades, causing potential blockers like:
- overcloud's haproxy not able to start anymore:
  2024-04-14T15:13:06.083087015+08:00 stderr F [ALERT] (7) : parsing [/etc/haproxy/haproxy.cfg:271] : 'bind {ip}:13778' : unable to load SSL certificate into SSL Context '/etc/pki/tls/private/overcloud_endpoint.pem'.
- broken keystone<->LDAP(s) backend communication:
  2024-04-17 13:53:01.740 32 ERROR keystone.server.flask.application ldap.SERVER_DOWN: {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'error:0A000086:SSL routines::certificate verify failed (CA signature digest algorithm too weak)'}
The root cause is the RHEL 9 deprecation of legacy crypto policies [0].
As far as I know, the RHOSP 17.1 documentation does not specify that an SSL certificate must be created or upgraded to SHA256 before starting the update. We just recommend customers to "review the following information to familiarize yourself with RHEL 9" [1], which could probably be a little bit too broad.
Maybe including this kind of requirement in the "Planning and preparation for an in-place upgrade" section [2] could be worthwhile.
[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/17.1/html/framework_for_upgrades_16.2_to_17.1/assembly_about-the-red-hat-openstack-platform-framework-for-upgrades_about-upgrades#high-level-changes-in-red-hat-openstack-platform-vernum
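A pre-upgrade check that an operator could run against the certificate bundles named above, added here as an example; it is not part of the bug report and not Red Hat tooling. It decodes only the outer signatureAlgorithm field of each X.509 certificate with a minimal DER reader, walks every CERTIFICATE block of a PEM bundle (haproxy-style files that also carry a private key are handled, since the key block is skipped), and flags the MD5/SHA1 digests that the RHEL 9 DEFAULT crypto policy rejects. The OID table and the "weak" set are assumed standard values (RFC 3279/4055/5758), not values from the page; the sample certificates embedded at the bottom are constructed DER skeletons whose tbsCertificate is a placeholder, so they exercise only the algorithm-identifier parsing.

```python
#!/usr/bin/env python3
"""Flag certificates whose signature digest the RHEL 9 DEFAULT crypto policy rejects.

Added example with a minimal DER decoder; it reads only the outer
signatureAlgorithm of each certificate and skips everything else.
"""
import base64
import re
import sys

# Standard X.509 signature-algorithm OIDs (assumed from RFC 3279/4055/5758).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
# Digests that fail with "CA signature digest algorithm too weak" on RHEL 9 DEFAULT.
WEAK_SIG_ALGS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}

_PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn DER OID content bytes into dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 arcs, high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER certificate."""
    tag, cert_body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = _read_tlv(cert_body, 0)          # tbsCertificate: skipped entirely
    tag, alg_id, _ = _read_tlv(cert_body, pos)      # signatureAlgorithm: AlgorithmIdentifier
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid_raw, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return _decode_oid(oid_raw)


def certificates_in(data):
    """Yield DER blobs: each CERTIFICATE block of a PEM bundle, or the input itself if it is DER.
    Non-certificate PEM blocks (e.g. the private key in a haproxy bundle) are ignored."""
    if isinstance(data, str):
        data = data.encode()
    blocks = _PEM_CERT.findall(data)
    if blocks:
        for b in blocks:
            yield base64.b64decode(b"".join(b.split()))
    else:
        yield data


def check_bundle(data):
    """Return [(algorithm name, is_weak), ...] for every certificate in the input, in file order."""
    out = []
    for der in certificates_in(data):
        oid = signature_algorithm(der)
        out.append((SIG_ALG_NAMES.get(oid, oid), oid in WEAK_SIG_ALGS))
    return out


# --- constructed sample input (DER skeletons, not real certificates) ---
def _der(tag, content):
    """Minimal DER TLV encoder, used only to build the samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _sample_cert(sig_oid_bytes):
    """SEQUENCE { placeholder tbsCertificate, AlgorithmIdentifier {oid, NULL}, dummy BIT STRING }."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, sig_oid_bytes) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 17)
    return _der(0x30, tbs + alg + sig)


SHA1_RSA_DER = _sample_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")    # 1.2.840.113549.1.1.5
SHA256_RSA_DER = _sample_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # 1.2.840.113549.1.1.11
# A haproxy-style bundle: fake key block, SHA256 leaf, then a SHA1-signed issuer (constructed).
SAMPLE_BUNDLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\nQUJD\n-----END PRIVATE KEY-----\n"
    + "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SHA256_RSA_DER).decode()
    + "-----END CERTIFICATE-----\n"
    + "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SHA1_RSA_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    sources = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("constructed sample bundle", SAMPLE_BUNDLE_PEM)]
    for label, data in sources:
        for i, (name, weak) in enumerate(check_bundle(data)):
            print(f"{label} cert#{i}: {name} {'WEAK - rejected by RHEL 9 DEFAULT policy' if weak else 'ok'}")
```

Run it as `python3 check_sigalg.py /etc/pki/tls/private/overcloud_endpoint.pem` (or against the CA bundle keystone uses for LDAPS) before starting the 16.2 to 17.1 upgrade; any WEAK line means that certificate has to be reissued with SHA256 first. The same information is visible in the "Signature Algorithm" line of `openssl x509 -noout -text`, but checking every block of a bundle matters because the keystone error above is about the CA signature, not the leaf.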