Run the SSL verification at step2

Run the SSL verification at step2 instead of host_prep as we need
to have CACerts injected before being able to validate the SSL
certificates.  It looks like NodeTLSCerts is getting deprecated
and CI has already moved away from taht method .

Change-Id: I5e3491efd12ad2445a3d77f0907fbb766fe54466
Closes-bug: #1961056

deployment/haproxy/haproxy-pacemaker-puppet.yaml

@@ -290,34 +290,7 @@ outputs:
       host_prep_tasks:
         list_concat:
           - {get_attr: [HAProxyBase, role_data, host_prep_tasks]}
-          - - name: Validate SSLCertificate is properly defined if PublicSSLCertificateAutogenerated is False
-              when:
-                - {get_param: EnablePublicTLS}
-              vars:
-                ssl_cert: {get_param: SSLCertificate}
-                auto_gen: {get_param: PublicSSLCertificateAutogenerated}
-                protocol: {get_param: [EndpointMap, KeystonePublic, protocol]}
-              block:
-                - name: Verify SSL certificate
-                  shell: |
-                    cat << EOF | openssl verify
-                    {{ssl_cert}}
-                    EOF
-                  register: openssl_output
-                  when:
-                    - ( ssl_cert | length ) > 512
-                    - protocol == "https"
-                  failed_when:
-                    ( ( "self signed certificate" not in openssl_output.stderr ) and ( "OK" not in openssl_output.stdout ) ) or ("expired" in openssl_output.stderr)
-                - fail:
-                    msg: >
-                      SSLCertificate is empty or too short and PublicSSLCertificateAutogenerated
-                      is False and at least one endpoint is configured with https
-                  when:
-                    - ( ssl_cert | length ) < 512
-                    - not ( auto_gen | bool )
-                    - protocol == "https"
-            - name: Run puppet on the host to apply IPtables rules
+          - - name: Run puppet on the host to apply IPtables rules
               no_log: true
               shell: |
                 puppet apply {{ (puppet_debug|bool) | ternary('--debug --verbose', '') }} --detailed-exitcodes --summarize --color=false \
@@ -366,6 +339,34 @@ outputs:
                         name: rsyslog
                         state: restarted
                       when: logconfig is changed
+            - name: Validate SSLCertificate is properly defined if PublicSSLCertificateAutogenerated is False
+              when:
+                - {get_param: EnablePublicTLS}
+                - step|int == 2
+              vars:
+                ssl_cert: {get_param: SSLCertificate}
+                auto_gen: {get_param: PublicSSLCertificateAutogenerated}
+                protocol: {get_param: [EndpointMap, KeystonePublic, protocol]}
+              block:
+                - name: Verify SSL certificate
+                  shell: |
+                    cat << EOF | openssl verify
+                    {{ssl_cert}}
+                    EOF
+                  register: openssl_output
+                  when:
+                    - ( ssl_cert | length ) > 512
+                    - protocol == "https"
+                  failed_when:
+                    ( ( "self signed certificate" not in openssl_output.stderr ) and ( "OK" not in openssl_output.stdout ) ) or ("expired" in openssl_output.stderr)
+                - fail:
+                    msg: >
+                      SSLCertificate is empty or too short and PublicSSLCertificateAutogenerated
+                      is False and at least one endpoint is configured with https
+                  when:
+                    - ( ssl_cert | length ) < 512
+                    - not ( auto_gen | bool )
+                    - protocol == "https"
             - name: HAproxy tag container image for pacemaker
               when: step|int == 1
               import_role: