diff --git a/deployment/nova/nova-metadata-container-puppet.yaml b/deployment/nova/nova-metadata-container-puppet.yaml
index 5e2afe4f8a..3824d1703c 100644
--- a/deployment/nova/nova-metadata-container-puppet.yaml
+++ b/deployment/nova/nova-metadata-container-puppet.yaml
@@ -261,6 +261,8 @@ outputs:
 - not container_healthcheck_disabled
 - step|int == 5
 host_prep_tasks: {get_attr: [NovaMetadataLogging, host_prep_tasks]}
+ metadata_settings:
+ get_attr: [ApacheServiceBase, role_data, metadata_settings]
 external_upgrade_tasks:
 - when:
 - step|int == 1
diff --git a/releasenotes/notes/nova_metadata_http_cert_metadata-274e7e8a66727983.yaml b/releasenotes/notes/nova_metadata_http_cert_metadata-274e7e8a66727983.yaml
new file mode 100644
index 0000000000..bc9d745943
--- /dev/null
+++ b/releasenotes/notes/nova_metadata_http_cert_metadata-274e7e8a66727983.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+ - |
+ In case of cellv2 multicell environment nova-metadata is the only
+ httpd managed service on the cell controller role. In case of
+ tls-everywhere it is required that the cell controller host has
+ ther needed metadata to be able to request the HTTP certificates.
+ Otherwise the getcert request fails with "Insufficient 'add' privilege
+ to add the entry 'krbprincipalname=HTTP/cell1-cellcontrol-0....'"
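Review bot: The new `metadata_settings` output in deployment/nova/nova-metadata-container-puppet.yaml forwards whatever ApacheServiceBase emits, and nothing next to it says why nova-metadata needs it; the reason lives only in the release note. A one-line comment above the key would keep it with the code, for example `# tls-everywhere: export the httpd service metadata so this host may request its HTTP/ certificates`. The ApacheServiceBase resource and its `role_data` are outside this hunk, so please confirm that the attribute resolves to an empty value when internal TLS is disabled. Judging by the getcert error quoted in the release note, these entries decide which HTTP/ principals the host may request certificates for, so it is also worth checking that the forwarded list covers only the networks httpd actually serves on the cell controller role.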