diff --git a/ansible/roles/octavia/templates/octavia.conf.j2 b/ansible/roles/octavia/templates/octavia.conf.j2
index 90d58135c7a94f7c768fd3de6d837b0fd0031ace..7f7fdabee9887316da13165709faec1ddedcf178 100644
--- a/ansible/roles/octavia/templates/octavia.conf.j2
+++ b/ansible/roles/octavia/templates/octavia.conf.j2
@@ -30,6 +30,7 @@ password = {{ octavia_keystone_password }}
 user_domain_name = {{ default_user_domain_name }}
 project_name = {{ openstack_auth.project_name }}
 project_domain_name = {{ default_project_domain_name }}
+cafile = {{ openstack_cacert }}
 
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}
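Review bot: The added `cafile = {{ openstack_cacert }}` is rendered unconditionally, so a deployment where `openstack_cacert` is empty would get a blank `cafile =` in the rendered file. The same applies to the three `ca_certificates_file` lines under `[glance]`, `[neutron]` and `[nova]` in the next hunk. How the consuming libraries treat an empty CA path is not visible here, so confirm that it falls back to the system trust store rather than failing or relaxing verification. Otherwise guard the line, for example `{% if openstack_cacert %}cafile = {{ openstack_cacert }}{% endif %}`. The section this line lands in starts outside the hunk, so which section receives it cannot be confirmed from here.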
@@ -84,14 +85,14 @@ policy_file = {{ octavia_policy_file }}
 [glance]
 region_name = {{ openstack_region_name }}
 endpoint_type = internal
-ca_certificates_file ==  {{ openstack_cacert }}
+ca_certificates_file = {{ openstack_cacert }}
 
 [neutron]
 region_name = {{ openstack_region_name }}
 endpoint_type = internal
-ca_certificates_file ==  {{ openstack_cacert }}
+ca_certificates_file = {{ openstack_cacert }}
 
 [nova]
 region_name = {{ openstack_region_name }}
 endpoint_type = internal
-ca_certificates_file ==  {{ openstack_cacert }}
+ca_certificates_file = {{ openstack_cacert }}
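Review bot: These three sections use `ca_certificates_file` while the auth section in the first hunk uses `cafile`, and nothing in the template explains why the option names differ. A one-line comment above the `[glance]` occurrence would keep a later edit from "normalising" them, for example `# Octavia's service client sections take ca_certificates_file, not cafile`. The removed `==` form suggests a malformed CA path line here can go unnoticed, so a check on the rendered file that every CA option has exactly one `=` and a non-empty path would catch a regression; whether the role already has such a check is not visible in this diff.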
diff --git a/releasenotes/notes/bug-1872404-dc092ab1ce84c71d.yaml b/releasenotes/notes/bug-1872404-dc092ab1ce84c71d.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4fecfe9ec67de1062b8596424f1ad020ecf24590
--- /dev/null
+++ b/releasenotes/notes/bug-1872404-dc092ab1ce84c71d.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixes Octavia in internally-signed (e.g. self-signed) cert TLS deployments
+    by providing path to CA cert file in proper config places.
+    `LP#1872404 <https://launchpad.net/bugs/1872404>`__