diff --git a/SOURCES/bz2029791-1-fence_openstack-add-ssl-insecure.patch b/SOURCES/bz2029791-1-fence_openstack-add-ssl-insecure.patch
new file mode 100644
index 0000000..e616cc8
--- /dev/null
+++ b/SOURCES/bz2029791-1-fence_openstack-add-ssl-insecure.patch
@@ -0,0 +1,72 @@
+From f79436d3a5e4cf279be0974e9633ad8994a017f7 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Mon, 6 Dec 2021 12:59:31 +0100
+Subject: [PATCH] fence_openstack: add --ssl-insecure
+
+---
+ agents/openstack/fence_openstack.py     | 7 +++++--
+ tests/data/metadata/fence_openstack.xml | 5 +++++
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/agents/openstack/fence_openstack.py b/agents/openstack/fence_openstack.py
+index c480596c1..c2d9df160 100755
+--- a/agents/openstack/fence_openstack.py
++++ b/agents/openstack/fence_openstack.py
+@@ -89,7 +89,7 @@ def set_power_status(conn, options):
+ 
+ 
+ def nova_login(username, password, projectname, auth_url, user_domain_name,
+-               project_domain_name, cacert, apitimeout):
++               project_domain_name, ssl_insecure, cacert, apitimeout):
+     legacy_import = False
+ 
+     try:
+@@ -127,7 +127,7 @@ def nova_login(username, password, projectname, auth_url, user_domain_name,
+             cacert=cacert,
+         )
+ 
+-    session = ksc_session.Session(auth=auth, verify=cacert, timeout=apitimeout)
++    session = ksc_session.Session(auth=auth, verify=False if ssl_insecure else cacert, timeout=apitimeout)
+     nova = client.Client("2", session=session, timeout=apitimeout)
+     apiversion = None
+     try:
+@@ -220,6 +220,7 @@ def main():
+         "port",
+         "no_port",
+         "uuid",
++        "ssl_insecure",
+         "cacert",
+         "apitimeout",
+     ]
+@@ -268,6 +269,7 @@ def main():
+         fail_usage("Failed: You have to set the Keystone service endpoint for authorization")
+     user_domain_name = options["--user-domain-name"]
+     project_domain_name = options["--project-domain-name"]
++    ssl_insecure = "--ssl-insecure" in options
+     cacert = options["--cacert"]
+     apitimeout = options["--apitimeout"]
+     try:
+@@ -278,6 +280,7 @@ def main():
+             auth_url,
+             user_domain_name,
+             project_domain_name,
++            ssl_insecure,
+             cacert,
+             apitimeout,
+         )
+diff --git a/tests/data/metadata/fence_openstack.xml b/tests/data/metadata/fence_openstack.xml
+index 84503bbe0..926d18c3d 100644
+--- a/tests/data/metadata/fence_openstack.xml
++++ b/tests/data/metadata/fence_openstack.xml
+@@ -43,6 +43,11 @@
+ 		<content type="string"  />
+ 		<shortdesc lang="en">UUID of the node to be fenced.</shortdesc>
+ 	</parameter>
++	<parameter name="ssl_insecure" unique="0" required="0">
++		<getopt mixed="--ssl-insecure" />
++		<content type="boolean"  />
++		<shortdesc lang="en">Use SSL connection without verifying certificate</shortdesc>
++	</parameter>
+ 	<parameter name="username" unique="0" required="1" obsoletes="login">
+ 		<getopt mixed="-l, --username=[name]" />
+ 		<content type="string"  />
diff --git a/SOURCES/bz2029791-2-fence_openstack-cacert-default.patch b/SOURCES/bz2029791-2-fence_openstack-cacert-default.patch
new file mode 100644
index 0000000..419ce33
--- /dev/null
+++ b/SOURCES/bz2029791-2-fence_openstack-cacert-default.patch
@@ -0,0 +1,59 @@
+From b7032d16a07997ecab3b2c11a6436b3fa21f9043 Mon Sep 17 00:00:00 2001
+From: "Fabio M. Di Nitto" <fdinitto@redhat.com>
+Date: Thu, 6 Jan 2022 12:53:28 +0100
+Subject: [PATCH] fence_openstack: relax ssl cacert default
+
+allow the agent to use Base OS defaults vs forcing a specific file
+to increase portability.
+
+Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>
+---
+ agents/openstack/fence_openstack.py     | 12 +++++++++---
+ tests/data/metadata/fence_openstack.xml |  2 +-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/agents/openstack/fence_openstack.py b/agents/openstack/fence_openstack.py
+index c2d9df160..36b353b52 100755
+--- a/agents/openstack/fence_openstack.py
++++ b/agents/openstack/fence_openstack.py
+@@ -127,7 +127,13 @@ def nova_login(username, password, projectname, auth_url, user_domain_name,
+             cacert=cacert,
+         )
+ 
+-    session = ksc_session.Session(auth=auth, verify=False if ssl_insecure else cacert, timeout=apitimeout)
++    caverify=True
++    if ssl_insecure:
++        caverify=False
++    elif cacert:
++        caverify=cacert
++
++    session = ksc_session.Session(auth=auth, verify=caverify, timeout=apitimeout)
+     nova = client.Client("2", session=session, timeout=apitimeout)
+     apiversion = None
+     try:
+@@ -189,10 +195,10 @@ def define_new_opts():
+     all_opt["cacert"] = {
+         "getopt": ":",
+         "longopt": "cacert",
+-        "help": "--cacert=[cacert]              Path to the PEM file with trusted authority certificates",
++        "help": "--cacert=[cacert]              Path to the PEM file with trusted authority certificates (override global CA trust)",
+         "required": "0",
+         "shortdesc": "SSL X.509 certificates file",
+-        "default": "/etc/pki/tls/certs/ca-bundle.crt",
++        "default": "",
+         "order": 7,
+     }
+     all_opt["apitimeout"] = {
+diff --git a/tests/data/metadata/fence_openstack.xml b/tests/data/metadata/fence_openstack.xml
+index 926d18c3d..c8dc2e60f 100644
+--- a/tests/data/metadata/fence_openstack.xml
++++ b/tests/data/metadata/fence_openstack.xml
+@@ -100,7 +100,7 @@
+ 	</parameter>
+ 	<parameter name="cacert" unique="0" required="0">
+ 		<getopt mixed="--cacert=[cacert]" />
+-		<content type="string" default="/etc/pki/tls/certs/ca-bundle.crt"  />
++		<content type="string" default=""  />
+ 		<shortdesc lang="en">SSL X.509 certificates file</shortdesc>
+ 	</parameter>
+ 	<parameter name="apitimeout" unique="0" required="0">
diff --git a/SPECS/fence-agents.spec b/SPECS/fence-agents.spec
index e488765..a353967 100644
--- a/SPECS/fence-agents.spec
+++ b/SPECS/fence-agents.spec
@@ -59,7 +59,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 13%{?alphatag:.%{alphatag}}%{?dist}
+Release: 14%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@@ -226,6 +226,8 @@ Patch9: bz2010709-2-fence_amt_ws-boot-option.patch
 Patch10: bz2000954-1-configure-fix-virt.patch
 Patch11: bz2000954-2-fence_kubevirt.patch
 Patch12: bz2022334-fence_zvmip-add-ssl-tls-support.patch
+Patch13: bz2029791-1-fence_openstack-add-ssl-insecure.patch
+Patch14: bz2029791-2-fence_openstack-cacert-default.patch
 
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
 %ifarch x86_64
@@ -596,7 +598,7 @@ Support libraries for Fence Agents.
 %endif
 
 %package all
-License: GPLv2+, LGPLv2+ and ASL 2.0
+License: GPLv2+ and LGPLv2+ and ASL 2.0
 Summary: Set of unified programs capable of host isolation ("fencing")
 Requires: %{allfenceagents}
 %ifarch ppc64le
@@ -1404,6 +1406,10 @@ are located on corosync cluster nodes.
 %endif
 
 %changelog
+* Tue Jan 11 2022 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-14
+- fence_openstack: add --ssl-insecure
+  Resolves: rhbz#2029791
+
 * Thu Dec  2 2021 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-13
 - fence_amt_ws: fix "or" causing dead code
   Resolves: rhbz#2010709