When using spice console, if ssl vars are set, but console-ssl-cert is not set, spiceproxy can't read the apache ssl keys
Bug #1800024 reported by Drew Freiberger
This bug affects 6 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Nova Cloud Controller Charm | Triaged | Medium | Unassigned |
Bug Description
The apache2 ssl keys are configured in /etc/nova.conf, and if the console-ssl-cert is not set, spiceproxy defaults to trying to load those keys dropped in /etc/apache2/
tags: added: sts
Changed in charm-nova-cloud-controller: status: New → Triaged
Changed in charm-nova-cloud-controller: importance: Undecided → Medium
Also ran into this; it causes the nova-novncproxy service to fail to start (issue applies to both VNC and SPICE). See also related Bug #1788660.
This problem is worse than just not being able to read the keys.
When you configure SSL for the console (console-ssl-cert/key) and for the nova-cloud-controller itself (ssl_key/ssl_ca/ssl_cert) the same cert= and key= option is set in nova.conf in the same [DEFAULT] section.
So enabling SSL for either, enables SSL for both. However only if console-ssl-{key,cert} is set, does the novncproxy_base_url also get set to include https. Hence if you set ssl_key/ssl_cert for nova but not the console, the proxy listens on SSL only but the URL generated does not have SSL and it does not work.
It's not clear where the cert= and key= entries come from in the case of ssl_key.. it's not directly in the template but seems to be set as a variable list of key,values in the charm somewhere - did not determine where.
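A configuration check for the mismatch described in the comment above, as an added example that is not part of the original bug report or the charm's code: it parses a nova.conf and flags console proxy base URLs whose scheme disagrees with the cert=/key= settings in [DEFAULT]. The sample configs and file paths are constructed, and html5proxy_base_url (nova's SPICE counterpart to novncproxy_base_url) is assumed to be the relevant SPICE option.

```python
import configparser
from urllib.parse import urlsplit

# novncproxy_base_url is named in the report; html5proxy_base_url is assumed
# to be the SPICE equivalent that needs the same check.
BASE_URL_OPTS = ("novncproxy_base_url", "html5proxy_base_url")

def check_console_tls(conf_text):
    """Return findings where cert=/key= and the console base URLs disagree."""
    cp = configparser.ConfigParser(
        default_section="__unused__",  # treat [DEFAULT] as an ordinary section
        interpolation=None,
        strict=False,
    )
    cp.read_string(conf_text)
    default = cp["DEFAULT"] if cp.has_section("DEFAULT") else {}
    cert, key = default.get("cert"), default.get("key")
    findings = []
    if bool(cert) != bool(key):
        findings.append("only one of cert=/key= is set in [DEFAULT]")
    tls_on = bool(cert and key)
    for section in cp.sections():
        for opt in BASE_URL_OPTS:
            url = cp.get(section, opt, fallback=None)
            if not url:
                continue
            scheme = urlsplit(url).scheme
            if tls_on and scheme != "https":
                findings.append(
                    f"[{section}] {opt} is {scheme}:// but cert=/key= are set")
            elif not tls_on and scheme == "https":
                findings.append(
                    f"[{section}] {opt} is https:// but cert=/key= are not set")
    return findings

# Constructed sample: ssl_key/ssl_cert set for nova, console options unset.
SAMPLE_MISMATCH = """
[DEFAULT]
cert = /path/to/example-cert.pem
key = /path/to/example-key.pem
[vnc]
novncproxy_base_url = http://nova.example.internal:6080/vnc_auto.html
"""
# Constructed sample: console SSL configured, URL scheme matches.
SAMPLE_CONSISTENT = SAMPLE_MISMATCH.replace("http://", "https://")

if __name__ == "__main__":
    for finding in check_console_tls(SAMPLE_MISMATCH):
        print(finding)
```
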