Spice console isn't working when ssl_only=True is set

CONFIRMED FOR: MITAKA

@stgleb if you are working on this bug, please mark it as "in progress", thanks.

Ah, I had almost forgotten about this bug. What we did in our deployment to fix it, is create a copy of /usr/share/spice-html5/spice_auto.html like e.g. /usr/share/spice-html5/spice_sec_auto.html and apply the change from "ws://" to "wss://" in that file.

Then reference the new file in the nova.conf, like

[spice]
html5proxy_base_url = https://myspiceproxy.com:6082/spice_sec_auto.html

So IMHO this is not a bug for nova, but rather for the spice-html5 package to not provide an option to use the secure websocket scheme.

Where exactly have you changed that? I see switching from ws: to wss: protocol in spice_auth.html.
Could you give and example of your spice_sec_auto.html that solves this problem?

$ diff -u /usr/share/spice-html5/spice_auto.html /usr/share/spice-html5/spice_sec_auto.html
--- /usr/share/spice-html5/spice_auto.html 2013-09-19 16:10:02.000000000 +0000
+++ /usr/share/spice-html5/spice_sec_auto.html 2016-08-08 07:52:57.641411769 +0000
@@ -81,7 +81,7 @@

             function connect()
             {
- var host, port, password, scheme = "ws://", uri;
+ var host, port, password, scheme = "wss://", uri;

                 // By default, use the host and port of server that served this file
                 host = spice_query_var('host', window.location.hostname);

Newer versions of spice-html5 fix this, it autodetects the proper protocol. See https://cgit.freedesktop.org/spice/spice-html5/tree/spice_auto.html#n94

Thanks for the hint Mike, I must admit that I never looked at that. In fact it seems like this would be fixed already in spice-html5-0.1.5 dated more than two years ago, but Ubuntu still ships 0.1.4.

Status changed to 'Confirmed' because the bug affects multiple users.

It seems that there is no nova fix, just need new spice html5

This is a valid bug for cloud:xenial-queens UCA pocket.

I've tested that the fix for this issue is included in the bionic repositories in version 0.1.7-2ubuntu1.

spice-html5 0.1.7-2ubuntu1

I'm requesting this to be backported into the xenial-queens cloud archive.

Hello Drew, or anyone else affected,

Accepted spice-html5 into queens-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:queens-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-queens-needed to verification-queens-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-queens-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

We have updated to this version 0.1.7-2ubuntu1~cloud0 like so
  sudo add-apt-repository cloud-archive:queens-proposed
  # (press enter to accept the repository)
  sudo apt-get update
  sudo apt-get install spice-html5
  sudo systemctl restart nova-spiceproxy.service
  sudo rm /etc/apt/sources.list.d/cloudarchive-queens-proposed.list
  sudo apt-get update

$dpkg -l spice-html
  0.1.7-2ubuntu1~cloud0

this successfully address the issue