Public bug reported:

Description
===========
The certificate/key defined in the nova.conf seem to have no apparent effect when starting the openstack-nova-novncproxy. This results in the inability to access the VNC console securely.

Expected result
===============
VNC console accessible via secure VNC URL.

Actual result
=============
VNC fails to establish connection.

Environment
===========
CentOS Linux release 7.2.1511 (Core)
Linux 3.10.0-327.18.2.el7.x86_64 #1 SMP Thu May 12 11:03:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Package versions:
openstack-nova-common-2015.1.2-1.el7.noarch
openstack-nova-console-2015.1.2-1.el7.noarch
openstack-nova-conductor-2015.1.2-1.el7.noarch
openstack-nova-scheduler-2015.1.2-1.el7.noarch
openstack-nova-api-2015.1.2-1.el7.noarch
openstack-nova-novncproxy-2015.1.2-1.el7.noarch
openstack-nova-cert-2015.1.2-1.el7.noarch

Steps to reproduce
==================
Controller (nova.conf):
novncproxy_host=0.0.0.0
novncproxy_port=6080
novncproxy_base_url=https://fqdn:6080/vnc_auto.html
vnc_enabled=true
cert=cert.crt
key=key.key
ssl_only=true

Compute (nova.conf):
vnc_enabled = False
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = computeIP
novncproxy_base_url = https://controller-fqdn:6080/vnc_auto.htm
ssl_only=true
cert=cert.crt
key=key.key

Tests functionality and certificate
===================================
curl -vvv https://fqdn-controller:6080
* Rebuilt URL to: https://fqdn-controller:6080/
*   Trying xxx.xxx.xxx.xxx...
* Connected to fqdn-controller (xxx.xxx.xxx.xxx) port 6080 (#0)
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake

openssl s_client -connect fqdn-controller:6080 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x7fde23500600 [0x7fde24004200] (130 bytes => 130 (0x82))
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00   ......W... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00   ..3..2../.......
0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00   ................
0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11   .........@......
0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00   ................
0060 - 00 ff fd 8a ba 76 60 37-10 91 c0 c3 00 3d 40 67   .....v`7.....=@g
0070 - 74 a3 b4 df 18 9c f8 c3-90 23 bb 2c 1a 88 35 f6   t........#.,..5.
0080 - d0 cb                                             ..
SSL_connect:SSLv2/v3 write client hello A
read from 0x7fde23500600 [0x7fde24009800] (7 bytes => -1 (0xFFFFFFFFFFFFFFFF))
SSL_connect:error in SSLv2/v3 read server hello A
write:errno=54

netstat -tupln | grep 6080
tcp        0      0 0.0.0.0:6080            0.0.0.0:*               LISTEN      20504/python

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5900:5999,6080,6081,6082,7940,7937,8773,8774,8775 /* 101 accept all tcp nova */

Workaround to prove functionality and certificate
=================================================
Workaround to verify VNC, port and cert are valid and functional:

Test:
openstack-service stop openstack-nova-novncproxy
/usr/bin/python /usr/bin/nova-novncproxy --cert cert.crt

Results:
curl -vvv https://fqdn-controller:6080
* Rebuilt URL to: https://fqdn-controller:6080/
*   Trying xxx.xxx.xxx.xxx...
* Connected to fqdn-controller (xxx.xxx.xxx.xxx) port 6080 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: *.MyDogIsOnFire.com
* Server certificate: MyDogIsOnFire SSL CA02
* Server certificate: MyDogIsOnFire SSL Policy K1
* Server certificate: MyDogIsOnFire Root CA K1
> GET / HTTP/1.1
> Host: fqdn-controller:6080
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: WebSockify Python/2.7.5
< Date: Fri, 27 May 2016 03:42:12 GMT
< Content-type: text/html
< Content-Length: 9923
< Last-Modified: Wed, 25 Feb 2015 20:38:54 GMT
<
<!DOCTYPE html>
<html>
<head>
<!--
noVNC example: simple example using default UI
Copyright (C) 2012 Joel Martin
Copyright (C) 2013 Samuel Mannehed for Cendio AB
noVNC is licensed under the MPL 2.0 (see LICENSE.txt)
This file is licensed under the 2-Clause BSD license (see LICENSE.txt).
** Affects: nova
   Importance: Undecided
   Status: New

** Also affects: centos
   Importance: Undecided
   Status: New

** No longer affects: centos

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1586243

Title:
  Nova does not honor certificate settings for vncproxy

Status in OpenStack Compute (nova):
  New
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1586243/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
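The two nova.conf fragments and the curl/openssl probes in the report are the raw material for a quick self-check. The script below is an added example, not code from the bug report, from nova or from noVNC/websockify. It lints the proxy-side TLS options the way a reviewer would before blaming the daemon (relative cert/key paths that resolve against the service's working directory rather than nova.conf's, an https base URL without ssl_only, a plaintext listener on 0.0.0.0), and it compares the SHA-256 fingerprint of the certificate file with the one a listener actually hands out, which is the check that turns "Server aborted the SSL handshake" into a yes/no answer. Everything in it is an assumption for illustration: the config text is constructed from the report's fragments, the finding strings are mine, the daemon working directory and the demo PEM bodies are placeholders. The compute-side finding encodes a caveat the report does not state: in this nova release cert/key/ssl_only only wrap the browser-to-proxy WebSocket, while the proxy-to-hypervisor VNC leg is plain RFB, so vncserver_listen = 0.0.0.0 combined with the permissive ACCEPT rule for 5900:5999 shown above leaves the hypervisor consoles reachable unencrypted.

```python
"""Added example: static checks for nova-novncproxy TLS settings plus a live
certificate-fingerprint comparison. Not code from the bug report or from nova;
config fragments, finding texts and demo PEMs below are constructed."""
import configparser
import hashlib
import os
import ssl
from urllib.parse import urlparse

# Constructed from the controller and compute fragments quoted in the report.
CONTROLLER_CONF = """\
[DEFAULT]
novncproxy_host = 0.0.0.0
novncproxy_port = 6080
novncproxy_base_url = https://fqdn:6080/vnc_auto.html
vnc_enabled = true
cert = cert.crt
key = key.key
ssl_only = true
"""

COMPUTE_CONF = """\
[DEFAULT]
vnc_enabled = False
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = computeIP
novncproxy_base_url = https://controller-fqdn:6080/vnc_auto.htm
ssl_only = true
cert = cert.crt
key = key.key
"""

# Constructed stand-ins for PEM certificates (base64 of arbitrary bytes); only the
# PEM framing matters for the fingerprint helper, so these are not real X.509.
DEMO_PEM = ssl.DER_cert_to_PEM_cert(b"constructed demo cert, not a real certificate")
OTHER_PEM = ssl.DER_cert_to_PEM_cert(b"a different constructed cert")


def default_section(text):
    """Parse an ini fragment and return its [DEFAULT] options as a plain dict of strings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp.defaults())


def _truthy(value):
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def lint_novnc_tls(opts, daemon_cwd="/"):
    """Proxy-side checks. Returns a list of finding strings; [] means nothing found.
    daemon_cwd is an assumed working directory for the service, used only in messages."""
    findings = []
    ssl_only = _truthy(opts.get("ssl_only", "false"))
    scheme = urlparse(opts.get("novncproxy_base_url", "")).scheme
    if ssl_only:
        for name in ("cert", "key"):
            path = opts.get(name, "")
            if not path:
                findings.append(f"ssl_only=true but {name} is unset")
            elif not os.path.isabs(path):
                # A relative path is resolved against the process's cwd, not nova.conf's dir.
                findings.append(f"{name}={path} is relative and resolves against the daemon "
                                f"working directory ({daemon_cwd}), not the nova.conf directory")
        if scheme == "http":
            findings.append("ssl_only=true but novncproxy_base_url is http://; "
                            "console URLs handed to users will be refused by the proxy")
    else:
        if scheme == "https":
            findings.append("novncproxy_base_url is https:// but ssl_only is not set; "
                            "the proxy will answer in plaintext")
        if opts.get("novncproxy_host") == "0.0.0.0":
            findings.append("proxy listens on all interfaces without TLS")
    return findings


def lint_compute_vnc(opts):
    """Compute-side check. ssl_only/cert/key do not protect the hypervisor's VNC socket."""
    findings = []
    if opts.get("vncserver_listen") == "0.0.0.0":
        findings.append("vncserver_listen=0.0.0.0 exposes plaintext RFB (5900-5999) on every "
                        "interface; bind it to the proxy-facing address and firewall the range")
    return findings


def pem_sha256(pem):
    """SHA-256 over the DER body: the value `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def served_certificate_matches(expected_pem, host, port, fetch=ssl.get_server_certificate):
    """Live check: does the listener serve the certificate nova.conf points at?
    fetch is injectable so the comparison can be exercised offline. With the real
    fetcher, a server that aborts the handshake raises ssl.SSLError / OSError."""
    return pem_sha256(expected_pem) == pem_sha256(fetch((host, port)))


if __name__ == "__main__":
    for label, conf, lint in (("controller", CONTROLLER_CONF, lint_novnc_tls),
                              ("compute", COMPUTE_CONF, lint_compute_vnc)):
        for finding in lint(default_section(conf)):
            print(f"[{label}] {finding}")
    # Live usage (network, real file): open the cert nova.conf names and compare it
    # with what the proxy serves, e.g.
    #   with open("/etc/nova/ssl/cert.crt") as fh:
    #       print(served_certificate_matches(fh.read(), "fqdn-controller", 6080))
```

Run it against your own nova.conf by replacing the constructed fragments with the file contents; an empty finding list from `lint_novnc_tls` plus `True` from `served_certificate_matches` means the listener is using the configured key pair, and a handshake abort at that point is the daemon's doing rather than the configuration's.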