When using spice console, if ssl vars are set, but console-ssl-cert is not set, spiceproxy can't read the apache ssl keys

Bug #1800024 reported by Drew Freiberger on 2018-10-25
This bug affects 4 people
Affects: OpenStack nova-cloud-controller charm
Importance: Medium
Assigned to: Unassigned

Bug Description

The apache2 ssl keys are configured in /etc/nova.conf, and if the console-ssl-cert is not set, spiceproxy defaults to trying to load those keys dropped in /etc/apache2/ssl/nova/*. Those keys are set with root:root 640 perms. Suggest changing to root:nova 640 perms to allow spiceproxy to use those files, which may also be a workaround for bug 1788660.

Trent Lloyd (lathiat) on 2018-11-09
tags: added: sts
Trent Lloyd (lathiat) wrote :

Also ran into this, it causes the nova-novncproxy service to fail to start (issue applies to both VNC and SPICE). See also related Bug #1788660

This problem is worse than just not being able to read the keys.

When you configure SSL for the console (console-ssl-cert/key) and for the nova-cloud-controller itself (ssl_key/ssl_ca/ssl_cert), the same cert= and key= options are set in nova.conf in the same [DEFAULT] section.

So enabling SSL for either enables SSL for both. However, only if console-ssl-{key,cert} is set does the novncproxy_base_url also get set to include https. Hence if you set ssl_key/ssl_cert for nova but not the console, the proxy listens on SSL only but the URL generated does not have SSL, and it does not work.

It's not clear where the cert= and key= entries come from in the case of ssl_key. It's not directly in the template but seems to be set as a variable list of key/value pairs in the charm somewhere; did not determine where.

Trent Lloyd (lathiat) wrote :

I'm not sure that key= and cert= needs to be set for the normal nova-cloud-controller SSL deployment at all, at least in our case where we use apache2 for the SSL frontend.

Changed in charm-nova-cloud-controller:
status: New → Triaged
David O Neill (dmzoneill) wrote :

We're still seeing this behaviour:

[DEFAULT]
verbose=True
debug=True
dhcpbridge_flagfile=/etc/nova/nova.conf
dhcpbridge=/usr/bin/nova-dhcpbridge
logdir=/var/log/nova
state_path=/var/lib/nova
iscsi_helper=tgtadm
libvirt_use_virtio_for_bridges=True
connection_type=libvirt
root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
volumes_path=/var/lib/nova/volumes
enabled_apis=osapi_compute,metadata
compute_driver=libvirt.LibvirtDriver
use_ipv6 = False
osapi_compute_listen = 0.0.0.0
metadata_host = 0.0.0.0
s3_listen = 0.0.0.0

transport_url = .....

osapi_compute_workers = 14

cpu_allocation_ratio = 1
ram_allocation_ratio = 1
disk_allocation_ratio = 1

use_syslog=False
my_ip = CUSTOMER-FQDN......

cert=/etc/apache2/ssl/nova/CUSTOMER_CERT
key=/etc/apache2/ssl/nova/CUSTOMER_KEY

root@juju-f1249e-33-lxd-0:/home/ubuntu# chown root:nova /etc/apache2/ssl/nova/*
root@juju-f1249e-33-lxd-0:/home/ubuntu# chmod 640 /etc/apache2/ssl/nova/*
root@juju-f1249e-33-lxd-0:/home/ubuntu# ls -liah /etc/apache2/ssl/nova/
total 24K
43388548 dr-xr-xr-x 2 root root 4.0K Dec 13 2018 .
43388547 dr-xr-xr-x 3 root root 4.0K Dec 18 2018 ..
43388549 -rw-r----- 1 root nova 2.4K Dec 4 05:06 CUSTOMER_CERT
43388552 -rw-r----- 1 root nova 3.2K Dec 4 05:06 CUSTOMER_KEY

Changed in charm-nova-cloud-controller:
importance: Undecided → Medium
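The two failure modes described in this thread (key material under cert=/key= that the proxy service account cannot read, and a console base URL still on http while cert=/key= make the proxy listen with TLS) can be checked on a unit before the proxy is restarted. The following audit script is an added example, not code from the bug report or from the charm; it assumes an ini-style nova.conf with a [DEFAULT] section and takes the group the proxy runs as (nova, per the root:nova 640 suggestion above) as its second argument.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or the charm). Assumes an ini-style
# nova.conf with a [DEFAULT] section and that the console proxy runs as a member of
# the group given as the second argument (the thread suggests root:nova 640).

# Print the value of <key> from the [DEFAULT] section of <file> (empty if unset).
conf_get() {  # usage: conf_get <file> <key>
    awk -v want="$2" '
        /^\[/ { in_default = ($0 == "[DEFAULT]"); next }
        in_default && $0 ~ ("^[[:space:]]*" want "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }' "$1"
}

# Succeed only if <file> is owned by group <group> and has the group-read bit set.
# Uses ls(1) output so it needs no GNU stat: field 4 is the group name and
# column 5 of the mode string is the group read bit (root:root 640 fails here).
group_readable_by() {  # usage: group_readable_by <file> <group>
    [ -e "$1" ] || return 1
    grp=$(ls -ld "$1" | awk '{print $4}')
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$grp" = "$2" ] && [ "$(printf '%s' "$mode" | cut -c5)" = "r" ]
}

# Audit <nova.conf>; prints one line per finding and returns the number of findings.
check_nova_conf() {  # usage: check_nova_conf <nova.conf> <service-group>
    conf=$1; grp=$2; findings=0
    cert=$(conf_get "$conf" cert)
    key=$(conf_get "$conf" key)
    [ -n "$cert" ] && [ -n "$key" ] || return 0   # proxy not on TLS: nothing to check
    for f in "$cert" "$key"; do   # the service account must be able to read both files
        if ! group_readable_by "$f" "$grp"; then
            echo "FAIL: $f is not readable by group $grp (proxy will fail to start)"
            findings=$((findings + 1))
        fi
    done
    for opt in novncproxy_base_url spicehtml5proxy_base_url; do   # URLs handed to clients
        url=$(conf_get "$conf" "$opt")
        case "$url" in
            "" | https://*) ;;   # unset proxy is ignored; https matches the TLS listener
            *) echo "FAIL: $opt=$url but the proxy only speaks TLS"; findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

if [ "$#" -eq 2 ]; then check_nova_conf "$1" "$2"; fi
```

Run as `sh audit-nova-console.sh /etc/nova/nova.conf nova`; a non-zero exit status is the number of findings, so it drops into a juju run loop cleanly.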