nova-novnproxy can't read certificates. Permission denied

charm-nova-cloud-controller version 17.0.7 revision 370

In bootstack a customer was unable to access novnc vm console.

We found that nova-novncproxy was unable to read the certificate and was showing the following error:

2019-03-08 10:17:58.240 1887177 DEBUG nova.console.websocketproxy [-] exception vmsg /usr/lib/python2.7/dist-packages/websockify/websocket.py:878
2019-03-08 10:17:58.240 1887177 ERROR nova.console.websocketproxy Traceback (most recent call last):
2019-03-08 10:17:58.240 1887177 ERROR nova.console.websocketproxy File "/usr/lib/python2.7/dist-packages/websockify/websocket.py", line 933, in top_new_client
2019-03-08 10:17:58.240 1887177 ERROR nova.console.websocketproxy client = self.do_handshake(startsock, address)
2019-03-08 10:17:58.240 1887177 ERROR nova.console.websocketproxy File "/usr/lib/python2.7/dist-packages/websockify/websocket.py", line 840, in do_handshake
2019-03-08 10:17:58.240 1887177 ERROR nova.console.websocketproxy keyfile=self.key)
2019-03-08 10:17:58.240 1887177 ERROR nova.console.websocketproxy File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 379, in wrap_socket
2019-03-08 10:17:58.240 1887177 ERROR nova.console.websocketproxy return GreenSSLSocket(sock, *a, **kw)
2019-03-08 10:17:58.240 1887177 ERROR nova.console.websocketproxy File "/usr/lib/python2.7/dist-packages/eventlet/green/ssl.py", line 68, in __init__
2019-03-08 10:17:58.240 1887177 ERROR nova.console.websocketproxy ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
2019-03-08 10:17:58.240 1887177 ERROR nova.console.websocketproxy File "/usr/lib/python2.7/ssl.py", line 560, in __init__
2019-03-08 10:17:58.240 1887177 ERROR nova.console.websocketproxy self._context.load_cert_chain(certfile, keyfile)
2019-03-08 10:17:58.240 1887177 ERROR nova.console.websocketproxy IOError: [Errno 13] Permission denied

We workaround the issue with:

chown nova:nova /etc/apache2/ssl/nova/*.local