Nova console and vault provides internal TLS certificate only

A workaround for the issue:

1. get the key and certificates from /etc/apache2/ssl/nova/cert_nova.<domain> and /etc/apache2/ssl/nova/key_nova.<domain>
2. use the deprecated console-ssl- options:
juju config nova-cloud-controller \
    console-ssl-cert="$(base64 cert_nova.<domain>)" \
    console-ssl-key="$(base64 key_nova.<domain>)"

This will overwrite the nova.conf entries with the specified certificate and key:
[DEFAULT]
...
cert=/etc/nova/ssl/nova_cert.pem
key=/etc/nova/ssl/nova_key.pem

The internal / admin / public TLS endpoints will be still terminated by apache, so this change won't affect nova service rest interfaces, only the consoleauth will pick up the setting:

nova 1913397 0.0 0.0 296568 104316 ? Ss 12:44 0:03 /usr/bin/python3 /usr/bin/nova-consoleauth --config-file=/etc/nova/nova.conf --log-file=/var/log/nova/nova-consoleauth.log

Marking this issue as field-high since it is a blocker for ongoing delivery and its work-around depend on a flag that is flagged to be removed.

We need an alternative solution on the charm code before console-ssl-* configs can go away

Please can you provide sanitised bundle and overlays ? Also a juju crashdump if possible.

I think the code that should be adding them is here https://github.com/juju/charm-helpers/blob/master/charmhelpers/contrib/openstack/cert_utils.py#L122 It will be interesting to see if there are any "Skipping request" entries in the logs

We are still waiting on bundle/overlays/logs - has there been any progress on getting these?

Marking as incomplete as requested log files have not been provided.

I suspect the proxy's are falling back to using:

my_ip = 10.246.114.45

cert=/etc/apache2/ssl/nova/cert_10.246.114.45
key=/etc/apache2/ssl/nova/key_10.246.114.45

my_ip is always bound to the internal network space binding (I think)

the cert and key in comment #7 are generated using the internal binding, not the public binding.

Working on a fix.

https://review.opendev.org/742375

Reviewed: https://review.opendev.org/742375
Committed: https://git.openstack.org/cgit/openstack/charm-nova-cloud-controller/commit/?id=f0095ffcbbfd3c84dc410713ea269ea2dd3ea879
Submitter: Zuul
Branch: master

commit f0095ffcbbfd3c84dc410713ea269ea2dd3ea879
Author: James Page <email address hidden>
Date: Wed Jul 22 10:10:15 2020 +0100

    Use public endpoint binding for console cert and key

    Ensure that the public endpoint binding is used to resolve the
    path to the SSL certificate and key files as the base access
    URL for console access is always via this binding.

    Add unit tests to cover the InstanceConsoleContext class.

    Change-Id: I27de9445d249b0d670543d250bd02f450764a10f
    Closes-Bug: 1871428