Comment 2 for bug 1819794

melanie witt (melwitt) wrote :

I see that the attempt disabling tls-proxy failed with:

2019-03-13 01:47:24.187 | + lib/tls:deploy_int_CA:356 : local ca_target_file=/etc/pki/nova-novnc/ca-cert.pem
2019-03-13 01:47:24.189 | + lib/tls:deploy_int_CA:358 : sudo cp /opt/stack/data/CA/int-ca/ca-chain.pem /etc/pki/nova-novnc/ca-cert.pem
2019-03-13 01:47:24.195 | cp: cannot stat '/opt/stack/data/CA/int-ca/ca-chain.pem': No such file or directory
2019-03-13 01:47:24.197 | + lib/tls:deploy_int_CA:1 : exit_trap

which makes sense, because that's the reason we needed to include tls-proxy in the first place. So, I don't think the presence of tls-proxy is the problem.

From the original failure with tls-proxy included, I see that the relevant error in screen-n-cpu.txt is actually this:

Feb 25 15:08:10.760376 ubuntu-bionic-rax-iad-0002993189 nova-compute[31732]: 2019-02-25T15:08:10.650607Z qemu-system-x86_64: -vnc 127.0.0.1:0,tls,x509verify=/etc/pki/libvirt-vnc: Failed to start VNC server: Cannot load certificate '/etc/pki/libvirt-vnc/server-cert.pem' & key '/etc/pki/libvirt-vnc/server-key.pem': Error while reading file.

This is the root cause of the problem.

I'm wondering if it's because there's been a change in the user:group we need for the certs directory. Currently, we're using libvirt-qemu:libvirt-qemu:

https://github.com/openstack-dev/devstack/blob/94ca9f6756e7b677b1ee3fd2e32b555447e950dd/lib/nova_plugins/functions-libvirt#L158
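
One way to test the ownership hypothesis raised in the comment above, as an added example that is not part of the original comment or of devstack: it applies the POSIX owner/group/other permission bits to the certificate directory and the two files named in the QEMU error, for a given uid and set of gids. The function names are hypothetical, and ACLs, SELinux/AppArmor and parent directories are not considered.

```python
import os
import stat

# File names taken from the QEMU error quoted in the comment.
VNC_FILES = ("server-cert.pem", "server-key.pem")


def permits(st, uid, gids, want):
    """want is stat.S_IROTH (read) or stat.S_IXOTH (search); POSIX checks
    exactly one class: owner, else group, else other."""
    if st.st_uid == uid:
        return bool(st.st_mode & (want << 6))
    if st.st_gid in gids:
        return bool(st.st_mode & (want << 3))
    return bool(st.st_mode & want)


def audit_vnc_cert_dir(cert_dir, uid, gids):
    """Return a list of findings; an empty list means no problem was found."""
    try:
        dst = os.stat(cert_dir)
    except OSError as exc:
        return [f"{cert_dir}: {exc.strerror}"]
    findings = []
    if not permits(dst, uid, gids, stat.S_IXOTH):
        findings.append(f"{cert_dir}: uid {uid} cannot traverse directory")
    for name in VNC_FILES:
        path = os.path.join(cert_dir, name)
        try:
            st = os.stat(path)
        except OSError as exc:
            findings.append(f"{path}: {exc.strerror}")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if not permits(st, uid, gids, stat.S_IROTH):
            findings.append(f"{path}: mode {mode:04o} owner "
                            f"{st.st_uid}:{st.st_gid} not readable by uid {uid}")
        elif name.endswith("-key.pem") and mode & stat.S_IROTH:
            findings.append(f"{path}: private key is world-readable ({mode:04o})")
    return findings


if __name__ == "__main__":
    import pwd
    try:
        user = pwd.getpwnam("libvirt-qemu")  # user:group named in the comment
    except KeyError:
        raise SystemExit("no libvirt-qemu user on this host")
    gids = set(os.getgrouplist(user.pw_name, user.pw_gid))
    for line in audit_vnc_cert_dir("/etc/pki/libvirt-vnc", user.pw_uid, gids) or ["ok"]:
        print(line)
```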