Comment 8 for bug 1819794

melanie witt (melwitt) wrote :

I was able to reproduce this locally with devstack and ran the qemu command for VNC through strace:

  $ LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin QEMU_AUDIO_DRV=none strace /usr/bin/qemu-system-x86_64 -vnc 127.0.0.1:0,tls,x509verify=/etc/pki/libvirt-vnc

and got the result:

  openat(AT_FDCWD, "/etc/pki/libvirt-vnc/server-key.pem", O_RDONLY) = -1 EACCES (Permission denied)
  write(2, "qemu-system-x86_64: -vnc 127.0.0"..., 236qemu-system-x86_64: -vnc 127.0.0.1:0,tls,x509verify=/etc/pki/libvirt-vnc: Failed to start VNC server: Cannot load certificate '/etc/pki/libvirt-vnc/server-cert.pem' & key '/etc/pki/libvirt-vnc/server-key.pem': Error while reading file.

Looking at the file permissions on xenial (OpenSSL 1.0.2):

  $ ll /etc/pki/libvirt-vnc/
  total 20
  drwxr-xr-x 2 libvirt-qemu libvirt-qemu 4096 Mar 22 17:30 ./
  drwxr-xr-x 4 root root 4096 Mar 22 17:30 ../
  -rw-r--r-- 1 root root 2554 Mar 22 17:30 ca-cert.pem
  -rw-r--r-- 1 root root 1367 Mar 22 17:30 server-cert.pem
  -rw-r--r-- 1 root root 1704 Mar 22 17:30 server-key.pem

The server-key.pem file is readable to all.

Looking at the files on bionic (OpenSSL 1.1.0):

  $ ll /etc/pki/libvirt-vnc/
  total 20
  drwxr-xr-x 2 libvirt-qemu libvirt-qemu 4096 Mar 22 23:48 ./
  drwxr-xr-x 4 root root 4096 Mar 22 23:48 ../
  -rw-r--r-- 1 root root 2554 Mar 22 23:48 ca-cert.pem
  -rw-r--r-- 1 root root 1367 Mar 22 23:48 server-cert.pem
  -rw------- 1 root root 1704 Mar 22 23:48 server-key.pem

The server-key.pem file is readable only for root. This is the root cause, no pun intended.

So, I think we need to set the ownership of the files under the /etc/pki/<console> directories to the user:group intended to read them.
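The two listings above show the same failure from both sides: on xenial the key is world-readable (so qemu can open it, but so can every other account on the host), and on bionic the key is 0600 root-owned (so the unprivileged qemu process gets EACCES). The following is an added example, not code from this bug report, nova or libvirt: an audit that, for a `/etc/pki/<console>` directory, reports whether a given service account can read each of the three files and whether the private key is exposed beyond its owner. The directory layout and the `libvirt-qemu` account name are taken from the listings; the function names, the `build_sample_dir` helper and its placeholder PEM contents are constructed here.

```python
"""Audit readability and exposure of the TLS files under /etc/pki/<console>.

Added example; not code from the bug report, nova or libvirt.  The layout
(ca-cert.pem, server-cert.pem, server-key.pem) and the 'libvirt-qemu'
account come from the listings in the comment; everything else is
constructed for illustration.
"""
import os
import stat
import tempfile

EXPECTED_FILES = ("ca-cert.pem", "server-cert.pem", "server-key.pem")


def can_read(mode: int, file_uid: int, file_gid: int, uid: int, gid: int) -> bool:
    """True if a process running as uid/gid may read a file with these
    ownership and mode bits under plain POSIX owner/group/other rules.
    Root's override, ACLs and supplementary groups are deliberately ignored
    so the answer reflects what an unprivileged service account sees."""
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if gid == file_gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit_console_dir(path: str, uid: int, gid: int) -> dict:
    """For each expected file under ``path`` report whether uid/gid can read
    it, and for the private key whether any group/other bits are set
    (the xenial listing's 0644 key would be flagged as exposed)."""
    report = {}
    for name in EXPECTED_FILES:
        full = os.path.join(path, name)
        try:
            st = os.stat(full)
        except FileNotFoundError:
            report[name] = {"present": False, "readable": False, "key_exposed": False}
            continue
        mode = stat.S_IMODE(st.st_mode)
        report[name] = {
            "present": True,
            "mode": oct(mode),
            "owner": (st.st_uid, st.st_gid),
            "readable": can_read(mode, st.st_uid, st.st_gid, uid, gid),
            # a key readable by group or other is a secret shared too widely
            "key_exposed": name.endswith("key.pem")
            and bool(mode & (stat.S_IRWXG | stat.S_IRWXO)),
        }
    return report


def build_sample_dir(key_mode: int) -> str:
    """Construct a throw-away copy of the layout from the comment, owned by
    the current user, with server-key.pem at ``key_mode`` (0o644 mimics the
    xenial listing, 0o600 the bionic one).  Contents are placeholders."""
    d = tempfile.mkdtemp(prefix="libvirt-vnc-")
    for name in EXPECTED_FILES:
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\n")  # constructed, not a real PEM
        os.chmod(p, key_mode if name == "server-key.pem" else 0o644)
    return d


def stranger_ids() -> tuple:
    """uid/gid that is neither the current user nor its primary group,
    standing in for a service account that does not own the files."""
    return os.getuid() + 1, os.getgid() + 1


if __name__ == "__main__":
    import pwd
    try:
        pw = pwd.getpwnam("libvirt-qemu")  # account shown as directory owner above
        target = (pw.pw_uid, pw.pw_gid)
    except KeyError:
        target = stranger_ids()  # host without libvirt: use a placeholder account
    for name, info in audit_console_dir("/etc/pki/libvirt-vnc", *target).items():
        print(name, info)
```

Run against a real host, a key that the service account cannot read reproduces the EACCES case, while `key_exposed` being true reproduces the xenial case; the fix the comment proposes (chown the files to the intended user:group while keeping the key at 0600) makes both flags come out clean.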