I was able to reproduce this locally with devstack and ran the qemu command for VNC through strace:

$ LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin QEMU_AUDIO_DRV=none strace /usr/bin/qemu-system-x86_64 -vnc 127.0.0.1:0,tls,x509verify=/etc/pki/libvirt-vnc

and got the result:

openat(AT_FDCWD, "/etc/pki/libvirt-vnc/server-key.pem", O_RDONLY) = -1 EACCES (Permission denied)
write(2, "qemu-system-x86_64: -vnc 127.0.0"..., 236qemu-system-x86_64: -vnc 127.0.0.1:0,tls,x509verify=/etc/pki/libvirt-vnc: Failed to start VNC server: Cannot load certificate '/etc/pki/libvirt-vnc/server-cert.pem' & key '/etc/pki/libvirt-vnc/server-key.pem': Error while reading file.

Looking at the file permissions on xenial (OpenSSL 1.0.2):

$ ll /etc/pki/libvirt-vnc/
total 20
drwxr-xr-x 2 libvirt-qemu libvirt-qemu 4096 Mar 22 17:30 ./
drwxr-xr-x 4 root root 4096 Mar 22 17:30 ../
-rw-r--r-- 1 root root 2554 Mar 22 17:30 ca-cert.pem
-rw-r--r-- 1 root root 1367 Mar 22 17:30 server-cert.pem
-rw-r--r-- 1 root root 1704 Mar 22 17:30 server-key.pem

The server-key.pem file is readable to all.

Looking at the files on bionic (OpenSSL 1.1.0):

$ ll /etc/pki/libvirt-vnc/
total 20
drwxr-xr-x 2 libvirt-qemu libvirt-qemu 4096 Mar 22 23:48 ./
drwxr-xr-x 4 root root 4096 Mar 22 23:48 ../
-rw-r--r-- 1 root root 2554 Mar 22 23:48 ca-cert.pem
-rw-r--r-- 1 root root 1367 Mar 22 23:48 server-cert.pem
-rw------- 1 root root 1704 Mar 22 23:48 server-key.pem

The server-key.pem file is readable only for root. This is the root cause, no pun intended.

So, I think we need to set the ownership of the files under the /etc/pki/<console> directories to the user:group intended to read them.
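The two listings above show the two failure modes of a private key on disk: on xenial the key is world-readable (mode 644), on bionic it is unreadable by the qemu process (mode 600, owned by root). The script below is an added example for this comment, not code from the bug report, libvirt, QEMU or DevStack. It classifies a key file as `world-readable`, `unreadable` (by the service account) or `ok`, and prints the chown/chmod that would fix it. The service account name `libvirt-qemu`, the `/etc/pki/<console>/server-key.pem` layout and the GNU `stat -c` format are assumptions.

```shell
#!/bin/sh
# check_vnc_key_perms.sh (added example; assumes a libvirt-qemu service
# account and GNU stat). Usage: check_vnc_key_perms.sh KEY_FILE SVC_USER SVC_GROUP

# classify_key MODE OWNER GROUP SVC_USER SVC_GROUP
#   MODE is the octal permission string as printed by `stat -c %a`.
#   Prints exactly one of:
#     world-readable  any account on the host can read the private key
#     unreadable      the service account cannot read it (the bug in this report)
#     ok              the service account can read it and "other" cannot
classify_key() {
    mode=$1 owner=$2 group=$3 svc_user=$4 svc_group=$5
    # keep only the last three digits (drops a leading 0 or setuid/sticky digit)
    mode=${mode#"${mode%???}"}
    u=${mode%??}             # owner digit
    g=${mode#?}; g=${g%?}    # group digit
    o=${mode#??}             # other digit
    # the read bit is 4 in each digit
    if [ $((o & 4)) -ne 0 ]; then
        echo world-readable
        return 0
    fi
    readable=0
    [ "$owner" = "$svc_user" ] && [ $((u & 4)) -ne 0 ] && readable=1
    [ "$group" = "$svc_group" ] && [ $((g & 4)) -ne 0 ] && readable=1
    if [ "$readable" -eq 0 ]; then
        echo unreadable
        return 0
    fi
    echo ok
}

# check_key_file PATH SVC_USER SVC_GROUP
#   Reads mode/owner/group of a real file with stat(1) and classifies it.
#   Returns 2 if the file cannot be stat'ed.
check_key_file() {
    st=$(stat -c '%a %U %G' "$1") || return 2
    set -- $st "$2" "$3"
    classify_key "$1" "$2" "$3" "$4" "$5"
}

# suggest_fix PATH SVC_GROUP
#   Prints the remediation the comment proposes: root keeps ownership, the
#   service group gets read access, "other" gets nothing.
suggest_fix() {
    printf 'chown root:%s %s && chmod 0640 %s\n' "$2" "$1" "$1"
}

if [ "$#" -eq 3 ]; then
    state=$(check_key_file "$1" "$2" "$3") || { echo "cannot stat $1" >&2; exit 2; }
    echo "$1: $state"
    [ "$state" = ok ] || suggest_fix "$1" "$3"
fi
```

Run it as `sh check_vnc_key_perms.sh /etc/pki/libvirt-vnc/server-key.pem libvirt-qemu libvirt-qemu` on each host; the xenial listing yields `world-readable` and the bionic listing `unreadable`, while the proposed `root:libvirt-qemu` with mode 0640 yields `ok`. Group-read rather than chown to the service user keeps the key from being rewritten by a compromised qemu process.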