yahoo-eng-team team mailing list archive

[Bug 1586243] [NEW] Nova does not honor certificate settings for vncproxy


Public bug reported:

Description
===========
The certificate/key defined in the nova.conf seem to have no apparent effect when starting the openstack-nova-novncproxy.  This results in the inability to access the vnc console securely

Expected result
===============
VNC console accessible via secure vnc url

Actual result
=============
VNC fails to establish a connection

Environment
===========
CentOS Linux release 7.2.1511 (Core)
Linux 3.10.0-327.18.2.el7.x86_64 #1 SMP Thu May 12 11:03:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Package Versions:
openstack-nova-common-2015.1.2-1.el7.noarch
openstack-nova-console-2015.1.2-1.el7.noarch
openstack-nova-conductor-2015.1.2-1.el7.noarch
openstack-nova-scheduler-2015.1.2-1.el7.noarch
openstack-nova-api-2015.1.2-1.el7.noarch
openstack-nova-novncproxy-2015.1.2-1.el7.noarch
openstack-nova-cert-2015.1.2-1.el7.noarch

Steps to reproduce
==================

Controller
novncproxy_host=0.0.0.0
novncproxy_port=6080
novncproxy_base_url=https://fqdn:6080/vnc_auto.html
vnc_enabled=true
cert=cert.crt
key=key.key
ssl_only=true

Compute
vnc_enabled = False
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = computeIP
novncproxy_base_url = https://controller-fqdn:6080/vnc_auto.htm
ssl_only=true
cert=cert.crt
key=key.key

Tests functionality and certificate
===================================

curl -vvv https://fqdn-controller:6080
* Rebuilt URL to: https://fqdn-controller:6080/
*   Trying xxx.xxx.xxx.xxx...
* Connected to fqdn-controller (xxx.xxx.xxx.xxx) port 6080 (#0)
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake

openssl s_client -connect fqdn-controller:6080 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x7fde23500600 [0x7fde24004200] (130 bytes => 130 (0x82))
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00   ......W... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00   ..3..2../.......
0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00   ................
0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11   .........@......
0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00   ................
0060 - 00 ff fd 8a ba 76 60 37-10 91 c0 c3 00 3d 40 67   .....v`7.....=@g
0070 - 74 a3 b4 df 18 9c f8 c3-90 23 bb 2c 1a 88 35 f6   t........#.,..5.
0080 - d0 cb                                             ..
SSL_connect:SSLv2/v3 write client hello A
read from 0x7fde23500600 [0x7fde24009800] (7 bytes => -1 (0xFFFFFFFFFFFFFFFF))
SSL_connect:error in SSLv2/v3 read server hello A
write:errno=54

netstat -tupln |grep 6080
tcp        0      0 0.0.0.0:6080            0.0.0.0:*               LISTEN      20504/python

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5900:5999,6080,6081,6082,7940,7937,8773,8774,8775 /* 101 accept all tcp nova */

Workaround to prove functionality and certificate
=================================================

Workaround to verify that the VNC port and cert are valid and functional:
Test:
openstack-service stop openstack-nova-novncproxy
/usr/bin/python /usr/bin/nova-novncproxy --cert cert.crt

Results:
curl -vvv https://fqdn-controller:6080
* Rebuilt URL to: https://fqdn-controller:6080/
*   Trying xxx.xxx.xxx.xxx...
* Connected to fqdn-controller (xxx.xxx.xxx.xxx) port 6080 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: *.MyDogIsOnFire.com
* Server certificate: MyDogIsOnFire SSL CA02
* Server certificate: MyDogIsOnFire SSL Policy K1
* Server certificate: MyDogIsOnFire Root CA K1
> GET / HTTP/1.1
> Host: fqdn-controller:6080
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: WebSockify Python/2.7.5
< Date: Fri, 27 May 2016 03:42:12 GMT
< Content-type: text/html
< Content-Length: 9923
< Last-Modified: Wed, 25 Feb 2015 20:38:54 GMT
<
<!DOCTYPE html>
<html>
<head>

    <!--
    noVNC example: simple example using default UI
    Copyright (C) 2012 Joel Martin
    Copyright (C) 2013 Samuel Mannehed for Cendio AB
    noVNC is licensed under the MPL 2.0 (see LICENSE.txt)
    This file is licensed under the 2-Clause BSD license (see LICENSE.txt).
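
The curl and openssl runs above only show that the handshake was aborted. The following added example (my code, not the reporter's and not part of nova or websockify) scripts that same probe so it can be repeated against any novncproxy endpoint, and separates a closed port from a listener that accepts TCP but never completes TLS, which is the state this report describes: LISTEN on 6080 in netstat, yet no ServerHello. `start_plaintext_listener` is a constructed stand-in for a proxy started without its certificate so the block runs offline; the loopback host and ports are assumptions.

```python
import socket
import ssl
import threading


def probe_tls(host, port, timeout=3.0):
    """Classify what host:port does with a TLS ClientHello. "state" is one of:
    "refused" - no TCP listener at all (or unreachable);
    "not_tls" - TCP accepted but no handshake: the report's symptom (netstat
                shows LISTEN on 6080, curl says the server aborted the SSL
                handshake), i.e. the proxy is up but not using cert=/key=;
    "tls"     - handshake done; version/cipher mirror the "TLS 1.2 connection
                using ..." line curl printed once --cert was passed.
    Verification is off on purpose: is the port speaking TLS at all?"""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"state": "refused", "detail": str(exc)}
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"state": "tls", "version": tls.version(),
                    "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:  # EOF, reset, or a plaintext reply
        return {"state": "not_tls", "detail": type(exc).__name__}


def start_plaintext_listener():
    """Constructed stand-in for a proxy started without its certificate:
    accepts one TCP connection, reads the ClientHello and drops it, which
    is what "Server aborted the SSL handshake" looks like on the wire.
    Returns the port it bound on 127.0.0.1."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.settimeout(3.0)
        try:
            conn.recv(4096)  # read and ignore the ClientHello
        except OSError:
            pass
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run `probe_tls("controller-fqdn", 6080)` against the real proxy: "tls" means the cert=/key= settings took effect, "not_tls" reproduces the report.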

** Affects: nova
     Importance: Undecided
         Status: New

** Also affects: centos
   Importance: Undecided
       Status: New

** No longer affects: centos


-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1586243

Title:
  Nova does not honor certificate settings for vncproxy

Status in OpenStack Compute (nova):
  New
