yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #51577
[Bug 1586243] [NEW] Nova does not honor certificate settings for vncproxy
Public bug reported:
Description
===========
The certificate/key defined in the nova.conf seem to have no apparent effect when starting the openstack-nova-novncproxy. This results in the inability to access the vnc console securely
Expected result
===============
VNC console assessable via secure vnc url
Actual result
=============
VNC Fails to establish connection
Environment
===========
CentOS Linux release 7.2.1511 (Core)
Linux 3.10.0-327.18.2.el7.x86_64 #1 SMP Thu May 12 11:03:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Package Versions:
openstack-nova-common-2015.1.2-1.el7.noarch
openstack-nova-console-2015.1.2-1.el7.noarch
openstack-nova-conductor-2015.1.2-1.el7.noarch
openstack-nova-scheduler-2015.1.2-1.el7.noarch
openstack-nova-api-2015.1.2-1.el7.noarch
openstack-nova-novncproxy-2015.1.2-1.el7.noarch
openstack-nova-cert-2015.1.2-1.el7.noarch
Steps to reproduce
==================
Controller
novncproxy_host=0.0.0.0
novncproxy_port=6080
novncproxy_base_url=https://fqdn:6080/vnc_auto.html
vnc_enabled=true
cert=cert.crt
key=key.key
ssl_only=true
Compute
vnc_enabled = False
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = computeIP
novncproxy_base_url = https://controller-fqdn:6080/vnc_auto.htm
ssl_only=true
cert=cert.crt
key=key.key
Tests functionality and certificate
===================================
curl -vvv https://fqdn-controller:6080
* Rebuilt URL to: https://fqdn-controller:6080/
* Trying xxx.xxx.xxx.xxx...
* Connected to fqdn-controller (xxx.xxx.xxx.xxx) port 6080 (#0)
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake
openssl s_client -connect fqdn-controller:6080 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x7fde23500600 [0x7fde24004200] (130 bytes => 130 (0x82))
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00 ......W... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00 ..3..2../.......
0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00 ................
0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11 .........@......
0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00 ................
0060 - 00 ff fd 8a ba 76 60 37-10 91 c0 c3 00 3d 40 67 .....v`7.....=@g
0070 - 74 a3 b4 df 18 9c f8 c3-90 23 bb 2c 1a 88 35 f6 t........#.,..5.
0080 - d0 cb ..
SSL_connect:SSLv2/v3 write client hello A
read from 0x7fde23500600 [0x7fde24009800] (7 bytes => -1 (0xFFFFFFFFFFFFFFFF))
SSL_connect:error in SSLv2/v3 read server hello A
write:errno=54
netstat -tupln |grep 6080
tcp 0 0 0.0.0.0:6080 0.0.0.0:* LISTEN 20504/python
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport
dports 5900:5999,6080,6081,6082,7940,7937,8773,8774,8775 /* 101 accept
all tcp nova */
Workaround to prove functionality and certificate
=================================================
Work Around to verify vnc, port and cert valid and functional:
Test:
openstack-service stop openstack-nova-novncproxy
/usr/bin/python /usr/bin/nova-novncproxy --cert cert.crt
Results:
curl -vvv https://fqdn-controller:6080
* Rebuilt URL to: https://fqdn-controller:6080/
* Trying xxx.xxx.xxx.xxx...
* Connected to fqdn-controller (xxx.xxx.xxx.xxx) port 6080 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: *.MyDogIsOnFire.com
* Server certificate: MyDogIsOnFire SSL CA02
* Server certificate: MyDogIsOnFire SSL Policy K1
* Server certificate: MyDogIsOnFire Root CA K1
> GET / HTTP/1.1
> Host: fqdn-controller:6080
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: WebSockify Python/2.7.5
< Date: Fri, 27 May 2016 03:42:12 GMT
< Content-type: text/html
< Content-Length: 9923
< Last-Modified: Wed, 25 Feb 2015 20:38:54 GMT
<
<!DOCTYPE html>
<html>
<head>
<!--
noVNC example: simple example using default UI
Copyright (C) 2012 Joel Martin
Copyright (C) 2013 Samuel Mannehed for Cendio AB
noVNC is licensed under the MPL 2.0 (see LICENSE.txt)
This file is licensed under the 2-Clause BSD license (see LICENSE.txt).
** Affects: nova
Importance: Undecided
Status: New
** Also affects: centos
Importance: Undecided
Status: New
** No longer affects: centos
** Description changed:
Description
===========
- The certificate/key defined in the nova.conf seem to have no apparent effect when starting the openstack-nova-novncproxy. This results in the inability to access the vnc console securly
-
+ The certificate/key defined in the nova.conf seem to have no apparent effect when starting the openstack-nova-novncproxy. This results in the inability to access the vnc console securely
Expected result
- ===============
+ ===============
VNC console assessable via secure vnc url
Actual result
=============
VNC Fails to establish connection
Environment
===========
CentOS Linux release 7.2.1511 (Core)
Linux 3.10.0-327.18.2.el7.x86_64 #1 SMP Thu May 12 11:03:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Package Versions:
openstack-nova-common-2015.1.2-1.el7.noarch
openstack-nova-console-2015.1.2-1.el7.noarch
openstack-nova-conductor-2015.1.2-1.el7.noarch
openstack-nova-scheduler-2015.1.2-1.el7.noarch
openstack-nova-api-2015.1.2-1.el7.noarch
openstack-nova-novncproxy-2015.1.2-1.el7.noarch
openstack-nova-cert-2015.1.2-1.el7.noarch
Steps to reproduce
==================
Controller
novncproxy_host=0.0.0.0
novncproxy_port=6080
novncproxy_base_url=https://fqdn:6080/vnc_auto.html
vnc_enabled=true
cert=cert.crt
key=key.key
ssl_only=true
-
Compute
vnc_enabled = False
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = computeIP
novncproxy_base_url = https://controller-fqdn:6080/vnc_auto.htm
ssl_only=true
cert=cert.crt
key=key.key
-
Tests functionality and certificate
===================================
curl -vvv https://fqdn-controller:6080
* Rebuilt URL to: https://fqdn-controller:6080/
* Trying xxx.xxx.xxx.xxx...
* Connected to fqdn-controller (xxx.xxx.xxx.xxx) port 6080 (#0)
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake
openssl s_client -connect fqdn-controller:6080 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x7fde23500600 [0x7fde24004200] (130 bytes => 130 (0x82))
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00 ......W... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00 ..3..2../.......
0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00 ................
0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11 .........@......
0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00 ................
0060 - 00 ff fd 8a ba 76 60 37-10 91 c0 c3 00 3d 40 67 .....v`7.....=@g
0070 - 74 a3 b4 df 18 9c f8 c3-90 23 bb 2c 1a 88 35 f6 t........#.,..5.
0080 - d0 cb ..
SSL_connect:SSLv2/v3 write client hello A
read from 0x7fde23500600 [0x7fde24009800] (7 bytes => -1 (0xFFFFFFFFFFFFFFFF))
SSL_connect:error in SSLv2/v3 read server hello A
write:errno=54
netstat -tupln |grep 6080
tcp 0 0 0.0.0.0:6080 0.0.0.0:* LISTEN 20504/python
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport
dports 5900:5999,6080,6081,6082,7940,7937,8773,8774,8775 /* 101 accept
all tcp nova */
-
-
-
Workaround to prove functionality and certificate
=================================================
Work Around to verify vnc, port and cert valid and functional:
Test:
openstack-service stop openstack-nova-novncproxy
/usr/bin/python /usr/bin/nova-novncproxy --cert cert.crt
Results:
curl -vvv https://fqdn-controller:6080
* Rebuilt URL to: https://fqdn-controller:6080/
* Trying xxx.xxx.xxx.xxx...
* Connected to fqdn-controller (xxx.xxx.xxx.xxx) port 6080 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: *.MyDogIsOnFire.com
* Server certificate: MyDogIsOnFire SSL CA02
* Server certificate: MyDogIsOnFire SSL Policy K1
* Server certificate: MyDogIsOnFire Root CA K1
> GET / HTTP/1.1
> Host: fqdn-controller:6080
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: WebSockify Python/2.7.5
< Date: Fri, 27 May 2016 03:42:12 GMT
< Content-type: text/html
< Content-Length: 9923
< Last-Modified: Wed, 25 Feb 2015 20:38:54 GMT
<
<!DOCTYPE html>
<html>
<head>
- <!--
- noVNC example: simple example using default UI
- Copyright (C) 2012 Joel Martin
- Copyright (C) 2013 Samuel Mannehed for Cendio AB
- noVNC is licensed under the MPL 2.0 (see LICENSE.txt)
- This file is licensed under the 2-Clause BSD license (see LICENSE.txt).
+ <!--
+ noVNC example: simple example using default UI
+ Copyright (C) 2012 Joel Martin
+ Copyright (C) 2013 Samuel Mannehed for Cendio AB
+ noVNC is licensed under the MPL 2.0 (see LICENSE.txt)
+ This file is licensed under the 2-Clause BSD license (see LICENSE.txt).
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1586243
Title:
Nova does not honor certificate settings for vncproxy
Status in OpenStack Compute (nova):
New
Bug description:
Description
===========
The certificate/key defined in the nova.conf seem to have no apparent effect when starting the openstack-nova-novncproxy. This results in the inability to access the vnc console securely
Expected result
===============
VNC console assessable via secure vnc url
Actual result
=============
VNC Fails to establish connection
Environment
===========
CentOS Linux release 7.2.1511 (Core)
Linux 3.10.0-327.18.2.el7.x86_64 #1 SMP Thu May 12 11:03:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Package Versions:
openstack-nova-common-2015.1.2-1.el7.noarch
openstack-nova-console-2015.1.2-1.el7.noarch
openstack-nova-conductor-2015.1.2-1.el7.noarch
openstack-nova-scheduler-2015.1.2-1.el7.noarch
openstack-nova-api-2015.1.2-1.el7.noarch
openstack-nova-novncproxy-2015.1.2-1.el7.noarch
openstack-nova-cert-2015.1.2-1.el7.noarch
Steps to reproduce
==================
Controller
novncproxy_host=0.0.0.0
novncproxy_port=6080
novncproxy_base_url=https://fqdn:6080/vnc_auto.html
vnc_enabled=true
cert=cert.crt
key=key.key
ssl_only=true
Compute
vnc_enabled = False
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = computeIP
novncproxy_base_url = https://controller-fqdn:6080/vnc_auto.htm
ssl_only=true
cert=cert.crt
key=key.key
Tests functionality and certificate
===================================
curl -vvv https://fqdn-controller:6080
* Rebuilt URL to: https://fqdn-controller:6080/
* Trying xxx.xxx.xxx.xxx...
* Connected to fqdn-controller (xxx.xxx.xxx.xxx) port 6080 (#0)
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake
openssl s_client -connect fqdn-controller:6080 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x7fde23500600 [0x7fde24004200] (130 bytes => 130 (0x82))
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00 ......W... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00 ..3..2../.......
0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00 ................
0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11 .........@......
0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00 ................
0060 - 00 ff fd 8a ba 76 60 37-10 91 c0 c3 00 3d 40 67 .....v`7.....=@g
0070 - 74 a3 b4 df 18 9c f8 c3-90 23 bb 2c 1a 88 35 f6 t........#.,..5.
0080 - d0 cb ..
SSL_connect:SSLv2/v3 write client hello A
read from 0x7fde23500600 [0x7fde24009800] (7 bytes => -1 (0xFFFFFFFFFFFFFFFF))
SSL_connect:error in SSLv2/v3 read server hello A
write:errno=54
netstat -tupln |grep 6080
tcp 0 0 0.0.0.0:6080 0.0.0.0:* LISTEN 20504/python
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0
multiport dports 5900:5999,6080,6081,6082,7940,7937,8773,8774,8775 /*
101 accept all tcp nova */
Workaround to prove functionality and certificate
=================================================
Work Around to verify vnc, port and cert valid and functional:
Test:
openstack-service stop openstack-nova-novncproxy
/usr/bin/python /usr/bin/nova-novncproxy --cert cert.crt
Results:
curl -vvv https://fqdn-controller:6080
* Rebuilt URL to: https://fqdn-controller:6080/
* Trying xxx.xxx.xxx.xxx...
* Connected to fqdn-controller (xxx.xxx.xxx.xxx) port 6080 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: *.MyDogIsOnFire.com
* Server certificate: MyDogIsOnFire SSL CA02
* Server certificate: MyDogIsOnFire SSL Policy K1
* Server certificate: MyDogIsOnFire Root CA K1
> GET / HTTP/1.1
> Host: fqdn-controller:6080
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: WebSockify Python/2.7.5
< Date: Fri, 27 May 2016 03:42:12 GMT
< Content-type: text/html
< Content-Length: 9923
< Last-Modified: Wed, 25 Feb 2015 20:38:54 GMT
<
<!DOCTYPE html>
<html>
<head>
<!--
noVNC example: simple example using default UI
Copyright (C) 2012 Joel Martin
Copyright (C) 2013 Samuel Mannehed for Cendio AB
noVNC is licensed under the MPL 2.0 (see LICENSE.txt)
This file is licensed under the 2-Clause BSD license (see LICENSE.txt).
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1586243/+subscriptions
Follow ups