
yahoo-eng-team team mailing list archive

[Bug 1586243] Re: Nova does not honor certificate settings for vncproxy


This bug is reported against kilo, which is no longer supported in any
format. If you can reproduce against upstream master, we can reopen and
look into it.

** Changed in: nova
       Status: New => Incomplete

** Changed in: nova
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1586243

Title:
  Nova does not honor certificate settings for vncproxy

Status in OpenStack Compute (nova):
  Invalid

Bug description:
  Description
  ===========
  The certificate/key defined in the nova.conf seem to have no apparent effect when starting the openstack-nova-novncproxy.  This results in the inability to access the vnc console securely.

  Expected result
  ===============
  VNC console accessible via secure vnc url

  Actual result
  =============
  VNC Fails to establish connection

  Environment
  ===========
  CentOS Linux release 7.2.1511 (Core)
  Linux 3.10.0-327.18.2.el7.x86_64 #1 SMP Thu May 12 11:03:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

  Package Versions:
  openstack-nova-common-2015.1.2-1.el7.noarch
  openstack-nova-console-2015.1.2-1.el7.noarch
  openstack-nova-conductor-2015.1.2-1.el7.noarch
  openstack-nova-scheduler-2015.1.2-1.el7.noarch
  openstack-nova-api-2015.1.2-1.el7.noarch
  openstack-nova-novncproxy-2015.1.2-1.el7.noarch
  openstack-nova-cert-2015.1.2-1.el7.noarch

  Steps to reproduce
  ==================

  Controller
  novncproxy_host=0.0.0.0
  novncproxy_port=6080
  novncproxy_base_url=https://fqdn:6080/vnc_auto.html
  vnc_enabled=true
  cert=cert.crt
  key=key.key
  ssl_only=true

  Compute
  vnc_enabled = True
  vncserver_listen = 0.0.0.0
  vncserver_proxyclient_address = computeIP
  novncproxy_base_url = https://controller-fqdn:6080/vnc_auto.htm
  ssl_only=true
  cert=cert.crt
  key=key.key

  Tests functionality and certificate
  ===================================

  curl -vvv https://fqdn-controller:6080
  * Rebuilt URL to: https://fqdn-controller:6080/
  *   Trying xxx.xxx.xxx.xxx...
  * Connected to fqdn-controller (xxx.xxx.xxx.xxx) port 6080 (#0)
  * Server aborted the SSL handshake
  * Closing connection 0
  curl: (35) Server aborted the SSL handshake

  openssl s_client -connect fqdn-controller:6080 -state -debug
  CONNECTED(00000003)
  SSL_connect:before/connect initialization
  write to 0x7fde23500600 [0x7fde24004200] (130 bytes => 130 (0x82))
  0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00   ......W... ..9..
  0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
  0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00   ..3..2../.......
  0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00   ................
  0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11   .........@......
  0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00   ................
  0060 - 00 ff fd 8a ba 76 60 37-10 91 c0 c3 00 3d 40 67   .....v`7.....=@g
  0070 - 74 a3 b4 df 18 9c f8 c3-90 23 bb 2c 1a 88 35 f6   t........#.,..5.
  0080 - d0 cb                                             ..
  SSL_connect:SSLv2/v3 write client hello A
  read from 0x7fde23500600 [0x7fde24009800] (7 bytes => -1 (0xFFFFFFFFFFFFFFFF))
  SSL_connect:error in SSLv2/v3 read server hello A
  write:errno=54

  netstat -tupln |grep 6080
  tcp        0      0 0.0.0.0:6080            0.0.0.0:*               LISTEN      20504/python

  ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0
  multiport dports 5900:5999,6080,6081,6082,7940,7937,8773,8774,8775 /*
  101 accept all tcp nova */

  Workaround to prove functionality and certificate
  =================================================

  Workaround to verify vnc, port and cert valid and functional:
  Test:
  openstack-service stop openstack-nova-novncproxy
  /usr/bin/python /usr/bin/nova-novncproxy --cert cert.crt

  Results:
  curl -vvv https://fqdn-controller:6080
  * Rebuilt URL to: https://fqdn-controller:6080/
  *   Trying xxx.xxx.xxx.xxx...
  * Connected to fqdn-controller (xxx.xxx.xxx.xxx) port 6080 (#0)
  * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  * Server certificate: *.MyDogIsOnFire.com
  * Server certificate: MyDogIsOnFire SSL CA02
  * Server certificate: MyDogIsOnFire SSL Policy K1
  * Server certificate: MyDogIsOnFire Root CA K1
  > GET / HTTP/1.1
  > Host: fqdn-controller:6080
  > User-Agent: curl/7.43.0
  > Accept: */*
  >
  < HTTP/1.1 200 OK
  < Server: WebSockify Python/2.7.5
  < Date: Fri, 27 May 2016 03:42:12 GMT
  < Content-type: text/html
  < Content-Length: 9923
  < Last-Modified: Wed, 25 Feb 2015 20:38:54 GMT
  <
  <!DOCTYPE html>
  <html>
  <head>

      <!--
      noVNC example: simple example using default UI
      Copyright (C) 2012 Joel Martin
      Copyright (C) 2013 Samuel Mannehed for Cendio AB
      noVNC is licensed under the MPL 2.0 (see LICENSE.txt)
      This file is licensed under the 2-Clause BSD license (see LICENSE.txt).

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1586243/+subscriptions
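The report above contrasts a nova.conf whose cert/key/ssl_only lines have no visible effect with a proxy started by hand with --cert, and uses curl and openssl s_client to tell the two apart. The script below is an added example, not code from the bug report or from nova: it performs the same two checks an operator would want, a static check of the [DEFAULT] VNC options (relative cert/key paths resolved against the service's working directory, missing files, ssl_only versus the scheme of novncproxy_base_url) and a live TLS probe of host:port that classifies an aborted handshake the way curl did above. Assumptions are labelled in the code: the options are read from [DEFAULT] as on kilo, a daemon's working directory defaults to "/", and the sample configuration is the controller fragment from the report.

```python
"""Added example: static and live checks for nova-novncproxy TLS settings."""
import configparser
import os
import socket
import ssl
from typing import Callable, Dict, List, Optional

# Constructed sample: the controller-side options pasted in the bug report.
SAMPLE_CONF = """\
novncproxy_host=0.0.0.0
novncproxy_port=6080
novncproxy_base_url=https://fqdn:6080/vnc_auto.html
vnc_enabled=true
cert=cert.crt
key=key.key
ssl_only=true
"""


def _default_options(conf_text: str) -> Dict[str, str]:
    """Return the [DEFAULT] options of a nova.conf fragment (keys lowercased).

    Assumption: on kilo the VNC proxy options live in [DEFAULT]; a bare
    option list, as pasted in the report, is treated as that section."""
    if not conf_text.lstrip().startswith("["):
        conf_text = "[DEFAULT]\n" + conf_text
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return dict(parser.defaults())


def _truthy(value: Optional[str]) -> bool:
    return (value or "").strip().lower() in ("true", "1", "yes", "on")


def check_novncproxy_tls(conf_text: str, service_cwd: str = "/",
                         file_exists: Callable[[str], bool] = os.path.isfile) -> Dict[str, object]:
    """Flag the ways a cert/key/ssl_only setup can fail without an error in the log.

    service_cwd is the directory the proxy process starts in (assumed "/" for a
    daemon); a relative cert or key path is resolved against it, which is not
    where the file sits when the operator tested from /etc/nova by hand."""
    opts = _default_options(conf_text)
    findings: List[str] = []
    ssl_only = _truthy(opts.get("ssl_only"))
    if not ssl_only:
        findings.append("ssl_only is not enabled: the proxy also accepts unencrypted ws:// clients")

    resolved: Dict[str, Optional[str]] = {}
    for name in ("cert", "key"):
        raw = (opts.get(name) or "").strip()
        if not raw:
            resolved[name] = None
            findings.append(f"{name} is not set")
            continue
        path = raw
        if not os.path.isabs(path):
            path = os.path.join(service_cwd, path)
            findings.append(f"{name}={raw!r} is relative; a process started in "
                            f"{service_cwd!r} resolves it to {path!r}")
        if not file_exists(path):
            findings.append(f"{name} file {path!r} is not present")
        resolved[name] = path

    base_url = (opts.get("novncproxy_base_url") or "").strip()
    if ssl_only and base_url.startswith("http://"):
        findings.append("ssl_only is set but novncproxy_base_url is http://: "
                        "clients following it open plain ws:// and are rejected")
    if not ssl_only and base_url.startswith("https://"):
        findings.append("novncproxy_base_url is https:// but ssl_only is off: "
                        "a plain-text path to the console stays open")
    return {"ssl_only": ssl_only, "cert": resolved["cert"],
            "key": resolved["key"], "findings": findings}


def probe_tls(host: str, port: int, timeout: float = 5.0) -> Dict[str, object]:
    """Live check matching the curl/openssl tests in the report: does host:port
    complete a TLS handshake, and with which certificate subject?"""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "version": tls.version(),
                        "subject": cert.get("subject")}
    except ssl.SSLError as exc:          # plain HTTP answer, bad version, verify failure
        return {"ok": False, "error": f"handshake failed: {exc}"}
    except OSError as exc:               # connection reset/aborted, refused, timeout
        return {"ok": False, "error": f"connection failed: {exc}"}


if __name__ == "__main__":
    report = check_novncproxy_tls(SAMPLE_CONF, service_cwd="/", file_exists=lambda _p: False)
    for line in report["findings"]:
        print("-", line)
```

Run on the report's fragment with no cert files present, the static check returns four findings (cert and key each relative and resolved to "/cert.crt" and "/key.key", then each reported missing), which is the kind of silent failure that leaves the proxy listening on 6080 without TLS while the operator's own openssl s_client run, started from the directory that holds cert.crt, succeeds. probe_tls("fqdn-controller", 6080) reports ok=False with the handshake or connection error for the broken state and ok=True with the served subject once the certificate is actually loaded.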

