Bug 1372678

Summary: On SSL enabled overcloud the novnc URL gets configured with http protocol instead of https
Product: Red Hat OpenStack
Reporter: Marius Cornea <mcornea>
Component: puppet-tripleo
Assignee: Juan Antonio Osorio <josorior>
Status: CLOSED ERRATA
QA Contact: Marius Cornea <mcornea>
Severity: urgent
Priority: unspecified
Version: 10.0 (Newton)
CC: dbecker, jjoyce, josorior, jschluet, kbasil, mburns, morazi, nkinder, rcritten, rhel-osp-director-maint, slinaber, tvignaud
Target Milestone: rc
Keywords: Triaged
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: puppet-tripleo-5.1.0-0.20160928184742.b8f8d0f.el7ost
Last Closed: 2016-12-14 15:55:42 UTC
Type: Bug

Description Marius Cornea 2016-09-02 11:02:27 UTC
Description of problem:
On SSL enabled overcloud the novnc URL gets configured with http protocol instead of https:

source ~/stackrc
export THT=/usr/share/openstack-tripleo-heat-templates
openstack overcloud deploy --templates \
-e $THT/environments/network-isolation.yaml \
-e $THT/environments/network-management.yaml \
-e ~/templates/network-environment.yaml \
-e $THT/environments/storage-environment.yaml \
-e ~/templates/disk-layout.yaml \
-e ~/templates/wipe-disk-env.yaml \
-e ~/templates/enable-tls.yaml \
-e ~/templates/inject-trust-anchor.yaml \
-e ~/templates/tls-endpoints-public-ip.yaml \
-e ~/templates/ssl-ports.yaml \
--control-scale 3 \
--control-flavor controller \
--compute-scale 1 \
--compute-flavor compute \
--ceph-storage-scale 1 \
--ceph-storage-flavor ceph \
--ntp-server clock.redhat.com \
--log-file overcloud_deployment.log &> overcloud_install.log


Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-5.0.0-0.20160823140311.72404b.1.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. Deploy SSL enabled overcloud
2. Launch instance
3. nova get-vnc-console st--89-instance-uayoipreamyl-my_instance-igz4chfjp4u4 novnc


Actual results:
+-------+-----------------------------------------------------------------------------------+
| Type  | Url                                                                               |
+-------+-----------------------------------------------------------------------------------+
| novnc | http://172.16.18.25:6080/vnc_auto.html?token=5060af06-5c0f-4267-8203-0f51785c5e1c |
+-------+-----------------------------------------------------------------------------------+


Expected results:
URL is https://172.16.18.25:6080

Additional info:
This is caused by a misconfiguration in /etc/nova/nova.conf on the compute node:

[root@overcloud-novacompute-0 heat-admin]# grep novnc /etc/nova/nova.conf
novncproxy_base_url=http://172.16.18.25:6080/vnc_auto.html
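
Added example (not part of the original report or of puppet-tripleo): a shell check that flags any active novncproxy_base_url in a nova.conf-style file that does not use https, since the console URL carries the access token as a query parameter. The function name, return codes, the [vnc] section header and both sample files are assumptions constructed from the values shown in this report.

```shell
#!/bin/sh
# check_novnc_scheme FILE (hypothetical helper name)
# Returns 0 if every active novncproxy_base_url uses https,
#         1 if any active value uses another scheme,
#         2 if the option is not set (missing or only commented out).
check_novnc_scheme() {
    conf=$1
    # Active (uncommented) assignments only; tolerate spaces around "=".
    values=$(sed -n 's/^[[:space:]]*novncproxy_base_url[[:space:]]*=[[:space:]]*//p' "$conf")
    [ -n "$values" ] || { echo "novncproxy_base_url not set in $conf"; return 2; }
    rc=0
    # Here-document keeps the loop in the current shell so rc survives.
    while IFS= read -r v; do
        case $v in
            https://*) echo "OK   $v" ;;
            *)         echo "FAIL $v (console token would be sent unencrypted)"; rc=1 ;;
        esac
    done <<EOF
$values
EOF
    return $rc
}

# Constructed sample input: the value reported on the compute node, and a
# value matching the console URL seen after the fix (section header assumed).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '[vnc]\nnovncproxy_base_url=http://172.16.18.25:6080/vnc_auto.html\n' > "$tmp/before.conf"
printf '[vnc]\nnovncproxy_base_url = https://172.16.18.25:13080/vnc_auto.html\n' > "$tmp/after.conf"

for f in "$tmp/before.conf" "$tmp/after.conf"; do
    check_novnc_scheme "$f" || echo "-> $f needs attention (rc=$?)"
done
```

On a deployed node the same function can be pointed at /etc/nova/nova.conf.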

Comment 3 Juan Antonio Osorio 2016-09-07 16:10:22 UTC
This could potentially be fixed in OSP10. Gotta test it out manually. But with the addition of keystone setting up the endpoints via puppet this should be covered.

Comment 6 Juan Antonio Osorio 2016-09-15 15:07:35 UTC
So this is still an issue. But I set up some patches upstream for this.

Comment 7 Rob Crittenden 2016-09-19 17:54:01 UTC
Merged upstream.

Comment 11 Marius Cornea 2016-11-07 11:58:49 UTC
[stack@undercloud-0 ~]$ nova get-vnc-console  st--db-instance-eze65xgccna4-my_instance-l2cfbgtmak5b novnc
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:303: SubjectAltNameWarning: Certificate for 172.16.18.25 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:303: SubjectAltNameWarning: Certificate for 172.16.18.25 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
+-------+-------------------------------------------------------------------------------------+
| Type  | Url                                                                                 |
+-------+-------------------------------------------------------------------------------------+
| novnc | https://172.16.18.25:13080/vnc_auto.html?token=31271131-28ff-46ed-b1ff-b06292d1066d |
+-------+-------------------------------------------------------------------------------------+

Comment 13 errata-xmlrpc 2016-12-14 15:55:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html