Bug 1811594
| Summary: | VNC console fails in horizon with TLS endpoint encryption everywhere | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | sawaghma |
| Component: | documentation | Assignee: | RHOS Documentation Team <rhos-docs> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | RHOS Documentation Team <rhos-docs> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 13.0 (Queens) | CC: | jagee, jbadiapa, joflynn, jschluet, mariel, rheslop |
| Target Milestone: | --- | Keywords: | Documentation, Triaged, ZStream |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-06-30 20:47:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Hey Andy, can you set cee_docs_prio on this one? No response received; Closing with insufficient data. The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days |
Description of problem: When using existing IPA environment which acts as Intermediate CA then not able to access instances console via VNC. We saw that this issue is fixed in BZ[1] and to overcome the issue we have updated the templates by setting the following and re-run the deploy command: ~~~ parameter_defaults: LibvirtVncCACert: /etc/ipa/ca.crt ~~~ While going through the official doc[2], It does not even mention to use: LibvirtVncCACert: /etc/ipa/ca.crt The docs says: "This specifies the CA certificate to use for VNC TLS. This file will be symlinked to the default CA path, which is /etc/pki/libvirt-vnc/ca-cert.pem. This parameter should be used if the default (which comes from the InternalTLSVncCAFile parameter) is not desired. The current default reflects TripleO’s default CA, which is FreeIPA. It will only be used if internal TLS is enabled." To configure TLS everywhere refered doc[3]. This chapter only says that it integrates with IPA (which is the only supported way currently by the way and could also be mentioned). A direct hint to this necessary configuration parameter at this point in the documentation would be very helpful!!! And this chapter does not even mention about taking care about further Nova config params in. Extend the OSP 13 docs and give a hint that you need to set, ~~~ parameter_defaults: LibvirtVncCACert: /etc/ipa/ca.crt ~~~ [1] https://access.redhat.com/solutions/4180891 [2] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/overcloud_parameters/index#compute-nova-parameters [3] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/advanced_overcloud_customization/index#sect-Enabling_Internal_SSLTLS_on_the_Overcloud Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: