Bug 1372678 - On SSL enabled overcloud the novnc URL gets configured with http protocol instead of https
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: 10.0 (Newton)
Assignee: Juan Antonio Osorio
QA Contact: Marius Cornea
Reported: 2016-09-02 11:02 UTC by Marius Cornea
Modified: 2016-12-14 15:55 UTC

Fixed In Version: puppet-tripleo-5.1.0-0.20160928184742.b8f8d0f.el7ost
Last Closed: 2016-12-14 15:55:42 UTC



Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2948 normal SHIPPED_LIVE Red Hat OpenStack Platform 10 enhancement update 2016-12-14 19:55:27 UTC
OpenStack gerrit 370552 None None None 2016-09-20 01:35:05 UTC
OpenStack gerrit 371903 None None None 2016-09-20 01:32:48 UTC

Description Marius Cornea 2016-09-02 11:02:27 UTC
Description of problem:
On SSL enabled overcloud the novnc URL gets configured with http protocol instead of https:

source ~/stackrc
export THT=/usr/share/openstack-tripleo-heat-templates
openstack overcloud deploy --templates \
-e $THT/environments/network-isolation.yaml \
-e $THT/environments/network-management.yaml \
-e ~/templates/network-environment.yaml \
-e $THT/environments/storage-environment.yaml \
-e ~/templates/disk-layout.yaml \
-e ~/templates/wipe-disk-env.yaml \
-e ~/templates/enable-tls.yaml \
-e ~/templates/inject-trust-anchor.yaml \
-e ~/templates/tls-endpoints-public-ip.yaml \
-e ~/templates/ssl-ports.yaml \
--control-scale 3 \
--control-flavor controller \
--compute-scale 1 \
--compute-flavor compute \
--ceph-storage-scale 1 \
--ceph-storage-flavor ceph \
--ntp-server clock.redhat.com \
--log-file overcloud_deployment.log &> overcloud_install.log


Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-5.0.0-0.20160823140311.72404b.1.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. Deploy SSL enabled overcloud
2. Launch instance
3. nova get-vnc-console st--89-instance-uayoipreamyl-my_instance-igz4chfjp4u4 novnc


Actual results:
+-------+-----------------------------------------------------------------------------------+
| Type  | Url                                                                               |
+-------+-----------------------------------------------------------------------------------+
| novnc | http://172.16.18.25:6080/vnc_auto.html?token=5060af06-5c0f-4267-8203-0f51785c5e1c |
+-------+-----------------------------------------------------------------------------------+


Expected results:
URL is https://172.16.18.25:6080

Additional info:
This is caused by a misconfiguration in /etc/nova/nova.conf on the compute node:

[root@overcloud-novacompute-0 heat-admin]# grep novnc /etc/nova/nova.conf
novncproxy_base_url=http://172.16.18.25:6080/vnc_auto.html
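
The misconfiguration shown above can be checked for by parsing nova.conf and flagging any console proxy base URL that is not https, since the console token in the query string otherwise travels unencrypted. This is an added example, not part of the original report or of puppet-tripleo; the function name, the [vnc] section and the second option's value in the sample are assumptions.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: the first URL is the value quoted in the report; the
# [vnc] section name and the xvpvncproxy value are assumptions for illustration.
SAMPLE_NOVA_CONF = """\
[DEFAULT]
debug=False

[vnc]
novncproxy_base_url=http://172.16.18.25:6080/vnc_auto.html
xvpvncproxy_base_url=https://172.16.18.25:13081/console
"""


def find_cleartext_console_urls(conf_text):
    """Return (section, option, url) for every *_base_url not using https."""
    parser = configparser.ConfigParser(
        interpolation=None,            # nova.conf values may contain '%'
        strict=False,                  # tolerate repeated sections/options
        default_section="__unused__",  # treat [DEFAULT] as an ordinary section
    )
    parser.read_string(conf_text)

    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            if not option.endswith("_base_url"):
                continue
            url = value.strip()
            # An empty or scheme-less value is reported too: it is not https.
            if urlsplit(url).scheme.lower() != "https":
                findings.append((section, option, url))
    return findings


if __name__ == "__main__":
    for section, option, url in find_cleartext_console_urls(SAMPLE_NOVA_CONF):
        print("[%s] %s = %s (not https)" % (section, option, url))
```

On a compute node, pass the contents of /etc/nova/nova.conf to find_cleartext_console_urls(); an empty result means every console base URL found uses https.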

Comment 3 Juan Antonio Osorio 2016-09-07 16:10:22 UTC
This could potentially be fixed in OSP10. Gotta test it out manually. But with the addition of keystone setting up the endpoints via puppet this should be covered.

Comment 6 Juan Antonio Osorio 2016-09-15 15:07:35 UTC
So this is still an issue. But I set up some patches upstream for this.

Comment 7 Rob Crittenden 2016-09-19 17:54:01 UTC
Merged upstream.

Comment 11 Marius Cornea 2016-11-07 11:58:49 UTC
[stack@undercloud-0 ~]$ nova get-vnc-console  st--db-instance-eze65xgccna4-my_instance-l2cfbgtmak5b novnc
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:303: SubjectAltNameWarning: Certificate for 172.16.18.25 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:303: SubjectAltNameWarning: Certificate for 172.16.18.25 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
+-------+-------------------------------------------------------------------------------------+
| Type  | Url                                                                                 |
+-------+-------------------------------------------------------------------------------------+
| novnc | https://172.16.18.25:13080/vnc_auto.html?token=31271131-28ff-46ed-b1ff-b06292d1066d |
+-------+-------------------------------------------------------------------------------------+

Comment 13 errata-xmlrpc 2016-12-14 15:55:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html

