Bug 1811594 - VNC console fails in horizon with TLS endpoint encryption everywhere
Summary: VNC console fails in horizon with TLS endpoint encryption everywhere
Status: NEW
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: RHOS Documentation Team
QA Contact: RHOS Documentation Team
Depends On:
TreeView+ depends on / blocked
Reported: 2020-03-09 10:15 UTC by sawaghma
Modified: 2021-09-22 10:51 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:

Attachments (Terms of Use)

Description sawaghma 2020-03-09 10:15:59 UTC
Description of problem:

When using existing IPA environment which acts as Intermediate CA then not able to access instances console via VNC. We saw that this issue is fixed in BZ[1] and to overcome the issue we have updated the templates by setting the following and re-run the deploy command:

    LibvirtVncCACert: /etc/ipa/ca.crt

While going through the official doc[2], It does not even mention to use: 

LibvirtVncCACert: /etc/ipa/ca.crt

The docs says: 

"This specifies the CA certificate to use for VNC TLS. This file will be symlinked to the default CA path, which is /etc/pki/libvirt-vnc/ca-cert.pem. This parameter should be used if the default (which comes from the InternalTLSVncCAFile parameter) is not desired. The current default reflects TripleO’s default CA, which is FreeIPA. It will only be used if internal TLS is enabled." 

To configure TLS everywhere refered doc[3].

This chapter only says that it integrates with IPA (which is the only supported way currently by the way and could also be mentioned). A direct hint to this necessary configuration parameter at this point in the documentation would be very helpful!!! And this chapter does not even mention about taking care about further Nova config params in.

Extend the OSP 13 docs and give a hint that you need to set,

    LibvirtVncCACert: /etc/ipa/ca.crt

[1] https://access.redhat.com/solutions/4180891
[2] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/overcloud_parameters/index#compute-nova-parameters
[3] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/advanced_overcloud_customization/index#sect-Enabling_Internal_SSLTLS_on_the_Overcloud

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Comment 2 Roger Heslop 2021-09-15 19:47:29 UTC
Hey Andy, can you set cee_docs_prio on this one?

Note You need to log in before you can comment on or make changes to this bug.