Bug 986060 - Unable to have horizon supply https links with nonvc ssl/tls configuration.
Unable to have horizon supply https links with nonvc ssl/tls configuration.
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova (Show other bugs)
x86_64 Linux
high Severity high
: beta
: 6.0 (Juno)
Assigned To: Eoghan Glynn
: FutureFeature, Triaged
Depends On: 1039668
  Show dependency treegraph
Reported: 2013-07-18 17:36 EDT by Josh Carter
Modified: 2016-04-26 10:00 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Release Note
Doc Text:
In OpenStack Compute, if openstack-nova-novncproxy is configured to use TLS, the protocol is not set to https:// automatically. In order for the Dashboard and Compute to provide a proper https:// protocol in the URLs for connecting to instances, you must manually change the novncproxy_base_url config option to have https:// as the protocol.
Story Points: ---
Clone Of:
Last Closed: 2015-11-17 16:00:55 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Josh Carter 2013-07-18 17:36:55 EDT
Description of problem: 

After configuring novnc with ssl/tls with a self-sgined http cert/key with openssl horizon still provides the http link in the novnc session. If it is manually updated to https then it works as expected. 

Version-Release number of selected component (if applicable): RHOS 3.0

How reproducible: n/a

Steps to Reproduce: n/a 

Actual results: horizon will supply the non secure link for novnc session.

Expected results: horizon should use the correct link when novnc is setup for ssl/tls. 

Additional info:
Comment 2 Julie Pichon 2013-09-04 11:52:54 EDT
Horizon uses the url as returned by the "nova get-vnc-console" command. I'm not sure how this url is created in the background, perhaps someone from Nova can shed some light on this?
Comment 4 Nikola Dipanov 2013-10-10 14:24:52 EDT
This indeed appears to be a nova bug - no matter how nova-novncproxy binary is configured - nova will always construct the url it returns from  get-vnc-console based on novncproxy_base_url config option which by default has http:// set as protocol.

Ideally we will fix this in upcoming releases to be autodetected - but for now - the workaround is that if using tls - change novncproxy_base_ur to have https:// as protocol, as this is what nova will serve back to horizon.
Comment 5 Vladan Popovic 2013-10-18 04:30:03 EDT
As I saw there are the cert/key and ssl_only options in the config file for the vnc configuration. Did you set the ssl_only option to true, or just configure the cert/key?
I made a patch for this but when I read the description I got a little confused. 

Is the expected scenario for the novnc to be accessible on both http and https or only on https when configured like this? If it's expected to be just on https the ssl_only option should be probably turned on.

I'm asking this because I check the ssl_only option to see if ssl/tls is configured.
Comment 13 Solly Ross 2014-10-23 16:48:29 EDT
The config validation blueprint appears to have been abandoned upstream.
Do we want to try and revive it, do we want to say "make sure to configuration your cloud correctly", or do we want to try and have Nova replace the HTTP with HTTPS when ssl_only is enabled?

Note You need to log in before you can comment on or make changes to this bug.