Red Hat Bugzilla – Bug 986060
Unable to have horizon supply https links with novnc ssl/tls configuration.
Last modified: 2016-04-26 10:00:48 EDT
Description of problem:
After configuring novnc with ssl/tls with a self-signed http cert/key with openssl, horizon still provides the http link in the novnc session. If it is manually updated to https then it works as expected.
Version-Release number of selected component (if applicable): RHOS 3.0
How reproducible: n/a
Steps to Reproduce: n/a
Actual results: horizon will supply the non secure link for novnc session.
Expected results: horizon should use the correct link when novnc is set up for ssl/tls.
Horizon uses the url as returned by the "nova get-vnc-console" command. I'm not sure how this url is created in the background, perhaps someone from Nova can shed some light on this?
This indeed appears to be a nova bug - no matter how nova-novncproxy binary is configured - nova will always construct the url it returns from get-vnc-console based on novncproxy_base_url config option which by default has http:// set as protocol.
Ideally we will fix this in upcoming releases to be autodetected - but for now - the workaround is that if using tls - change novncproxy_base_url to have https:// as protocol, as this is what nova will serve back to horizon.
As I saw there are the cert/key and ssl_only options in the config file for the vnc configuration. Did you set the ssl_only option to true, or just configure the cert/key?
I made a patch for this but when I read the description I got a little confused.
Is the expected scenario for the novnc to be accessible on both http and https or only on https when configured like this? If it's expected to be just on https the ssl_only option should probably be turned on.
I'm asking this because I check the ssl_only option to see if ssl/tls is configured.
The config validation blueprint appears to have been abandoned upstream.
Do we want to try and revive it, do we want to say "make sure to configure your cloud correctly", or do we want to try and have Nova replace the HTTP with HTTPS when ssl_only is enabled?
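One way to catch the mismatch discussed in this bug before horizon hands out an http:// console link, as an added example (not code from Nova or from the patch mentioned in the thread): a check over nova.conf text that compares ssl_only and cert with the scheme of novncproxy_base_url. It assumes the options live in [DEFAULT] or a [vnc] section; the sample configs, certificate paths and hostname are constructed.

```python
import configparser
from urllib.parse import urlsplit

# nova's default when novncproxy_base_url is not set in the file.
DEFAULT_BASE_URL = "http://127.0.0.1:6080/vnc_auto.html"

def check_novnc_tls(conf_text):
    """Return findings where the proxy's TLS settings and the URL nova
    hands to horizon disagree. An empty list means they are consistent."""
    # nova.conf values may contain '%', so disable interpolation.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(conf_text)
    # Assumption: options sit in [vnc] (newer layouts) or [DEFAULT].
    section = "vnc" if cfg.has_section("vnc") else "DEFAULT"
    ssl_only = cfg.getboolean(section, "ssl_only", fallback=False)
    cert_set = bool(cfg.get(section, "cert", fallback="").strip())
    base_url = cfg.get(section, "novncproxy_base_url", fallback=DEFAULT_BASE_URL)
    scheme = urlsplit(base_url).scheme.lower()

    findings = []
    if scheme != "https":
        if ssl_only:
            findings.append("ssl_only-with-http: proxy accepts only TLS but "
                            "novncproxy_base_url is " + base_url)
        elif cert_set:
            findings.append("cert-with-http: cert is configured but console "
                            "links will use " + base_url)
    return findings

# Constructed samples; the certificate paths are placeholders.
REPORTED = """[DEFAULT]
cert = /etc/nova/novnc.crt
key = /etc/nova/novnc.key
"""
WORKAROUND = REPORTED + "ssl_only = true\n" \
    "novncproxy_base_url = https://console.example.test:6080/vnc_auto.html\n"

if __name__ == "__main__":
    for name, text in (("reported", REPORTED), ("workaround", WORKAROUND)):
        print(name, check_novnc_tls(text) or "consistent")
```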