Ask Your Question
0

Nova spice-html5 tls error

asked 2015-11-16 11:06:26 -0500

id-cat gravatar image

updated 2015-11-17 08:16:55 -0500

Primarily must say that i'm not very familiar with specifics of using tsl certificates. With configuration of nova.conf for spice and also disabled vnc оn controller node:

[DEFAULT]
cert = /etc/nova/server.crt
key_file = /etc/nova/server.key

vnc_enabled = False
web = /usr/share/spice-html5

[spice]
# Enable spice related features (boolean value)
enabled = True
insecure = True
# Enable spice guest agent support (boolean value)
agent_enabled = true
html5proxy_base_url = http://controller:6082/spice_auto.html
html5proxy_host = 0.0.0.0
html5proxy_port = 6082
#html5proxy_port = 6080
keymap = en-us

When I try get access to console, curl says:

curl: (35) Unknown SSL protocol error in connection to controller:6082

and log contains

nova-spicehtml5proxy[19730]: 2015-11-16 19:47:02.080 24392 INFO nova.console.websocketproxy [-] handler exception: [Errno 336265225] _ssl.c:368: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

I generated serts previously using script

SUBJ=/C=US/ST=Unset/L=Unset/O=IIOOOI/CN=controller

# Generate DH params
openssl dhparam -out dh2048.pem 2048

# Generate CA key/cert
openssl req -x509 -newkey rsa:2048 -subj $SUBJ -keyout ca.key -out ca.crt

# Generate server key/cert
openssl req -new -nodes -subj $SUBJ -keyout server.key -out server.csr

# Generate user key/cert
openssl req -newkey rsa:2048 -subj $SUBJ -keyout client1.key -out client1.csr

# Sign keys
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
openssl x509 -req -days 3650 -in client1.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client1.crt

What I'm doing wrong? is there a way to disable using https for spice (for example for testing)? Or it may be done only through configuring keystone to use https?

edit retag flag offensive close merge delete

1 answer

Sort by » oldest newest most voted
0

answered 2015-11-17 08:25:09 -0500

VonGoofy gravatar image

Maybe you will get a hint from this line in your config under spice:

insecure = True

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2015-11-16 11:06:26 -0500

Seen: 250 times

Last updated: Nov 17 '15