[Openstack] [nova] secure websocket (wss) and websocketproxy setup for serial console

Mike Dorman mdorman at godaddy.com
Fri May 8 16:15:19 UTC 2015


Yeah, you will need:

DEFAULT/ssl_ca_file
DEFAULT/ssl_cert_file
DEFAULT/ssl_key_file

in nova.conf. IIRC that’s all that’s needed to enable SSL on this.

I don’t remember exactly, but that may turn on SSL for other nova services 
as well (spice proxy, etc.), so just be aware of that.

Mike

On 5/8/15, 7:05 AM, "Markus Zoeller" <mzoeller at de.ibm.com> wrote:

>How do I set up a secure websocket connection (wss) for the 
>nova-serialproxy service? I have the following setting on the 
>compute node (nova.conf):
>    [serial_console]
>    enabled = True
>    base_url = wss://<ip-of-controller-node>:6083/  # wss !!
>    proxyclient_address = <ip-of-compute-node>
>
>As soon as I want to use that with Horizon (via https) the 
>nova-serialproxy service logs this trace (from the module 
>"nova.console.websocketproxy"; timestamps and location truncated):
>
>    [...] [-] exception vmsg /usr/lib/python2.7/site-packages/websockify/websocket.py:824
>     Traceback (most recent call last):
>       File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 874, in top_new_client
>         client = self.do_handshake(startsock, address)
>       File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 786, in do_handshake
>         keyfile=self.key)
>       File "/usr/lib/python2.7/site-packages/eventlet/green/ssl.py", line 339, in wrap_socket
>         return GreenSSLSocket(sock, *a, **kw)
>       File "/usr/lib/python2.7/site-packages/eventlet/green/ssl.py", line 64, in __init__
>         ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
>       File "/usr/lib64/python2.7/ssl.py", line 141, in __init__
>         ciphers)
>     SSLError: [Errno 336265225] _ssl.c:351: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
>
>I assume that I have to set the "nova.conf" options "cert" and "key" 
>([DEFAULT] section) on the controller node but I couldn't figure out
>the right setup.
>
>Thanks in advance!
>Markus Zoeller (markus_z)
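
A pre-flight check for the three options named in the reply, as an added example that is not part of the original thread or of nova: it reads `[DEFAULT]` from a nova.conf and loads the certificate and key through Python's `ssl` module, the step where the `SSL_CTX_use_PrivateKey_file:PEM lib` error in the trace is raised. The function name `check_proxy_tls` and the sample files are constructed for illustration, and `configparser` stands in for nova's own config loader.

```python
import configparser
import os
import ssl
import stat
import tempfile

# Option names as given in the reply above; all three go in [DEFAULT].
SSL_OPTS = ("ssl_ca_file", "ssl_cert_file", "ssl_key_file")


def check_proxy_tls(conf_path):
    """Return a list of problems; an empty list means the pair loads."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(conf_path)
    opts = cp.defaults()  # configparser exposes [DEFAULT] via defaults()
    problems = []
    for name in SSL_OPTS:
        path = opts.get(name)
        if not path:
            problems.append("%s is not set in [DEFAULT]" % name)
        elif not os.path.isfile(path):
            problems.append("%s points to a missing file: %s" % (name, path))
    if problems:
        return problems
    key = opts["ssl_key_file"]
    # A key readable by group/other is exposed to every local account.
    if stat.S_IMODE(os.stat(key).st_mode) & 0o077:
        problems.append("ssl_key_file is accessible to group/other: %s" % key)
    # Same load that hit SSL_CTX_use_PrivateKey_file "PEM lib" in the trace.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(opts["ssl_cert_file"], keyfile=key)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        problems.append("cert/key pair does not load: %s" % exc)
    return problems


if __name__ == "__main__":
    # Constructed sample: nova.conf pointing at files that are not valid PEM.
    d = tempfile.mkdtemp()
    paths = {n: os.path.join(d, n + ".pem") for n in SSL_OPTS}
    for p in paths.values():
        with open(p, "w") as fh:
            fh.write("not a PEM file\n")
        os.chmod(p, 0o600)
    conf = os.path.join(d, "nova.conf")
    with open(conf, "w") as fh:
        fh.write("[DEFAULT]\n" + "".join("%s = %s\n" % kv for kv in paths.items()))
    print("\n".join(check_proxy_tls(conf)))
```

Run it as the account the proxy service runs under, so file-permission failures show up the same way they would for the service.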

