[Openstack] [nova] secure websocket (wss) and websocketproxy setup for serial console

Markus Zoeller mzoeller at de.ibm.com
Tue May 12 15:20:14 UTC 2015


> Yeah, you will need:
> 
> DEFAULT/ssl_ca_file
> DEFAULT/ssl_cert_file
> DEFAULT/ssl_key_file
> 
> In nova.conf.  IIRC that's all that's needed to enable SSL on this.
> 
> I don't remember exactly, but that may turn on SSL for other nova services
> as well (spice proxy, etc.)  So just be aware of that.
> 
> Mike

I have a bit of trouble applying your suggestions. Is there a specific 
way to generate the files which will be linked from 
DEFAULT/ssl_ca_file
DEFAULT/ssl_cert_file
DEFAULT/ssl_key_file?

Do I do this as "nova" user? Do the files have to be in a specific
folder with specific permissions?

> On 5/8/15, 7:05 AM, "Markus Zoeller" <mzoeller at de.ibm.com> wrote:
> 
> >How do I set up a secure websocket connection (wss) for the 
> >nova-serialproxy service? I have the following setting on the 
> >compute node (nova.conf):
> >    [serial_console]
> >    enabled = True
> >    base_url = wss://<ip-of-controller-node>:6083/  # wss !!
> >    proxyclient_address = <ip-of-compute-node>
> >
> >As soon as I want to use that with Horizon (via https) the 
> >nova-serialproxy service logs this trace (from the module 
> >"nova.console.websocketproxy"; timestamps and location truncated):
> >
> >    [...] [-] exception vmsg /usr/lib/python2.7/site-packages/websockify/websocket.py:824
> >     Traceback (most recent call last):
> >       File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 874, in top_new_client
> >         client = self.do_handshake(startsock, address)
> >       File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 786, in do_handshake
> >         keyfile=self.key)
> >       File "/usr/lib/python2.7/site-packages/eventlet/green/ssl.py", line 339, in wrap_socket
> >         return GreenSSLSocket(sock, *a, **kw)
> >       File "/usr/lib/python2.7/site-packages/eventlet/green/ssl.py", line 64, in __init__
> >         ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
> >       File "/usr/lib64/python2.7/ssl.py", line 141, in __init__
> >         ciphers)
> >     SSLError: [Errno 336265225] _ssl.c:351: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
> >
> >I assume that I have to set the "nova.conf" options "cert" and "key" 
> >([DEFAULT] section) on the controller node but I couldn't figure out
> >the right setup.
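
Added example, not part of the original messages and not nova code: the trace above fails inside SSL_CTX_use_PrivateKey_file, and the same OpenSSL load can be reproduced outside nova-serialproxy with Python's ssl module against the files named by ssl_cert_file, ssl_key_file and ssl_ca_file. The helper name check_tls_files and the rule that a key accessible by group or other counts as a finding are assumptions of this example, not nova requirements.

```python
#!/usr/bin/env python3
"""Pre-flight check for the TLS files a service is configured to load."""
import os
import ssl
import stat
import sys


def check_tls_files(cert_file, key_file, ca_file=None):
    """Return a list of findings; an empty list means OpenSSL loaded the files.

    check_tls_files is a hypothetical helper written for this example.
    """
    findings = []
    for label, path in (("cert", cert_file), ("key", key_file), ("ca", ca_file)):
        if path is None:
            continue
        if not os.path.isfile(path):
            findings.append(f"{label}: {path} does not exist")
        elif not os.access(path, os.R_OK):
            # Evaluated for the user running this script.
            findings.append(f"{label}: {path} is not readable by this user")
    if findings:
        return findings

    # Assumption of this example: a private key open to group/other is a finding.
    if stat.S_IMODE(os.stat(key_file).st_mode) & 0o077:
        findings.append(f"key: {key_file} is accessible by group or other")

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # Loads the certificate chain, then the private key, then checks that
        # the key matches the certificate (the step that fails in the trace).
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    except ssl.SSLError as exc:
        findings.append(f"cert/key: OpenSSL rejected the pair: {exc}")
    if ca_file is not None:
        try:
            ctx.load_verify_locations(cafile=ca_file)
        except ssl.SSLError as exc:
            findings.append(f"ca: OpenSSL rejected {ca_file}: {exc}")
    return findings


if __name__ == "__main__":
    # Usage: check_tls.py CERT KEY [CA]
    results = check_tls_files(*sys.argv[1:4])
    print("\n".join(results) or "OK: certificate, key and CA loaded")
    sys.exit(1 if results else 0)
```

Running it as the account the proxy service runs under makes the readability check reflect that user's access.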
