diff --git a/.zuul.yaml b/.zuul.yaml
index d58b64586650..6f374beb6335 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -134,7 +134,8 @@
       Pike, the service user token functionality was added. This job is also
       unique in that it runs the post_test_hook from the nova repo, which runs
       post-test scripts to ensure those scripts are still working,
-      e.g. archive_deleted_rows.
+      e.g. archive_deleted_rows. In Queens, this job started testing the
+      TLS console proxy code in the libvirt driver.
     # TODO(mriedem): Make this voting once bug 1747511 is fixed.
     voting: false
     run: playbooks/legacy/nova-next/run.yaml
diff --git a/playbooks/legacy/nova-next/run.yaml b/playbooks/legacy/nova-next/run.yaml
index de5f1d4c061d..9d3f6a788246 100644
--- a/playbooks/legacy/nova-next/run.yaml
+++ b/playbooks/legacy/nova-next/run.yaml
@@ -26,12 +26,16 @@
     - shell:
         # TODO(mriedem): Consider setting USE_PYTHON3=True here to make this
         # job run under python 3.5 which is a "next" type thing.
+
+        # Enable TLS between the noVNC proxy & compute nodes; this requires
+        # the tls-proxy service to be enabled.
         cmd: |
           set -e
           set -x
           cat << 'EOF' >>"/tmp/dg-local.conf"
           [[local|localrc]]
           NOVA_USE_SERVICE_TOKEN=True
+          NOVA_CONSOLE_PROXY_COMPUTE_TLS=True
 
           EOF
         executable: /bin/bash
@@ -42,6 +46,8 @@
         cmd: |
           set -e
           set -x
+          # tls-proxy is needed to initialize the CA and cert.
+          export ENABLED_SERVICES=tls-proxy
           export PYTHONUNBUFFERED=true
           # Yes we want to run Tempest.
           export DEVSTACK_GATE_TEMPEST=1