This is coming over and over again, I suggest to put this text somewhere at the bottom of the VNC page:

The console will work only if this site is secure (https with green lock). Make sure you are connecting to the fully qualified domain name that matches the Common Name from the certificate (IP address or short DNS name will not work properly unless certificate is regenerated). The Foreman webserver needs to have ports 5900-5930 opened and direct access to the hypervisor. Spice only works via unsecure channel, enable network.websocket.allowInsecureFromHTTPS in Firefox or allow-running-insecure-content in Chrome. Only libvirt/oVirt/RHEV VMs with enabled VNC or Spice options will work.

Probably as some tiny text or some expandable pane. Taken from https://access.redhat.com/solutions/2844021