Bug #23023

Support for ssl_chain in tls configurations for custom certificates

Added by Daniel Kimsey over 1 year ago. Updated 8 months ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Installer

Description

There is no way at this time to pass a custom certificate chain file to the foreman-installer. For certs cut from an intermediate CA, it's not possible for the client to be able to establish a trust chain. I had to modify our CA cert to include the chain in it so boxes that install katello-rhsm-consumer will work, but that doesn't work for clients that are accessing the API, for instance.

I suspect this would require updates to:
- foreman_proxy_content/manifests/reverse_proxy.pp
- foreman-certs-generate tool
- theforeman/puppet-certs

FWIW: Currently, the CA is provided in the generate tool, but that sets the client auth CA, which is not the same thing as the chain certs. I thought this was going to set the chain, so we've deployed with that setting, which causes some browsers in our infrastructure to try to do TLS client auth, which will not work.
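
The trust-chain problem described above, reproduced offline as an added example (not part of the original ticket or the Foreman code): a constructed root CA, intermediate CA and server certificate, checked with `openssl verify`. All subject names and file names are made up; the `-untrusted` file stands in for the chain a server sends during the handshake.

```shell
#!/usr/bin/env bash
# Constructed throwaway PKI: root CA -> intermediate CA -> server cert.
# All subject names and file names below are made up for this example.
set -eu

build_pki() {  # $1 = working directory
  cat > "$1/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -config "$1/x.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Example Root CA" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  issue "$1" root int "/CN=Example Intermediate CA" v3_ca
  issue "$1" int server "/CN=foreman.example.test" v3_leaf
  # The workaround from the ticket: intermediate folded into the client's CA file.
  cat "$1/root.pem" "$1/int.pem" > "$1/ca-bundle.pem"
}

issue() {  # $1 dir, $2 issuer name, $3 subject name, $4 subject DN, $5 extension section
  openssl req -new -config "$1/x.cnf" -newkey rsa:2048 -nodes -subj "$4" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
    -extfile "$1/x.cnf" -extensions "$5" -days 2 -out "$1/$3.pem" 2>/dev/null
}

# Succeeds only if the leaf ($2) chains to the trust anchors in $1, optionally
# helped by untrusted certs in $3 (the role of the chain a server sends).
chain_verifies() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
build_pki "$d"
chain_verifies "$d/root.pem" "$d/server.pem" \
  && echo "root only, no chain sent: verified" || echo "root only, no chain sent: FAILED"
chain_verifies "$d/root.pem" "$d/server.pem" "$d/int.pem" \
  && echo "root only, chain sent: verified" || echo "root only, chain sent: FAILED"
chain_verifies "$d/ca-bundle.pem" "$d/server.pem" \
  && echo "intermediate in client CA file: verified" || echo "intermediate in client CA file: FAILED"
```

The third case works only for clients whose CA file was edited, which is why it does not help API clients or browsers that trust just the root.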

Associated revisions

Revision a641478d (diff)
Added by Ewoud Kohl van Wijngaarden 8 months ago

Fixes #23023 - Set the ssl_chain to the server ca cert

This makes sure the correct SSL chain is sent when using a custom cert.

History

#1 Updated by Ewoud Kohl van Wijngaarden over 1 year ago

  • Category set to Installer
  • Project changed from Smart Proxy to Katello

#2 Updated by Justin Sherrill over 1 year ago

  • Legacy Backlogs Release (now unused) set to 114

#3 Updated by Ewoud Kohl van Wijngaarden 8 months ago

  • Status changed from New to Closed
