Bug #23023

Support for ssl_chain in tls configurations for custom certificates

Added by Daniel Kimsey about 4 years ago. Updated over 3 years ago.


There is no way at this time to pass a custom certificate chain file to the foreman-installer. For certs cut from an intermediate CA, it's not possible for the client to be able to establish a trust chain. I had to modify our CA cert to include the chain in it so boxes that install katello-rhsm-consumer will work, but that doesn't work for clients that are accessing the API, for instance.

I suspect this would require updates to:
- foreman_proxy_content/manifests/reverse_proxy.pp
- foreman-certs-generate tool
- theforeman/puppet-certs

FWIW: Currently, the CA is provided in the generate tool, but that sets the client auth CA, which is not the same thing as the chain certs. I thought this was going to set the chain, so we've deployed with that setting, which causes some browsers in our infrastructure to try to do TLS client auth, which will not work.

Associated revisions

Revision a641478d
Added by Ewoud Kohl van Wijngaarden over 3 years ago

Fixes #23023 - Set the ssl_chain to the server ca cert

This makes sure the correct SSL chain is sent when using a custom cert.
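
The trust-chain failure described in this issue can be reproduced offline with `openssl`. The script below is an added example, not code from the Foreman or Katello projects; the CA names, the hostname `foreman.example.test` and the helper functions are constructed for illustration. It checks a server certificate issued by an intermediate CA against a client that trusts only the root, first with no chain sent and then with the intermediate supplied as the chain file.

```bash
#!/usr/bin/env bash
# Constructed throwaway PKI: root CA -> intermediate CA -> server certificate.
set -eu

# issue <dir> <name> <CN> <extension file> <issuer name | self>
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  if [ "$5" = self ]; then
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" \
      -extfile "$4" -days 2 -out "$1/$2.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$5.pem" -CAkey "$1/$5.key" \
      -CAcreateserial -extfile "$4" -days 2 -out "$1/$2.pem" 2>/dev/null
  fi
}

# build_pki <dir>: writes root.pem, intermediate.pem and server.pem into <dir>
build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:foreman.example.test\n' > "$1/leaf.ext"
  issue "$1" root "Example Root CA" "$1/ca.ext" self
  issue "$1" intermediate "Example Intermediate CA" "$1/ca.ext" root
  issue "$1" server "foreman.example.test" "$1/leaf.ext" intermediate
}

# chain_verifies <trusted root> <server cert> [chain file the server sends]
# Exit status 0 only if the client can build a path from the cert to the root.
chain_verifies() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_pki "$work"

if chain_verifies "$work/root.pem" "$work/server.pem"; then
  echo "no chain sent: trusted"
else
  echo "no chain sent: verification fails (issuer not found)"
fi
if chain_verifies "$work/root.pem" "$work/server.pem" "$work/intermediate.pem"; then
  echo "intermediate sent as chain: trusted"
fi
```

The `-untrusted` file plays the role of the chain a server sends during the handshake: it helps the client build the path but is never itself a trust anchor, which is why it is a separate setting from the CA used for client authentication.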


#1 Updated by Ewoud Kohl van Wijngaarden about 4 years ago

  • Category set to Installer
  • Project changed from Smart Proxy to Katello

#2 Updated by Justin Sherrill about 4 years ago

  • Legacy Backlogs Release (now unused) set to 114

#3 Updated by Ewoud Kohl van Wijngaarden over 3 years ago

  • Status changed from New to Closed
