Bug #23023
closedSupport for ssl_chain in tls configurations for custom certificates
Description
There is no way at this time to pass a custom certificate chain file to the foreman-installer. For certs cut from an intermediate CA, it's not possible for the client to be able to establish a trust chain. I had to modify our CA cert to include the chain in it so boxes that install katello-rhsm-consumer will work, but that doesn't work for clients that are accessing the API for instance.
I suspect this would require updates to:
- foreman_proxy_content/manifests/reverse_proxy.pp
- foreman-certs-generate tool
- theforeman/puppet-certs
FWIW: Currently, the CA is provided in the generate tool but that sets the Client auth CA. Which is not the same thing as the Chain certs. I thought this was going to set the chain, so we've deployed with that setting, which causes some browsers in our infrastructure to try to do tls client auth which will not work.
Updated by Ewoud Kohl van Wijngaarden over 6 years ago
- Project changed from Smart Proxy to Katello
- Category set to Installer
Updated by Justin Sherrill over 6 years ago
- Translation missing: en.field_release set to 114
Updated by Ewoud Kohl van Wijngaarden about 6 years ago
- Status changed from New to Closed
Applied in changeset puppet-foreman_proxy_content|a641478d3489de335111e40e1c60373a8cef1ee8.