Bug #23023
closed
Support for ssl_chain in tls configurations for custom certificates
Description
There is no way at this time to pass a custom certificate chain file to the foreman-installer. For certs cut from an intermediate CA, it's not possible for the client to be able to establish a trust chain. I had to modify our CA cert to include the chain in it so boxes that install katello-rhsm-consumer will work, but that doesn't work for clients that are accessing the API for instance.
I suspect this would require updates to:
- foreman_proxy_content/manifests/reverse_proxy.pp
- foreman-certs-generate tool
- theforeman/puppet-certs
FWIW: Currently, the CA is provided in the generate tool, but that sets the client auth CA, which is not the same thing as the chain certs. I thought this was going to set the chain, so we've deployed with that setting, which causes some browsers in our infrastructure to try to do TLS client auth, which will not work.
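
The trust-chain failure described in this report can be reproduced offline with `openssl`: a client that trusts only the root cannot validate a server certificate issued by an intermediate unless the intermediate is supplied, either by the server as a chain or inside the client's CA file. This is an added example, not part of the original report or of Foreman's code; the throwaway PKI, file names and function names are constructed for illustration.

```sh
#!/bin/sh
# Constructed throwaway PKI (example names): root CA -> intermediate CA -> server cert.
set -eu

make_pki() {  # make_pki <dir>: writes root/intermediate/server .key and .crt into <dir>
  d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  for n in root intermediate server; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
      -subj "/CN=example $n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  sign() {  # sign <name> <extension section> <issuer options...>
    n=$1; ext=$2; shift 2
    openssl x509 -req -in "$d/$n.csr" -days 1 -extfile "$d/pki.cnf" \
      -extensions "$ext" -out "$d/$n.crt" "$@" 2>/dev/null
  }
  sign root v3_ca -signkey "$d/root.key"
  sign intermediate v3_ca -CA "$d/root.crt" -CAkey "$d/root.key" -set_serial 1
  sign server v3_leaf -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" -set_serial 2
  cat "$d/intermediate.crt" "$d/root.crt" > "$d/bundle.crt"
}

ok() { grep -q ': OK$'; }  # openssl verify prints "<file>: OK" on success

# Client trusts only the root; server presents only its own certificate.
verify_leaf_only()  { openssl verify -CAfile "$1/root.crt" "$1/server.crt" 2>/dev/null | ok; }
# Same client; server also presents the intermediate (what a chain file provides).
verify_with_chain() { openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" "$1/server.crt" 2>/dev/null | ok; }
# Workaround from the report: the client's CA file itself carries the intermediate.
verify_ca_bundle()  { openssl verify -CAfile "$1/bundle.crt" "$1/server.crt" 2>/dev/null | ok; }

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_pki "$work"
for check in verify_leaf_only verify_with_chain verify_ca_bundle; do
  if "$check" "$work"; then echo "$check: trusted"; else echo "$check: chain cannot be built"; fi
done
```

The bundle case only helps clients whose CA file you control, which matches the report's observation that API clients still cannot build the chain.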