Bug #27752
open
Cannot change TLS certificate using 05-foreman-tls.conf
Description
I am trying to change the certificate used by Foreman to my own custom certificate that is signed by our in-house CA. When doing this I stumbled onto something weird. Even though I had changed the file /etc/httpd/conf.d/05-foreman-ssl.conf and restarted httpd, I still got served the default, self-signed certificate. I managed to determine that the certificate file used was /etc/pki/katello/certs/katello-apache.crt, but according to what I could see this was only used by crane on port 5000.
In a last act of desperation I changed the file /etc/httpd/conf.d/03-crane.conf to use my custom certificate, restarted httpd, and lo and behold: connecting to the server on port 443 finally served me the correct certificate!
It turns out that, at least in my environment, Apache does not bother with the virtual environments' ports but actually serves the first configuration it finds, which is 03-crane.conf, since it comes way before 05-foreman-ssl.conf. 3 being smaller than 5 and all...
I was able to verify this by reverting 03-crane.conf back to the original state, which got me back to getting the self-signed certificate on port 443. Then I renamed it to 13-crane.conf, which as expected got me the proper certificate on port 443, now that 05-foreman-ssl.conf was the first file found.
I am running Foreman 1.22.0 and Katello 3.12. Not sure if this has been fixed in 1.22.1. If so, you can close this and I'll wait until it becomes available to CentOS.
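An added diagnostic for the situation this report describes, not code from Foreman, Katello or the reporter: it lists every VirtualHost block in the order a wildcard Include of conf.d/*.conf reads the files (alphabetical), with its address:port and SSLCertificateFile, so the load order can be compared with the certificate actually served. The file contents, the ServerName-free layout and the custom certificate path are constructed samples.

```python
import re

# Constructed sample contents (assumptions, not the reporter's actual files).
SAMPLE_CONFD = {
    "05-foreman-ssl.conf": """
<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile "/etc/pki/custom/foreman.crt"
</VirtualHost>
""",
    "03-crane.conf": """
Listen 5000
<VirtualHost *:5000>
  SSLEngine on
  # SSLCertificateFile "/old/commented-out.crt"
  SSLCertificateFile "/etc/pki/katello/certs/katello-apache.crt"
</VirtualHost>
""",
}

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
CERT = re.compile(r"^\s*SSLCertificateFile\s+\"?([^\"\s]+)\"?", re.I)

def list_vhosts(confd):
    """Return (file, address:port, certificate) tuples in wildcard-include order."""
    found = []
    for name in sorted(confd):  # wildcard includes are expanded alphabetically
        current = None
        for line in confd[name].splitlines():
            if line.lstrip().startswith("#"):
                continue  # ignore commented-out directives
            m = VHOST_OPEN.match(line)
            if m:
                # Only the first address of a multi-address vhost is recorded.
                current = [name, m.group(1).split()[0], None]
            elif current and VHOST_CLOSE.match(line):
                found.append(tuple(current))
                current = None
            elif current and (c := CERT.match(line)):
                current[2] = c.group(1)
    return found

def first_per_port(vhosts):
    """Map each port to the (file, certificate) of the first vhost read for it."""
    first = {}
    for name, addr, cert in vhosts:
        first.setdefault(addr.rsplit(":", 1)[-1], (name, cert))
    return first
```

To run it against a live host, build the dictionary from the real files, for example with pathlib's glob over /etc/httpd/conf.d/*.conf, and compare the output with what `openssl s_client -connect host:443` returns.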