Bug #36755
foreman-proxy does not send full certificate chain
Description
Description of problem:
When establishing an SSL connection against foreman-proxy configured with custom certs which use a bundle with root + intermediate certificates, the full certificate chain is not presented to the client.
This requires that the client establishing the connection trust all the intermediate CAs of the bundle for it to work. If the full certificate chain is present, the client only needs to trust the ROOT CA for the connection to be verified.
This is important for customers using custom certs and doing registration through capsules, since a registration command goes to port 9090.
Apache, for example, does offer the full certificate chain.
Version-Release number of selected component (if applicable):
How reproducible:
Always
Steps to Reproduce:
1. Configure your Satellite/Capsule to use custom certs and provide a bundle with more than one certificate
2. Try establishing a connection to the foreman-proxy and check the certificates sent by the server:
~~
echo |openssl s_client -connect $(hostname -f):9090 -showcerts 2> /dev/null |awk -v cmd='openssl x509 -noout -subject ' ' /BEGIN/{close(cmd)};{print | cmd}' 2> /dev/null
~~
You will see only the Server certificate
Actual results:
Only server certificate (no CA chain)
Expected results:
Full certificate chain present
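As an added example (not part of the original report or of foreman-proxy), the shell function below turns the check from the reproduction steps into a pass/fail result: it parses the `Certificate chain` section of `openssl s_client -showcerts` output and reports whether the certificates the server sent link up to a given root. The host and CA names in the samples are constructed, and the root subject passed as the argument is an assumption the caller supplies.

```sh
# Added example: read `openssl s_client -showcerts` output on stdin and report
# whether the presented chain links up to the trusted root.
# $1 = root CA subject exactly as s_client prints it (assumption: caller knows it).
# Prints "complete N", "incomplete N" or "no-certificates 0" (N = certs sent).
chain_status() {
    awk -v root="$1" '
        BEGIN { n = 0 }
        /^Certificate chain/  { in_chain = 1; next }
        /^Server certificate/ { in_chain = 0 }
        # " 0 s:<subject>" opens entry n; the "   i:<issuer>" line follows it.
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        in_chain && n > 0 && /^ +i:/ { sub(/^ +i:/, ""); iss[n - 1] = $0; next }
        END {
            if (n == 0) { print "no-certificates 0"; exit }
            ok = 1
            # Every certificate must be issued by the next one the server sent...
            for (k = 0; k < n - 1; k++) if (iss[k] != subj[k + 1]) ok = 0
            # ...and the last one must be issued by (or be) the trusted root.
            if (iss[n - 1] != root) ok = 0
            status = ok ? "complete" : "incomplete"
            print status, n
        }'
}

# Constructed s_client output: the server sends only its own certificate.
sample_leaf_only() { cat <<'EOF'
Certificate chain
 0 s:CN = capsule.example.com
   i:CN = Example Intermediate CA
---
Server certificate
EOF
}

# Constructed s_client output: the server sends leaf plus intermediate.
sample_full_chain() { cat <<'EOF'
Certificate chain
 0 s:CN = capsule.example.com
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
Server certificate
EOF
}

ROOT='CN = Example Root CA'   # constructed root subject
sample_leaf_only  | chain_status "$ROOT"
sample_full_chain | chain_status "$ROOT"
```

Against a live proxy, pipe the `openssl s_client ... -showcerts` part of the command from step 2 (without the `awk` stage) into `chain_status` with your root CA's subject.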
Updated by The Foreman Bot 3 months ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/smart-proxy/pull/874 added