Project

General

Profile

Actions

Bug #37029

open

YAML scenario - server_ssl_chain is ignored

Added by Francesco Di Nucci 11 months ago. Updated 8 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
foreman-installer script
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

Hello,
I'm installing Foreman 3.8.0 on AlmaLinux 8.9, using a custom scenario YAML. I'm setting up SSL/TLS, so amongst other options there are the following:

foreman:
  apache: true
  ssl: true
  server_port: 80
  server_ssl_port: 443
  server_ssl_ca: /etc/pki/tls/certs/foreman-ca.pem
  server_ssl_chain: /etc/pki/tls/certs/foreman-ca.pem
  server_ssl_cert: /etc/pki/tls/certs/foreman-cert.pem
  server_ssl_key: /etc/pki/tls/private/foreman-private.key
  server_ssl_crl: /etc/pki/tls/certs/foreman-crl.pem
  server_ssl_verify_client: optional
  client_ssl_ca: /etc/pki/tls/certs/foreman-ca.pem
  client_ssl_cert: /etc/pki/tls/certs/foreman-cert.pem
  client_ssl_key: /etc/pki/tls/private/foreman-private.key
  websockets_encrypt: true
  websockets_ssl_key: /etc/pki/tls/private/foreman-private.key
  websockets_ssl_cert: /etc/pki/tls/certs/foreman-cert.pem

The issue is that although server_ssl_chain is specified, it is not set in /etc/httpd/conf.d/05-foreman-ssl.conf, where it defaults to SSLCertificateChainFile "/etc/puppetlabs/puppet/ssl/certs/ca.pem"

Also, I'm not sure SSLCertificateChainFile should be set at all, because SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file. [See https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile]

Actions

Also available in: Atom PDF