Feature #37253

closed

katello-certs-check and foreman-installer --scenario katello should support not using chain

Added by Rune Philosof 9 months ago. Updated 6 months ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

`katello-certs-check` and `foreman-installer --scenario katello` should support not using chain certificate file.
Apache Httpd supports putting the chain in the same file as the leaf certificate. Supplying a chain file was even deprecated years ago.

`foreman-installer --scenario katello --certs-server-cert "/etc/pki/tls/certs/my_cert.pem" --certs-server-key /etc/pki/tls/private/my_key.pem` will run `katello-certs-check`.
`katello-certs-check` will complain about missing `-b CA_BUNDLE_FILE`.

https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatefile

> The files may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes SSLCertificateChainFile. When running with OpenSSL 1.0.2 or later, this allows to configure the intermediate CA chain on a per-certificate basis.

Furthermore, https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile marks SSLCertificateChainFile as deprecated.
Similar: https://projects.theforeman.org/issues/29279 - Drop use of SSLCertificateChainFile
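
The Apache documentation quoted above requires a combined file to be sorted from leaf to root. The following is an added example, not part of the original issue and not code from `katello-certs-check`: a shell check that counts the certificates in a PEM file and confirms that ordering by issuer and subject name. All function names are hypothetical, and the demo certificates are constructed throwaway data.

```shell
#!/bin/sh
# Added example; function names are hypothetical, demo certificates are constructed.

# Number of certificates in a PEM file.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# 0 if every certificate's issuer is the next certificate's subject (leaf first,
# toward the root), 1 if the order is wrong, 2 if nothing could be parsed.
# Compares names only; it does not verify signatures or validity dates.
pem_order_ok() {
    dir=$(mktemp -d) || return 2
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (d "/" n ".pem")}' "$1"
    i=1 rc=0 prev_issuer=
    [ -f "$dir/1.pem" ] || rc=2
    while [ -f "$dir/$i.pem" ]; do
        names=$(openssl x509 -in "$dir/$i.pem" -noout -subject -issuer \
            -nameopt RFC2253 2>/dev/null) || { rc=2; break; }
        subject=$(printf '%s\n' "$names" | sed -n 's/^subject= *//p')
        if [ "$i" -gt 1 ] && [ "$subject" != "$prev_issuer" ]; then rc=1; fi
        prev_issuer=$(printf '%s\n' "$names" | sed -n 's/^issuer= *//p')
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# Constructed sample data: issue throwaway certificate NAME with subject CN, signed
# by CA_NAME, in DIR. No CA extensions are set; use only for the ordering check.
demo_issue() {  # demo_issue DIR NAME CN CA_NAME
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -CAcreateserial -days 1 -out "$1/$2.pem" 2>/dev/null
}

# Build root -> intermediate -> leaf in DIR; combined.pem is leaf then intermediate.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root' \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    demo_issue "$1" int 'Demo Intermediate' root &&
    demo_issue "$1" leaf 'foreman.example.test' int &&
    cat "$1/leaf.pem" "$1/int.pem" > "$1/combined.pem"
}

# Usage: sh check.sh /path/to/cert.pem
if [ "$#" -eq 1 ]; then
    echo "certificates: $(pem_cert_count "$1")"
    pem_order_ok "$1" && echo "order: leaf to root" || echo "order: not leaf to root"
fi
```

A count greater than one with a passing order check means the file already carries its intermediates in the form `SSLCertificateFile` accepts.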


Related issues 1 (1 open, 0 closed)

Related to Installer - Bug #29279: Drop use of SSLCertificateChainFile and combine CA certs (New)