Feature #37253

open

katello-certs-check and foreman-installer --scenario katello should support not using chain

Added by Rune Philosof about 2 months ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

`katello-certs-check` and `foreman-installer --scenario katello` should support not using a chain certificate file.
Apache Httpd supports putting the chain in the same file as the leaf certificate. Supplying a chain file was even deprecated years ago.

`foreman-installer --scenario katello --certs-server-cert "/etc/pki/tls/certs/my_cert.pem" --certs-server-key /etc/pki/tls/private/my_key.pem` will run `katello-certs-check`.
`katello-certs-check` will complain about missing `-b CA_BUNDLE_FILE`.

https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatefile

The files may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes SSLCertificateChainFile. When running with OpenSSL 1.0.2 or later, this allows to configure the intermediate CA chain on a per-certificate basis.

Furthermore, https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile marks SSLCertificateChainFile as deprecated.
Similar: https://projects.theforeman.org/issues/29279 - Drop use of SSLCertificateChainFile
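
The mod_ssl text quoted above requires a combined file to be ordered from leaf to root. The following added example (not part of this issue and not code from `katello-certs-check`) counts the certificates in a PEM file and checks that each one's issuer name matches the next one's subject name. It compares names only and verifies no signatures; the host and CA names are constructed sample values.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER of the issuer and subject Names of one X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)    # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)  # tbsCertificate SEQUENCE
    fields = []
    while len(fields) < 5:          # serial, sigAlg, issuer, validity, subject
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:             # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_combined(pem):
    """Count certificates in a PEM file; test issuer/subject order leaf to root."""
    names = [issuer_and_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem)]
    chained = all(names[i][0] == names[i + 1][1] for i in range(len(names) - 1))
    return {"certs": len(names), "has_intermediates": len(names) > 1, "leaf_to_root": chained}

def _tlv(tag, body):  # sample-building helper: short-form lengths only
    return bytes([tag, len(body)]) + body

def _name(cn):
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))  # commonName
    return _tlv(0x30, _tlv(0x31, atv))

def _fake_cert_pem(subject, issuer):  # constructed, unsigned skeleton (not a valid cert)
    tbs = [_tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, b"\x01"), _tlv(0x30, b""),
           _name(issuer), _tlv(0x30, b""), _name(subject)]
    der = _tlv(0x30, _tlv(0x30, b"".join(tbs)))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

LEAF = _fake_cert_pem("foreman.example.com", "Example Intermediate CA")
INTERMEDIATE = _fake_cert_pem("Example Intermediate CA", "Example Root CA")

if __name__ == "__main__":
    for pem in (LEAF + INTERMEDIATE, INTERMEDIATE + LEAF, LEAF):
        print(check_combined(pem))
```

On a real file, pass the bytes read from the path given to `--certs-server-cert` to `check_combined`.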
