Fixes #36755 - Send full certificate chain to clients

jpasqualetto · jpasqualetto · commit 35f97bb73d3d · 2023-09-20T10:15:56.000-04:00
Add option SSLExtraChainCert to the Webrick webserver, so the full
certificate chain is sent to clients during the SSL handkshake.
diff --git a/lib/launcher.rb b/lib/launcher.rb
@@ -38,6 +38,14 @@ def https_plugins
       plugins.select { |p| p[:https_enabled] }.map { |p| p[:class] }
     end
 
+    # Imitate OpenSSL::X509::Certificate.load_file for openssl < 3.0.0
+    def load_fullchain(bundle_pem)
+      File.read(bundle_pem)
+          .lines
+          .slice_after(/END CERTIFICATE/)
+          .map { |pem| OpenSSL::X509::Certificate.new(pem.join) }
+    end
+
     def http_app(http_port, plugins = http_plugins)
       return nil unless http_enabled?
       app = Rack::Builder.new do
@@ -62,6 +70,10 @@ def https_app(https_port, plugins = https_plugins)
         logger.error "Unable to read #{settings.ssl_ca_file}. Are the values correct in settings.yml and do permissions allow reading?"
       end
 
+      unless File.readable?(settings.foreman_ssl_ca)
+        logger.error "Unable to read #{settings.foreman_ssl_ca}. Are the values correct in settings.yml and do permissions allow reading?"
+      end
+
       app = Rack::Builder.new do
         plugins.each { |p| instance_eval(p.https_rackup) }
       end
@@ -95,6 +107,7 @@ def https_app(https_port, plugins = https_plugins)
         :SSLVerifyClient => OpenSSL::SSL::VERIFY_PEER,
         :SSLPrivateKey => load_ssl_private_key(settings.ssl_private_key),
         :SSLCertificate => load_ssl_certificate(settings.ssl_certificate),
+        :SSLExtraChainCert => load_fullchain(settings.foreman_ssl_ca),
         :SSLCACertificateFile => settings.ssl_ca_file,
         :SSLOptions => ssl_options,
         :SSLCiphers => CIPHERS - Proxy::SETTINGS.ssl_disabled_ciphers,
