Fixes #36755 - Send full certificate chain to clients #874
base: develop
@@ -38,6 +38,14 @@ def https_plugins | |||||
| plugins.select { |p| p[:https_enabled] }.map { |p| p[:class] } | ||||||
| end | ||||||
|
|
||||||
| # Imitate OpenSSL::X509::Certificate.load_file for openssl < 3.0.0 | ||||||
| def load_fullchain(bundle_pem) | ||||||
| File.read(bundle_pem) | ||||||
| .lines | ||||||
| .slice_after(/END CERTIFICATE/) | ||||||
| .map { |pem| OpenSSL::X509::Certificate.new(pem.join) } | ||||||
| end | ||||||
|
|
||||||
| def http_app(http_port, plugins = http_plugins) | ||||||
| return nil unless http_enabled? | ||||||
| app = Rack::Builder.new do | ||||||
|
|
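Review bot: `load_fullchain` raises on any bundle that has content after the final `-----END CERTIFICATE-----` line. `slice_after(/END CERTIFICATE/)` turns a trailing blank line or comment into a final slice with no PEM block, and `OpenSSL::X509::Certificate.new(pem.join)` on that slice raises `OpenSSL::X509::CertificateError`, so a cosmetic difference in the file would stop `https_app` from building at start-up. Drop slices that carry no certificate before mapping, e.g. `.select { |pem| pem.grep(/BEGIN CERTIFICATE/).any? }` ahead of the `.map`, and since the comment says this imitates `OpenSSL::X509::Certificate.load_file`, use the real thing where it exists: `return OpenSSL::X509::Certificate.load_file(bundle_pem) if OpenSSL::X509::Certificate.respond_to?(:load_file)`.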
@@ -62,6 +70,10 @@ def https_app(https_port, plugins = https_plugins) | |||||
| logger.error "Unable to read #{settings.ssl_ca_file}. Are the values correct in settings.yml and do permissions allow reading?" | ||||||
| end | ||||||
|
|
||||||
| unless File.readable?(settings.foreman_ssl_ca) | ||||||
|
Member
I just noticed you're using
Author
Hello @ekohl I'm using However, when a deployment uses custom certificates, then So, if we add If we add With all this being said, the check to see if we can read
Member
Sorry, but if that's the case then that's just a bug in how the installer deploys things then. The Looking at the certs we have this bit that deploys it: If Now that I look closer, we already send
Member
I think theforeman/puppet-certs#413 is the actual fix for this bug.
Author
That's true. As the same certificate deployed on Apache (where we got to talk to foreman) is used by foreman-proxy, it also can be used to verify the connection to foreman-proxy.
This is only true for self-signed certificates. For custom certificates, ssl_ca_file does not validate ssl_cert.pem and ssl_key.pem. If I understand your point of view, but I just don't see a simple solution without using Maybe deploy another file to be used as
Not sure why, but This is what a client receives (original code, without my patch): This is what it would look like with my patch: This is what it would look like
Member
@ehelms pointed out we also do both verification of client certs (which is the default CA), so it's one I need to think further about.
Member
Note to self: perhaps we can provide the cert including the full chain in
||||||
| logger.error "Unable to read #{settings.foreman_ssl_ca}. Are the values correct in settings.yml and do permissions allow reading?" | ||||||
| end | ||||||
|
|
||||||
| app = Rack::Builder.new do | ||||||
| plugins.each { |p| instance_eval(p.https_rackup) } | ||||||
| end | ||||||
|
|
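Review bot: the new `unless File.readable?(settings.foreman_ssl_ca)` block only logs and then falls through, and the same path is handed to `load_fullchain` further down in this method, where `File.read` raises a bare `Errno::ENOENT` or `Errno::EACCES` without the guidance in the log message. That mirrors the `ssl_ca_file` block above it, but the two are not equivalent: `ssl_ca_file` is only passed through to WEBrick as `:SSLCACertificateFile`, whereas `load_fullchain` executes here, so either return or raise after logging, or skip the extra chain when the file is unreadable. The thread above also questions whether `foreman_ssl_ca` is the right source for the server certificate's chain at all, so the error message should say which role this file is expected to play rather than repeating the generic `settings.yml` wording.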
@@ -95,6 +107,7 @@ def https_app(https_port, plugins = https_plugins) | |||||
| :SSLVerifyClient => OpenSSL::SSL::VERIFY_PEER, | ||||||
| :SSLPrivateKey => load_ssl_private_key(settings.ssl_private_key), | ||||||
| :SSLCertificate => load_ssl_certificate(settings.ssl_certificate), | ||||||
| :SSLExtraChainCert => load_fullchain(settings.foreman_ssl_ca), | ||||||
|
Member
Suggested change
||||||
| :SSLCACertificateFile => settings.ssl_ca_file, | ||||||
| :SSLOptions => ssl_options, | ||||||
| :SSLCiphers => CIPHERS - Proxy::SETTINGS.ssl_disabled_ciphers, | ||||||
|
|
||||||
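Review bot: `:SSLExtraChainCert => load_fullchain(settings.foreman_ssl_ca)` sends every certificate in the bundle, not the chain of `ssl_certificate`. A CA bundle normally contains the trust anchor itself, which a TLS server should not send because the client must already hold it, and when the bundle is a collection of CAs the extra chain carries certificates that do not chain to the served certificate at all; the thread above describes exactly such custom-certificate deployments, where `ssl_ca_file` does not validate the deployed cert and key. Restrict the array to the issuer path of `load_ssl_certificate(settings.ssl_certificate)` (match `issuer` to `subject`, check the signature, stop at a self-signed certificate), or, as floated in the thread, deploy a dedicated fullchain file for the server certificate and point a separate setting at it instead of reusing `foreman_ssl_ca`, which also backs client-certificate verification.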
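An added example, not code from this PR or from smart-proxy itself, showing what the thread above circles around: a bundle such as the one `foreman_ssl_ca` points at usually contains the trust anchor and may contain CAs unrelated to the server certificate, so the extra chain should be derived from the server certificate's issuer path rather than being the whole file. The PKI, the bundle layout and every name here (`make_cert`, `build_pki`, `load_bundle`, `naive_load_raises?`, `chain_for`, `client_accepts?`, the CNs) are constructed for this example; the bundle is split with a regex over PEM blocks so trailing text does not break parsing, which is where a line-based `slice_after` split raises.

```ruby
require 'openssl'

# Constructed test PKI: root -> intermediate -> leaf, plus an unrelated CA.
# All names, keys and the bundle layout below are made up for this example.
def make_cert(cn, key, serial, issuer: nil, ca: false)
  issuer_cert, issuer_key = issuer || [nil, key] # nil issuer => self-signed
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

def build_pki
  root_key, int_key, leaf_key, other_key = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  root  = make_cert('Example Root CA', root_key, 1, ca: true)
  inter = make_cert('Example Intermediate CA', int_key, 2, issuer: [root, root_key], ca: true)
  leaf  = make_cert('proxy.example.com', leaf_key, 3, issuer: [inter, int_key])
  other = make_cert('Unrelated CA', other_key, 4, ca: true)
  # A CA bundle the way one is often deployed: the root itself, an unrelated
  # CA, comment lines between blocks, and a trailing blank line.
  bundle = <<~PEM
    # Example Root CA
    #{root.to_pem}
    # Unrelated CA
    #{other.to_pem}
    # Example Intermediate CA
    #{inter.to_pem}

  PEM
  { root: root, inter: inter, leaf: leaf, other: other, bundle: bundle }
end

# Pull every PEM certificate block out of a bundle, ignoring anything that is
# not a certificate block (comments, blank lines, text dumps).
def load_bundle(pem_text)
  pem_text.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
          .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Line-based splitting on END CERTIFICATE hands the trailing blank lines to
# Certificate.new as a slice of their own, which raises.
def naive_load_raises?(pem_text)
  pem_text.lines.slice_after(/END CERTIFICATE/).each { |pem| OpenSSL::X509::Certificate.new(pem.join) }
  false
rescue OpenSSL::X509::CertificateError
  true
end

def self_signed?(cert)
  cert.issuer == cert.subject && cert.verify(cert.public_key)
end

# Walk from the server certificate up through its issuers and return only the
# intermediates. The self-signed root is left out: the client must already
# trust it, so sending it is wasted bytes at best.
def chain_for(leaf, candidates, max_depth: 8)
  chain = []
  current = leaf
  max_depth.times do
    break if self_signed?(current)
    issuer = candidates.find { |c| c.subject == current.issuer && current.verify(c.public_key) }
    break if issuer.nil? || self_signed?(issuer)
    chain << issuer
    current = issuer
  end
  chain
end

# What a client does with the served chain: verify the leaf against the root
# it already trusts, using only the extra certificates the server sent.
def client_accepts?(trusted_root, leaf, extra_chain)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_root)
  store.verify(leaf, extra_chain)
end

if __FILE__ == $PROGRAM_NAME
  pki = build_pki
  certs = load_bundle(pki[:bundle])
  chain = chain_for(pki[:leaf], certs)
  puts "bundle holds #{certs.size} certs; extra chain sends #{chain.size}: #{chain.map { |c| c.subject.to_s }}"
  puts "client verifies with served chain: #{client_accepts?(pki[:root], pki[:leaf], chain)}"
end
```

Run directly to print the result. In a WEBrick configuration the array `chain_for` returns is what belongs in `:SSLExtraChainCert`, while `:SSLCACertificateFile` keeps pointing at the bundle used for client-certificate verification; the two roles are distinct even when the same file happens to serve both.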