lp:~lathiat/charm-helpers/lp1484489-ssl-certificate-chain
- Get this branch:
- bzr branch lp:~lathiat/charm-helpers/lp1484489-ssl-certificate-chain
Branch merges
- Jorge Niedbalski (community): Approve
Diff: 11 lines (+1/-0), 1 file modified: charmhelpers/contrib/openstack/templates/openstack_https_frontend (+1/-0)
Branch information
Recent revisions
- 652. By Trent Lloyd
-
Configure apache2 to handle SSL certificates with chained intermediate roots
Publicly issued SSL certificates are in recent years generally issued from an
intermediate root certificate, creating a trust chain from the server
certificate through the intermediate root up to the ultimately trusted root CA
certificate in the system SSL store. Most clients (including firefox, wget and
many python SSL libraries) require the server to send the full SSL certificate
chain to the client to correctly validate this arrangement (notably, Google
Chrome does not. Beware of that if testing this yourself).

apache2 >= 2.4.8 (xenial+) already handles this allowing you to simply
concatenate all 3 certificates in order (from leaf to root) into the
SSLCertificateFile and it automatically handles sending this full chain to the
client.

apache2 <= 2.4.7 (trusty-) requires this to be configured separately with the
SSLCertificateChainFile directive, refer to the upstream documentation:
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile

We configure the SSLCertificateChainFile to use the same certificate file as
SSLCertificateFile. This works well allowing the same configuration of simply
concatenating all 3 certificates be used on any version. The presence of the
server certificate in the chain file does not appear to cause any problems.

Because we re-use the existing certificate file, no code changes are required
in charms to support this.

Closes-Bug: 1484489
- 651. By Liam Young
-
[gabor.meszaros, r=ivoks, r=gnuoy] Configure Apache SSL termination on a load balancer
- 650. By David Ames
-
[gnuoy, thedac Quote service to examine as it might contain whitespace in systemd land
- 648. By Liam Young
-
[gnuoy, r=james-page] Allow the module cached version of os_release to be bypassed. Useful when doing a charm upgrade and the os_release has changed since the module was imported
- 647. By Ryan Beisner
-
[coreycb, r=1chb1n] Enable stable/newton and master (ocata) DFS branches
Also fix minor unrelated lint in-line.
- 645. By James Page
-
Use public-address in OpenStack Amulet keystone address helper
'private-address' is not always present, even after a deployment is completely settled.
Here is a dump of all keys from sentry.info:
DEBUG:amulet-logger: ['machine', 'open-ports', 'public-address', 'service', 'workload-status', 'agent-status', 'unit_name', 'agent-state', 'unit', 'agent-version']
Given that sentry.info is just a copy of the juju status yaml data, when juju status has no private-address to report, it is also not present.
More detail and an example at:
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:charm-helpers
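
An added example (not code from charm-helpers or from the commit): a small Python check that models the behaviour described in the commit message of revision 652, reporting how many certificates after the leaf a vhost would send for a given apache2 version. The paths, the vhost text and the placeholder PEM blocks are constructed, and the version rule is taken from the commit message rather than tested against mod_ssl.

```python
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
CHAIN_FROM_CERTFILE = (2, 4, 8)  # per the commit message: apache2 >= 2.4.8
BUNDLE = "/etc/apache2/ssl/example/cert"  # hypothetical path, not from the charm
KEY = "/etc/apache2/ssl/example/key"      # hypothetical path


def parse_directives(vhost_text):
    """Map lower-cased SSLCertificateFile / SSLCertificateChainFile to their path."""
    found = {}
    for line in vhost_text.splitlines():
        m = re.match(r"(SSLCertificate(?:Chain)?File)\s+(\S+)", line.strip(), re.I)
        if m:  # commented-out lines start with '#' and never match
            found[m.group(1).lower()] = m.group(2).strip('"')
    return found


def chain_certs_sent(apache_version, vhost_text, bundles):
    """Number of certificates sent after the leaf, following the rules in the
    commit message. bundles maps a file path to its PEM text."""
    d = parse_directives(vhost_text)
    cert, chain = d.get("sslcertificatefile"), d.get("sslcertificatechainfile")
    version = tuple(int(p) for p in apache_version.split("."))

    def count(path):
        return bundles.get(path, "").count(PEM_BEGIN)

    sent = 0
    if chain is not None:
        # Same file reused for both directives: the leaf comes first, skip it.
        sent = count(chain) - (1 if chain == cert else 0)
    if cert is not None and version >= CHAIN_FROM_CERTFILE:
        sent = max(sent, count(cert) - 1)
    return max(sent, 0)


def fake_pem(n):
    """Constructed stand-in for n concatenated certificates (not real PEM data)."""
    return "".join(f"{PEM_BEGIN}\nCONSTRUCTED-{i}\n-----END CERTIFICATE-----\n" for i in range(n))


def vhost(with_chain_directive):
    """Constructed vhost, with or without the SSLCertificateChainFile line."""
    chain = f"    SSLCertificateChainFile {BUNDLE}\n" if with_chain_directive else ""
    return (f"<VirtualHost *:443>\n    SSLEngine on\n    SSLCertificateFile {BUNDLE}\n"
            f"{chain}    SSLCertificateKeyFile {KEY}\n</VirtualHost>\n")


if __name__ == "__main__":
    bundles = {BUNDLE: fake_pem(3)}  # leaf, intermediate, root
    for version in ("2.4.7", "2.4.18"):
        for fixed in (False, True):
            print(version, "chain directive:", fixed, "->", chain_certs_sent(version, vhost(fixed), bundles))
```

A result of 0 for a bundle that holds more than one certificate is the case the commit addresses: the file carries the chain, but the server would present only the leaf.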