lp:~lathiat/charm-helpers/lp1484489-ssl-certificate-chain

Created by Trent Lloyd and last modified
Get this branch:
bzr branch lp:~lathiat/charm-helpers/lp1484489-ssl-certificate-chain

Branch information

Owner: Trent Lloyd
Project: Charm Helpers
Status: Merged

Recent revisions

652. By Trent Lloyd

Configure apache2 to handle SSL certificates with chained intermediate roots

Publicly issued SSL certificates are in recent years generally issued from an
intermediate root certificate, creating a trust chain from the server
certificate through the intermediate root up to the ultimately trusted root CA
certificate in the system SSL store. Most clients (including Firefox, wget and
many Python SSL libraries) require the server to send the full SSL certificate
chain to the client to correctly validate this arrangement (notably, Google
Chrome does not. Beware of that if testing this yourself).

apache2 >= 2.4.8 (xenial+) already handles this allowing you to simply
concatenate all 3 certificates in order (from leaf to root) into the
SSLCertificateFile and it automatically handles sending this full chain to the
client.

apache2 <= 2.4.7 (trusty-) requires this to be configured separately with the
SSLCertificateChainFile directive, refer to the upstream documentation:
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile

We configure the SSLCertificateChainFile to use the same certificate file as
SSLCertificateFile. This works well, allowing the same configuration of simply
concatenating all 3 certificates to be used on any version. The presence of the
server certificate in the chain file does not appear to cause any problems.

Because we re-use the existing certificate file, no code changes are required
in charms to support this.

Closes-Bug: 1484489
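
An added example, not code from this branch or from charm-helpers: a small audit that flags Apache SSL vhosts which, on apache2 older than 2.4.8, have no SSLCertificateChainFile and so would not send the intermediates described in revision 652. The sample configuration, its paths and the function names are constructed for illustration; the check is a heuristic, since it cannot tell whether a given certificate actually needs intermediates.

```python
import re

# Version threshold and directive names are taken from the commit message
# above; the regexes, function names and sample config are assumptions.
CHAIN_IN_CERTFILE_SINCE = (2, 4, 8)

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

# Constructed sample: one vhost without a chain file, one that points the
# chain file at the same bundle as SSLCertificateFile (the commit's approach).
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/demo/cert_bundle.pem
    SSLCertificateKeyFile /etc/apache2/ssl/demo/key.pem
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/demo/cert_bundle.pem
    SSLCertificateChainFile /etc/apache2/ssl/demo/cert_bundle.pem
    SSLCertificateKeyFile /etc/apache2/ssl/demo/key.pem
</VirtualHost>
"""


def directive(body, name):
    """Return the first argument of an uncommented directive, or None."""
    m = re.search(r"^[ \t]*%s[ \t]+(\S+)" % re.escape(name), body, re.M | re.I)
    return m.group(1).strip('"') if m else None


def audit_vhosts(conf_text, apache_version):
    """Return (vhost address, problem) pairs for vhosts missing a chain file."""
    findings = []
    for addr, body in VHOST_RE.findall(conf_text):
        cert = directive(body, "SSLCertificateFile")
        if cert is None:
            continue  # not an SSL vhost
        chain = directive(body, "SSLCertificateChainFile")
        # Before 2.4.8 the chain must be configured separately, even when
        # the intermediates are already concatenated into the cert file.
        if chain is None and apache_version < CHAIN_IN_CERTFILE_SINCE:
            findings.append((addr.strip(),
                             "no SSLCertificateChainFile for %s" % cert))
    return findings


if __name__ == "__main__":
    for finding in audit_vhosts(SAMPLE_CONF, (2, 4, 7)):
        print(finding)
```
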

651. By Liam Young

[gabor.meszaros, r=ivoks, r=gnuoy] Configure Apache SSL termination on a load balancer

650. By David Ames

[gnuoy, thedac] Quote service to examine as it might contain whitespace in systemd land

649. By Ryan Beisner

Add helper for creation of flavors by amulet tests.

648. By Liam Young

[gnuoy, r=james-page] Allow the module cached version of os_release to be bypassed. Useful when doing a charm upgrade and the os_release has changed since the module was imported

647. By Ryan Beisner

[coreycb, r=1chb1n] Enable stable/newton and master (ocata) DFS branches

Also fix minor unrelated lint in-line.

646. By James Page

Add lxd to use_source list

645. By James Page

Use public-address in OpenStack Amulet keystone address helper

'private-address' is not always present, even after a deployment is completely settled.

Here is a dump of all keys from sentry.info:

DEBUG:amulet-logger:['machine', 'open-ports', 'public-address', 'service', 'workload-status', 'agent-status', 'unit_name', 'agent-state', 'unit', 'agent-version']

Given that sentry.info is just a copy of the juju status yaml data, when juju status has no private-address to report, it is also not present.

More detail and an example at:

http://pastebin.ubuntu.com/23277010/

644. By James Page

Add percona-cluster charm to list of use_source charms

643. By James Page

Re-instate previous revert; it's OK when tests don't race

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:charm-helpers