Merge lp:~lathiat/charm-helpers/lp1484489-ssl-certificate-chain into lp:charm-helpers
Status: Merged
Merged at revision: 653
Proposed branch: lp:~lathiat/charm-helpers/lp1484489-ssl-certificate-chain
Merge into: lp:charm-helpers
Diff against target: 11 lines (+1/-0), 1 file modified: charmhelpers/contrib/openstack/templates/openstack_https_frontend (+1/-0)
To merge this branch: bzr merge lp:~lathiat/charm-helpers/lp1484489-ssl-certificate-chain
Related bugs: (none listed)

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Jorge Niedbalski (community) | Approve | | |

Review via email: mp+309815@code.launchpad.net
Description of the change
Configure apache2 to handle SSL certificates with chained intermediate roots
Publicly issued SSL certificates are in recent years generally issued from an intermediate root certificate, creating a trust chain from the server certificate through the intermediate root up to the ultimately trusted root CA certificate in the system SSL store. Most clients (including firefox, wget and many python SSL libraries) require the server to send the full SSL certificate chain to the client to correctly validate this arrangement (notably, Google Chrome does not. Beware of that if testing this yourself).
apache2 >= 2.4.8 (xenial+) already handles this, allowing you to simply concatenate all 3 certificates in order (from leaf to root) into the SSLCertificateFile; it automatically handles sending this full chain to the client.
apache2 <= 2.4.7 (trusty-) requires this to be configured separately with the SSLCertificateChainFile
We configure the SSLCertificateChainFile
The presence of the server certificate in the chain file does not appear to cause any problems. Because we re-use the existing certificate file, no code changes are required in charms to support this.
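The arrangement described above, written out as an illustrative apache2 vhost fragment. This is an added example, not the charm-helpers openstack_https_frontend template and not the one-line change in this branch; the paths, the ServerName and the name server-bundle.pem are placeholders, and the bundle is assumed to have been built by concatenating the leaf certificate first and the intermediate certificate(s) after it.

```apache
# Added illustrative vhost fragment (not the charm-helpers template itself).
# Paths and ServerName are placeholders.
<VirtualHost *:443>
    ServerName api.example.com
    SSLEngine on

    # server-bundle.pem is assumed to be the concatenation, leaf first, of the
    # server certificate followed by each intermediate CA certificate, e.g.:
    #   cat server.crt intermediate.crt > server-bundle.pem
    # Order matters: clients walk the chain from the first certificate.
    SSLCertificateFile    /etc/apache2/ssl/server-bundle.pem
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # apache2 >= 2.4.8 (xenial+) sends every certificate it finds in
    # SSLCertificateFile, so the directive above is sufficient there.
    # apache2 <= 2.4.7 (trusty-) only loads the first certificate from
    # SSLCertificateFile and needs the intermediates supplied separately.
    # Pointing SSLCertificateChainFile at the same bundle keeps a single file
    # to manage; the leaf certificate also appearing in the chain file is
    # tolerated. From 2.4.8 the directive is documented as obsolete but is
    # still parsed, so one template can serve both series.
    SSLCertificateChainFile /etc/apache2/ssl/server-bundle.pem
</VirtualHost>
```

After reloading, check what the server actually sends rather than trusting a browser: `openssl s_client -connect api.example.com:443 -servername api.example.com -showcerts </dev/null` prints every certificate presented in the handshake, and the chain is complete when the intermediate appears there and the verify result is not "unable to get local issuer certificate". Run `apachectl configtest` first on each series you support to confirm the directive is accepted by that apache2 version.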
Hello Trent,
On the description you mention that this new config declaration only works on <= Trusty; in Xenial the SSLCertificateChainFile option has been deprecated[0].
Do you know if the config parser will fail in >= Xenial if the option is present? If that's the case it might be required to split the template or add a conditional to check the series.
[0] https://httpd.apache.org/docs/current/mod/mod_ssl.html#page-header