Merge lp:~lathiat/charm-helpers/lp1484489-ssl-certificate-chain into lp:charm-helpers

Proposed by Trent Lloyd
Status: Merged
Merged at revision: 653
Proposed branch: lp:~lathiat/charm-helpers/lp1484489-ssl-certificate-chain
Merge into: lp:charm-helpers
Diff against target: 11 lines (+1/-0)
1 file modified
charmhelpers/contrib/openstack/templates/openstack_https_frontend (+1/-0)
To merge this branch: bzr merge lp:~lathiat/charm-helpers/lp1484489-ssl-certificate-chain
Reviewer Review Type Date Requested Status
Jorge Niedbalski (community) Approve
Review via email: mp+309815@code.launchpad.net

Description of the change

Configure apache2 to handle SSL certificates with chained intermediate roots

Publicly issued SSL certificates are in recent years generally issued from an intermediate root certificate, creating a trust chain from the server certificate through the intermediate root up to the ultimately trusted root CA certificate in the system SSL store. Most clients (including Firefox, wget and many Python SSL libraries) require the server to send the full SSL certificate chain to the client to correctly validate this arrangement (notably, Google Chrome does not; beware of that if testing this yourself).

apache2 >= 2.4.8 (xenial+) already handles this, allowing you to simply concatenate all 3 certificates in order (from leaf to root) into the SSLCertificateFile; it automatically handles sending this full chain to the client.

apache2 <= 2.4.7 (trusty-) requires this to be configured separately with the SSLCertificateChainFile directive, refer to the upstream documentation: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile

We configure the SSLCertificateChainFile to use the same certificate file as SSLCertificateFile. This works well, allowing the same configuration of simply concatenating all 3 certificates to be used on any version.

The presence of the server certificate in the chain file does not appear to cause any problems. Because we re-use the existing certificate file, no code changes are required in charms to support this.
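The description relies on cert_{{ endpoint }} holding the chain in leaf-to-root order; with the file in the wrong order, apache2 <= 2.4.7 sends a chain the client cannot walk. The following is an added example, not code from charm-helpers or from this merge proposal: it splits a concatenated PEM bundle, pulls the issuer and subject out of each certificate's TBSCertificate with a minimal DER walk, and reports any link where the issuer does not match the next certificate's subject. The three certificates it is run against are constructed stand-ins with a valid TBSCertificate layout but no real key or signature (the names and dates are invented); the same checker works on real PEM bundles because it only reads the fields before subjectPublicKeyInfo.

```python
"""Check that a concatenated PEM bundle is ordered leaf -> intermediate -> root."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Parse one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def subject_and_issuer(der):
    """Return (subject_der, issuer_der) from an X.509 certificate's TBSCertificate."""
    tag, cert, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, tbs, _ = _read_tlv(cert, 0)        # tbsCertificate SEQUENCE
    assert tag == 0x30, "tbsCertificate missing"
    tag, _, pos = _read_tlv(tbs, 0)         # version [0] EXPLICIT (optional) or serialNumber
    if tag == 0xA0:
        tag, _, pos = _read_tlv(tbs, pos)   # serialNumber
    tag, _, pos = _read_tlv(tbs, pos)       # signature AlgorithmIdentifier
    start = pos
    tag, _, pos = _read_tlv(tbs, pos)       # issuer Name (raw DER kept for comparison)
    issuer = tbs[start:pos]
    tag, _, pos = _read_tlv(tbs, pos)       # validity
    start = pos
    tag, _, pos = _read_tlv(tbs, pos)       # subject Name
    subject = tbs[start:pos]
    return subject, issuer


def load_bundle(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]


def chain_problems(pem_text):
    """Return a list of problems; an empty list means each certificate is issued by
    the next one and the bundle ends in a self-signed root, i.e. leaf-to-root order."""
    certs = [subject_and_issuer(d) for d in load_bundle(pem_text)]
    if not certs:
        return ["no certificates found"]
    problems = []
    for i in range(len(certs) - 1):
        _, issuer = certs[i]
        next_subject, _ = certs[i + 1]
        if issuer != next_subject:
            problems.append(f"cert {i} issuer does not match cert {i + 1} subject")
    last_subject, last_issuer = certs[-1]
    if last_subject != last_issuer:
        problems.append("last certificate is not self-signed (root missing?)")
    return problems


# --- constructed stand-in certificates (hypothetical names, not real certs) ---

def _der(tag, content):
    """Minimal DER encoder, sufficient for the sizes used here (< 65536 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }."""
    attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, attr))


def fake_cert_pem(subject_cn, issuer_cn):
    """Unsigned stand-in with a real TBSCertificate field order; not a usable certificate."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02")) +                    # version v3
               _der(0x02, b"\x01") +                                # serialNumber
               _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
                    + _der(0x05, b"")) +                            # sha256WithRSAEncryption
               _name(issuer_cn) +                                   # issuer
               _der(0x30, _der(0x17, b"161102055928Z")
                    + _der(0x17, b"261102055928Z")) +               # validity (invented)
               _name(subject_cn) +                                  # subject
               _der(0x30, b""))                                     # subjectPublicKeyInfo placeholder
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))  # empty algid + signature
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = fake_cert_pem("keystone.example.com", "Example Intermediate CA")
INTERMEDIATE = fake_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert_pem("Example Root CA", "Example Root CA")
GOOD_BUNDLE = LEAF + INTERMEDIATE + ROOT          # leaf -> intermediate -> root
BAD_BUNDLE = ROOT + INTERMEDIATE + LEAF           # reversed, as a mis-built file would be
LEAF_ONLY = LEAF                                  # what the charm shipped before this change

if __name__ == "__main__":
    for label, bundle in [("good", GOOD_BUNDLE), ("reversed", BAD_BUNDLE), ("leaf only", LEAF_ONLY)]:
        print(label, chain_problems(bundle) or "ok")
```

Run it against the real file with `chain_problems(open("/etc/apache2/ssl/<namespace>/cert_<endpoint>").read())`; an empty list means the file can serve as both SSLCertificateFile and SSLCertificateChainFile as the template intends. The checker deliberately compares raw Name DER rather than decoded strings, which is also how a TLS client matches issuer to subject when walking the chain.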

Revision history for this message
Jorge Niedbalski (niedbalski) wrote :

Hello Trent,

In the description you mention that this new config declaration only works on <= Trusty; in Xenial the SSLCertificateChainFile option has been deprecated [0].

Do you know if the config parser will fail in >= Xenial if the option is present? If that's the case, it might be required to split the template or add a conditional to check the series.

[0] https://httpd.apache.org/docs/current/mod/mod_ssl.html#page-header

review: Needs Information
Revision history for this message
Trent Lloyd (lathiat) wrote :

It works fine in Xenial at least (no error or warning). It may be removed in some future major release, but there doesn't seem to be a note about specifically when in the docs.

Revision history for this message
Jorge Niedbalski (niedbalski) wrote :

LGTM +1

review: Approve

Preview Diff

1=== modified file 'charmhelpers/contrib/openstack/templates/openstack_https_frontend'
2--- charmhelpers/contrib/openstack/templates/openstack_https_frontend 2016-10-10 14:57:46 +0000
3+++ charmhelpers/contrib/openstack/templates/openstack_https_frontend 2016-11-02 05:59:28 +0000
4@@ -9,6 +9,7 @@
5 SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
6 SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM
7 SSLCertificateFile /etc/apache2/ssl/{{ namespace }}/cert_{{ endpoint }}
8+ SSLCertificateChainFile /etc/apache2/ssl/{{ namespace }}/cert_{{ endpoint }}
9 SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key_{{ endpoint }}
10 ProxyPass / http://localhost:{{ int }}/
11 ProxyPassReverse / http://localhost:{{ int }}/
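Review bot: the added SSLCertificateChainFile line carries no comment explaining why it points at the same file as SSLCertificateFile, so a later reader of the template is likely to drop it as a duplicate. Add a comment line above it stating that cert_{{ endpoint }} is expected to hold the full chain in leaf-to-root order, that the directive is what makes apache2 <= 2.4.7 (trusty) send the intermediates, and that on 2.4.8+ it is tolerated but deprecated; that justification currently lives only in the merge description and not in the file that gets rendered onto every unit.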
