Revision 25cb897a
Added by Ivan Necas over 8 years ago
manifests/reverse_proxy.pp | ||
---|---|---|
ssl_proxyengine => true,
|
||
ssl_cert => $certs::apache::apache_cert,
|
||
ssl_key => $certs::apache::apache_key,
|
||
ssl_ca => $certs::katello_server_ca_cert,
|
||
ssl_ca => $certs::ca_cert,
|
||
ssl_verify_client => 'optional',
|
||
ssl_verify_depth => 10,
|
||
request_headers => ['set X_RHSM_SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"'],
|
||
... | ... | |
},
|
||
],
|
||
custom_fragment => "
|
||
SSLProxyCACertificateFile ${::certs::katello_server_ca_cert}
|
||
SSLProxyCACertificateFile ${::certs::ca_cert}
|
||
SSLProxyMachineCertificateFile ${certs::foreman_proxy::foreman_proxy_ssl_client_bundle}
|
||
",
|
||
}
|
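Review bot: In the `custom_fragment`, `SSLProxyCACertificateFile` is the trust anchor Apache uses to verify the upstream server's certificate, not client certificates, so switching it to `${::certs::ca_cert}` goes beyond what the commit title describes; it should be confirmed that the default CA is the one that signs the backend's certificate. The visible fragment sets no `SSLProxyVerify`, whose Apache default is `none`, so unless it is set in the part of the resource outside this view the CA file is not enforced; consider adding `SSLProxyVerify require` next to it. On the client side, `ssl_verify_client => 'optional'` with `ssl_ca => $certs::ca_cert` presumably means any certificate chaining to the default CA passes the TLS check, so a comment such as `# TLS only proves the cert chains to the default CA; authorization is left to the backend via X_RHSM_SSL_CLIENT_CERT` would make the trust boundary explicit. The enclosing resource declaration starts before the first visible line, so these points rest only on the attributes shown.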
Fixes #11660 - use default CA for client certificates verification
The katello_server_ca_cert is not meant to verify client certificates (although
it seems to work with all-in-one certificates).