authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-05-16 16:38:35 +0300
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-05-17 12:27:00 +0300
commit6bb2d9e5f82c57d708bff1d3c2bfb0c18dcec1d3 (patch)
tree16ec3578751ea9fcc375a3b88f7595ff13273599
parent30bd4f5189087b2cabc2129da512895011cac88f (diff)
TLS-everywhere: Configure CA for apache
This tells Apache which CA certificate was used to sign the certificates it is using. This setting is useful in case we want to enable OCSP stapling or client authentication via TLS. Change-Id: I97a7e5332aea8377c7662ca98beb71ed5e236640
-rw-r--r--puppet/services/apache.yaml6
1 files changed, 6 insertions, 0 deletions
diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml
index f3021060..12ecc7b5 100644
--- a/puppet/services/apache.yaml
+++ b/puppet/services/apache.yaml
@@ -38,6 +38,11 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
conditions:
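Review bot: The description on the new `InternalTLSCAFile` parameter does not say that the value is a filesystem path to a PEM file that must already exist on every node running Apache. The default `/etc/ipa/ca.crt` is presumably only present on hosts enrolled in FreeIPA, and as far as I know mod_ssl fails its configuration check when the CA file it is pointed at is missing or empty, so a deployment that enables internal TLS with another CA would only find out when httpd does not start. I would extend the text to something like `Path to the PEM CA certificate (or bundle) that signed the internal TLS certificates; the file must exist on the node.` The `parameters:` block begins above this hunk.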
@@ -88,6 +93,7 @@ outputs:
- internal_tls_enabled
-
generate_service_certificates: true
+ apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
apache_certificates_specs:
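Review bot: The added `apache::mod::ssl::ssl_ca` key appears to be a module-level mod_ssl setting rather than a per-vhost one, so the CA it names becomes the default trust anchor for every TLS vhost on the node, and that scope is not documented here. On its own it does not turn on client verification, but any vhost that later enables it would accept every certificate issued by that CA unless the vhost also restricts the allowed subjects. A comment above the key, such as `# Server-wide mod_ssl CA file: trust anchor for OCSP stapling and client-cert verification; does not enable client auth by itself.`, would make this clear to whoever enables those features. The enclosing config map starts and ends outside the hunk.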