TLS-everywhere: Configure CA for apache

This tells apache which CA certificate was used to sign the certs it's using. this setting is useful in case we want to enable OCSP stapling or client authentication via TLS. Change-Id: I97a7e5332aea8377c7662ca98beb71ed5e236640
author: Juan Antonio Osorio Robles <jaosorior@redhat.com> 2017-05-16 16:38:35 +0300
committer: Juan Antonio Osorio Robles <jaosorior@redhat.com> 2017-05-17 12:27:00 +0300
commit: 6bb2d9e5f82c57d708bff1d3c2bfb0c18dcec1d3 (patch)
tree: 16ec3578751ea9fcc375a3b88f7595ff13273599 /puppet
parent: 30bd4f5189087b2cabc2129da512895011cac88f (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml
index f3021060..12ecc7b5 100644
--- a/puppet/services/apache.yaml
+++ b/puppet/services/apache.yaml
@@ -38,6 +38,11 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
 
 conditions:
 
@@ -88,6 +93,7 @@ outputs:
             - internal_tls_enabled
             -
               generate_service_certificates: true
+              apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
               tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
               tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
               apache_certificates_specs:
author	Juan Antonio Osorio Robles <jaosorior@redhat.com>	2017-05-16 16:38:35 +0300
committer	Juan Antonio Osorio Robles <jaosorior@redhat.com>	2017-05-17 12:27:00 +0300
commit	6bb2d9e5f82c57d708bff1d3c2bfb0c18dcec1d3 (patch)
tree	16ec3578751ea9fcc375a3b88f7595ff13273599 /puppet
parent	30bd4f5189087b2cabc2129da512895011cac88f (diff)