From 6bb2d9e5f82c57d708bff1d3c2bfb0c18dcec1d3 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Tue, 16 May 2017 16:38:35 +0300
Subject: TLS-everywhere: Configure CA for apache

This tells apache which CA certificate was used to sign the certs it's using. this setting is useful in case we want to enable OCSP stapling or client authentication via TLS.

Change-Id: I97a7e5332aea8377c7662ca98beb71ed5e236640
---
 puppet/services/apache.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'puppet')

diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml
index f3021060..12ecc7b5 100644
--- a/puppet/services/apache.yaml
+++ b/puppet/services/apache.yaml
@@ -38,6 +38,11 @@ parameters:
 EnableInternalTLS:
 type: boolean
 default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
 conditions:
@@ -88,6 +93,7 @@ outputs:
 - internal_tls_enabled
 - generate_service_certificates: true
+ apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
 tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
 tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
 apache_certificates_specs:
--
cgit 1.2.3-korg
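Review bot: The description added for `InternalTLSCAFile` in the first hunk does not say that the value is a filesystem path that has to be present on every node where the apache service is deployed. The default `/etc/ipa/ca.crt` looks like it presumes FreeIPA enrolment, so a deployment that turns on `EnableInternalTLS` with a different CA would have to override it; that is worth stating. I would word it as `description: Path to the PEM CA certificate that signed the internal-network TLS certificates. Must exist on the node; the default assumes FreeIPA enrolment.` The `parameters:` block starts and ends outside the hunk.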
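Review bot: In the second hunk, `apache::mod::ssl::ssl_ca` looks like a class-level mod_ssl setting rather than a per-vhost one, so the CA from `InternalTLSCAFile` would become the trust anchor for every TLS vhost on the node, not only the internal endpoints. If client authentication is enabled later, as the commit message anticipates, any certificate issued by that CA would pass chain verification unless the vhost also restricts the accepted subject, and nothing here records that. I would add a comment above the key, such as `# CA used by mod_ssl for stapling / client-cert verification; applies to all vhosts, restrict subjects when enabling client auth`. The key is set only in the `internal_tls_enabled` branch, and the hiera map continues outside the hunk.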