TLS-everywhere: Configure CA for apache

This tells apache which CA certificate was used to sign the certs it's
using. This setting is useful in case we want to enable OCSP stapling or
client authentication via TLS.

Change-Id: I97a7e5332aea8377c7662ca98beb71ed5e236640
Juan Antonio Osorio Robles 2017-05-16 16:38:35 +03:00
parent 30bd4f5189
commit 6bb2d9e5f8
1 changed files with 6 additions and 0 deletions

@ -38,6 +38,11 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
conditions:
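Review bot: The description of the new InternalTLSCAFile parameter does not say that the value is a path to a CA certificate file that must already exist on the node, and the default '/etc/ipa/ca.crt' is only meaningful where something has placed a file under /etc/ipa. Suggest stating both in the description so operators who use a different CA know to override it. Minor style point: the new parameter lists default before type, while EnableInternalTLS directly above it lists type before default.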
@ -88,6 +93,7 @@ outputs:
- internal_tls_enabled
-
generate_service_certificates: true
apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
apache_certificates_specs:
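Review bot: The added apache::mod::ssl::ssl_ca line sets the CA at the mod_ssl class level, so whatever InternalTLSCAFile points to applies to every TLS virtual host on the node, and nothing in this hunk checks that the file is present before it is handed to apache. Since the commit message names client authentication as a use case, a short comment here noting that this line only supplies the CA and does not by itself turn on client certificate verification would prevent misreading. It would also help to note whether an overridden InternalTLSCAFile path is expected to be provisioned before the apache configuration is applied.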