Deploy server CA certificate for smart-proxy rather than default #396
Let's start with the basics. The Katello installation scenario allows for supplying custom certificates (ones not created by the default CA) from the user so that the public-facing sites present a certificate from the user's CA provider. The primary location for these to get deployed is Apache, but we also deploy them to the smart-proxy.
For the entire lifecycle, at least from looking back at code, of the custom certificates feature (~7-8 years), we have been deploying the user's custom certificate and private key for the smart-proxy service to use but have been deploying the default CA instead of the CA that signed the server certificates. I think this is generally speaking an incorrect behavior - and things have managed to just work for years now.
As soon as we try to correct this, we will notice certain client-based workflows will not work anymore. For example, if a Katello client signed by the default CA presents its certificates to the smart-proxy for remote execution and REX uses the smart-proxy CA to verify them, it will now fail.
This plays a role in how we think about deploying something new like mosquitto (see theforeman/puppet-foreman_proxy#726) where if we want to re-use the hostname certificates we also need a combined CA certificate so that clients connecting with Katello certificates can do so.
This change opts to deploy both CA certificates as a chain file.
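The failure mode and the fix described above, as an added illustration that is not part of this PR's code: a client certificate issued by the default CA is rejected when the proxy trusts only the custom server CA, and accepted once the trusted ca_file is a chain file holding both CAs. CA names, keys and the client hostname are constructed for the example.

```ruby
require 'openssl'
require 'tempfile'

# Build a certificate and key. Without an issuer it is a self-signed CA;
# with one it is an end-entity certificate signed by that CA.
# All names and keys are constructed for this example.
def make_cert(cn, issuer = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[:cert] : cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign', true)) unless issuer
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  { cert: cert, key: key }
end

# Write the given CA certs as one concatenated PEM file (the chain-file
# layout) and verify a peer certificate against it, the way a service
# loading a ca_file setting would.
def verify_with_ca_file(peer_cert, ca_certs)
  Tempfile.create('ca_chain.pem') do |f|
    f.write(ca_certs.map(&:to_pem).join)
    f.flush
    store = OpenSSL::X509::Store.new
    store.add_file(f.path)
    store.verify(peer_cert)
  end
end

DEFAULT_CA = make_cert('Default Katello CA')   # issues the client certs
SERVER_CA  = make_cert('Custom Server CA')     # issued the proxy's server cert
CLIENT     = make_cert('client.example.com', DEFAULT_CA)

# Proxy trusts only the server CA: the default-CA client is rejected.
def client_accepted_with_server_ca_only
  verify_with_ca_file(CLIENT[:cert], [SERVER_CA[:cert]])
end

# Proxy trusts a chain file with both CAs: the same client is accepted.
def client_accepted_with_chain_file
  verify_with_ca_file(CLIENT[:cert], [SERVER_CA[:cert], DEFAULT_CA[:cert]])
end
```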