Skip to content

Make deploying client bundle certificate optional #458

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Make deploying client bundle certificate optional #458

wants to merge 1 commit into from
+55 −1

Conversation

@ehelms
Copy link
Member

@ehelms ehelms commented Aug 6, 2024

Currently we deploy this certificate in all deployments but it should only be deployed onto a foreman-proxy where reverse proxy is present. It is useless and unused on a Foreman deployment. This keeps the default behaviour by defaulting to 'present' but provides a way to set this to false in puppet-foreman_proxy_content (PR to follow).

@ehelms
Copy link
Member Author

ehelms commented Aug 6, 2024

The puppet-foreman_proxy_content module includes certs::foreman_proxy in multiple locations (https://github.com/search?q=repo%3Atheforeman%2Fpuppet-foreman_proxy_content+certs%3A%3Aforeman_proxy&type=code) which from my early testing makes it difficult to include this change. As I need to switch to using class { 'certs::foreman_proxy:} in order to set this new parameter somewhere and I encounter duplicate class declarations.

@ekohl
Copy link
Member

ekohl commented Aug 8, 2024

Currently we deploy this certificate in all deployments but it should only be deployed onto a foreman-proxy where reverse proxy is present.

That's https://github.com/theforeman/puppet-foreman_proxy_content/blob/master/manifests/reverse_proxy.pp#L54

I always had questions about this. Why is the reverse proxy configured with a private key? That just screams potential security holes to me.

Quoting https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatefile

This directive sets the all-in-one file where you keep the certificates and keys used for authentication of the proxy server to remote servers.

Why do we need that?

@ehelms
Copy link
Member Author

ehelms commented Aug 8, 2024

Why do we need that?

I believe this is used to perform re-encryption because SSL was being terminated in Apache on the Capsule and we then need to proxy the communication while preserving the SSL client certificate header (https://github.com/theforeman/puppet-foreman_proxy_content/blob/master/manifests/reverse_proxy.pp#L62).

@ekohl
Copy link
Member

ekohl commented Aug 8, 2024

My expectation is that it would simply result in a different SSL client certificate header. The one belongs to the certificate & private key provided in the bundle.

@ehelms
Copy link
Member Author

ehelms commented Aug 9, 2024

My understanding is that without setting this, the proxy cannot present a valid certificate to the Apache on Foreman. While this appears to work without SSLProxyMachineCertificateFile, there are errors within the log:

AH02268: Proxy client certificate callback: (<hostname>:443) downstream server wanted client certificate but none are configured

In all cases, the client certificate information has to be extracted and put into a new header that is sent along, this line (https://github.com/theforeman/puppet-foreman_proxy_content/blob/master/manifests/reverse_proxy.pp#L62) because the client certificates cannot be passed along.

@ehelms ehelms force-pushed the allow-not-deploying-bundle branch from 3047eb1 to ec4826d Compare March 1, 2025 16:28
@ehelms ehelms moved this to In Progress in Containerization Mar 1, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Not yet reviewed

Projects

Containerization
Status: In Progress

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ehelms @ekohl