mod_ssl: add SSLVerifyDepth for external CA installs

mod_ssl's limiting of client cert verification depth was causing
the replica installs to fail when the master had been installed with
an external CA, since the SSLCACertificateFile was pointing to a file
with more than one certificate. This is caused by the default
SSLVerifyDepth value of 1. We set it to 5 as that should be
just about enough even for possible sub-CAs.

https://pagure.io/freeipa/issue/7530

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Stanislav Laznicka
2018-05-04 12:16:33 +02:00
parent e642865717
commit 392f44a38a
3 changed files with 14 additions and 1 deletions

@@ -43,7 +43,7 @@ from ipapython.dn import DN
import ipapython.errors
from ipaserver.install import sysupgrade
from ipalib import api, x509
from ipalib.constants import IPAAPI_USER
from ipalib.constants import IPAAPI_USER, MOD_SSL_VERIFY_DEPTH
from ipaplatform.constants import constants
from ipaplatform.tasks import tasks
from ipaplatform.paths import paths
@@ -418,6 +418,11 @@ class HTTPInstance(service.Service):
installutils.set_directive(paths.HTTPD_SSL_CONF,
'SSLCACertificateFile',
paths.IPA_CA_CRT, False)
# set SSLVerifyDepth for external CA installations
installutils.set_directive(paths.HTTPD_SSL_CONF,
'SSLVerifyDepth',
MOD_SSL_VERIFY_DEPTH,
quotes=False)
def __publish_ca_cert(self):
ca_subject = self.cert.issuer
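
Review bot: The comment above the new set_directive call says the directive is for external CA installations, but nothing in this hunk makes the call conditional on an external CA, so SSLVerifyDepth is written to paths.HTTPD_SSL_CONF on every install. Either reword the comment to say what the directive does (for example "allow client cert chains that include sub-CAs; needed when the master uses an external CA") or state that applying it to all installs is deliberate. Because this directive bounds how long a client certificate chain mod_ssl will accept, the reasoning the commit message gives for the chosen value ("just about enough even for possible sub-CAs") would be worth repeating next to the call, so that a later reader does not have to find the commit to learn why MOD_SSL_VERIFY_DEPTH is larger than the default of 1.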