Making CA certificate available over http, __default__ rewrites


In an effort to stop using curl -k and rhc -k when talking to broker,
I thought it'd be nice if broker had a well-known location of its CA

So I put the certificate to /var/www/html/CA.crt (well, it's the
server self-signed certificate but that should not matter) but then
I hit the issue of redirects -- to /console, and to https.

I tried to put

	RewriteRule     ^/CA\.*crt$    -   [L]



but that did not help. Then I realized that this being
all-on-one-machine installation, the


takes precedence. When I put the RewriteRule there, before the other
rules, it works (I can fetch the certificate from
http://broker.example.net/CA.crt) but I can also get it from any node
running on the same machine.

It looks like I want to put equivalent of

	__default__/CA.crt NOPROXY

to something like


except I did not find where that database gets populated. Is there
a way to put that one record there at rpm build time?

I also wonder if the records

	__default__ REDIRECT:/console
	__default__/console TOHTTPS:
	__default__/broker TOHTTPS:

in there are actually correct -- I'd expect these to be handled by


and that


would only specifically do anything for gear hostnames, never for
__default__. Am I missing something in the setup?

The task to fetch CA.crt is really just a beginning in trying to
co-install other projects on the same machine, like FreeIPA. I'll
be attempting to add other .conf drop-ins to /etc/httpd/conf.d and
stopping OpenShift from being over-owning the URI namespace would
make the work and debugging easier.

Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
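
A check a client can run on a CA.crt fetched over plain HTTP before passing it to curl --cacert in place of -k: compare its SHA-256 fingerprint with one obtained out of band. This is an added example, not part of the original post; the function names are hypothetical and the sample input is constructed placeholder bytes, not a real certificate.

```python
import hashlib
import hmac
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def sha256_fingerprint(pem_text):
    """Hex SHA-256 of the DER form of the single certificate in pem_text."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        # An empty body, an HTML redirect/error page, or a bundle carrying
        # extra certificates is not the object that was pinned.
        raise ValueError("expected exactly one certificate, found %d" % len(blocks))
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(blocks[0])).hexdigest()


def normalize(fp):
    """Accept 'AB:CD:...' (openssl style) or plain hex, in any case."""
    fp = fp.replace(":", "").replace(" ", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", fp):
        raise ValueError("pinned value is not a SHA-256 fingerprint")
    return fp


def accept_ca(pem_text, pinned_fp):
    """Return pem_text only if its fingerprint equals the pinned one."""
    actual = sha256_fingerprint(pem_text)
    if not hmac.compare_digest(actual, normalize(pinned_fp)):
        raise ValueError("CA fingerprint mismatch: got " + actual)
    return pem_text


# Constructed sample: placeholder bytes wrapped as PEM, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()

if __name__ == "__main__":
    accept_ca(SAMPLE_PEM, SAMPLE_PIN)
    print("pinned fingerprint matches")
```

The pinned value has to reach the client by a channel other than the HTTP download itself, otherwise the comparison proves nothing.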

