
Making CA certificate available over http, __default__ rewrites



Hello,

in an effort to stop using curl -k and rhc -k when talking to broker,
I thought it'd be nice if broker had a well-known location of its CA
certificate.

So I put the certificate in /var/www/html/CA.crt (well, it's the
server self-signed certificate but that should not matter) but then
I hit the issue of redirects -- to /console, and to https.

I tried to put

	RewriteRule     ^/CA\.*crt$    -   [L]

to

	/etc/httpd/conf.d/000002_openshift_origin_broker_proxy.conf

but that did not help. Then I realized that, this being an
all-on-one-machine installation, the

	/etc/httpd/conf.d/openshift_route.include

takes precedence. When I put the RewriteRule there, before the other
rules, it works (I can fetch the certificate from
http://broker.example.net/CA.crt) but I can also get it from any node
running on the same machine.

It looks like I want to put the equivalent of

	__default__/CA.crt NOPROXY

to something like

	/var/lib/openshift/.httpd.d/nodes.db

except I did not find where that database gets populated. Is there
a way to put that one record there at rpm build time?

I also wonder if the records

	__default__ REDIRECT:/console
	__default__/console TOHTTPS:127.0.0.1:8118/console
	__default__/broker TOHTTPS:127.0.0.1:8080/broker

in there are actually correct -- I'd expect these to be handled by

	/etc/httpd/conf.d/000002_openshift_origin_broker_proxy.conf

and that

	/etc/httpd/conf.d/000001_openshift_origin_node.conf
	/etc/httpd/conf.d/openshift_route.include

would only specifically do anything for gear hostnames, never for
__default__. Am I missing something in the setup?

The task to fetch CA.crt is really just a beginning in trying to
co-install other projects on the same machine, like FreeIPA. I'll
be attempting to add other .conf drop-ins to /etc/httpd/conf.d and
stopping OpenShift from over-owning the URI namespace would
make the work and debugging easier.

-- 
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
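
A CA certificate fetched over plain http is only as trustworthy as the network path it crossed, so a client that wants to drop `curl -k` should check the download against a digest obtained out of band before trusting it. The script below is an added example, not part of the original message or of OpenShift; the function names, the `BROKER_CA_PIN` and `BROKER_CA_DEST` variables and the choice to pin the SHA-256 of the PEM file's bytes are assumptions, and the URL is the one from the post.

```sh
#!/bin/sh
# Added example: fetch the broker CA over http, trust it only if it matches a pin.
# Assumption: the pin is the SHA-256 of the PEM file bytes, delivered out of band.

# sha256_of FILE -> prints the lowercase hex SHA-256 of the file's bytes.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# pin_matches FILE EXPECTED_HEX -> returns 0 only when the digest matches.
# An unreadable file yields an empty digest and is rejected.
pin_matches() {
    actual=$(sha256_of "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# fetch_ca URL PIN DEST -> download to a temp file, install to DEST only
# when the pin matches; a rejected download never reaches DEST.
fetch_ca() {
    url=$1
    pin=$2
    dest=$3
    tmp=$(mktemp) || return 2
    if curl --fail --silent --show-error --max-time 20 -o "$tmp" "$url" \
        && pin_matches "$tmp" "$pin"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "CA from $url rejected: download failed or pin mismatch" >&2
        return 1
    fi
}

# Runs only when a pin is supplied, e.g.
#   BROKER_CA_PIN=<hex digest> sh fetch-ca.sh
if [ -n "${BROKER_CA_PIN:-}" ]; then
    dest=${BROKER_CA_DEST:-./broker-ca.crt}
    fetch_ca "http://broker.example.net/CA.crt" "$BROKER_CA_PIN" "$dest" \
        && echo "CA saved; use: curl --cacert $dest https://broker.example.net/"
fi
```

Pinning the file bytes means any re-encoding of the PEM file on the server changes the digest; the pin then has to be redistributed along with the new file.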

