Oh, ok, now I understand what Fabrice meant about haproxy terminating the ssl 
tunnel. Thanks for that explanation.
Sorry, I didn't pick that up right away.

I changed var/conf/haproxy.conf to point at my certificates, and every time I 
restart the service, it rewrites the haproxy.conf file back to using server.pem.

So reading your response again, it sounds like my concatenated certificate 
might need to be named 'server.pem'.
If I rename my certificate to 'server.pem', it works as desired.
Is that the way to do it? Or am I still off-base?
'server.pem' won't get overwritten by an upgrade?

Thanks so much,
Darryl

From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: Friday, April 28, 2017 4:29 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Captive portal SSL not using defined cert 
after PF7 upgrade

A bit of background seems in order.

In PF 7.0 HAProxy sits in front of the httpd process for the portal.
HAProxy terminates the TLS connection, not httpd.

So you must tell HAProxy where to find your server certificate and key.

Look at the var/conf/haproxy.conf.
You will find the lines that configure ssl for each of the frontends.
Those lines point to the server.pem file, which must contain the concatenation 
of both your server certificate(s) and server key.

The conf/httpd.conf.d/ssl-certificates.conf files have nothing to do with that.



On Apr 28, 2017, at 9:33 AM, Virginie Girou <virginie.gi...@ut-capitole.fr> wrote:

Hello,

I am exactly in the same case.
Here is the content of /usr/local/pf/conf/httpd.conf.d/ssl-certificates.conf :

# Apache SSL certificates configuration
# This file is manipulated on PacketFence's startup before being given to Apache
SSLCertificateFile %%install_dir%%/conf/ssl/certif_ut-capitole_fr.crt
SSLCertificateKeyFile %%install_dir%%/conf/ssl/cle_ut-capitole_fr.key
SSLCertificateChainFile %%install_dir%%/conf/ssl/cachain_digicert.pem

I followed your advice:
cat certif_ut-capitole_fr.crt cle_ut-capitole_fr.key certif2_ut-capitole_fr.pem

But where must "certif2_ut-capitole_fr.pem" be used? Which config file?

Thanks

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and 
PacketFence (www.packetfence.org)
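
An added example, not part of the thread and not PacketFence code: a pre-flight check for the combined file Louis describes (server certificate(s) plus server key in one PEM) before it is installed as server.pem. The function names and the `sample` helper are this example's own, and the file to check is passed on the command line.

```python
import base64, os, re, ssl, stat, sys
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_labels(text):
    """Return the label of each PEM block; ValueError if a body is not base64."""
    blocks = PEM_BLOCK.findall(text)
    for _, body in blocks:
        base64.b64decode("".join(body.split()), validate=True)
    return [label for label, _ in blocks]

def bundle_problems(text):
    """Structural problems in a combined certificate + key file ([] if none)."""
    try:
        labels = pem_labels(text)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        return [f"PEM block body is not plain base64: {exc}"]
    problems = []
    keys = [lab for lab in labels if lab.endswith("PRIVATE KEY")]
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if len(keys) != 1:
        problems.append(f"expected exactly 1 private key, found {len(keys)}")
    return problems

def key_matches_cert(path):
    """True if OpenSSL loads the file and its key pairs with its certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(path)  # keyfile omitted: key is read from the same file
        return True
    except ssl.SSLError:
        return False

def world_readable(path):
    # The bundle holds the private key, so "other" must not be able to read it.
    return bool(os.stat(path).st_mode & stat.S_IROTH)

# Constructed sample: placeholder base64 bodies, not real certificate or key data.
FAKE = base64.b64encode(b"constructed placeholder").decode()
def sample(*labels):
    return "".join(f"-----BEGIN {l}-----\n{FAKE}\n-----END {l}-----\n" for l in labels)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the file you intend to install as server.pem
        issues = bundle_problems(open(path).read())
        if not issues and not key_matches_cert(path):
            issues.append("key does not match certificate, or file is unparsable")
        if world_readable(path):
            issues.append("file is world-readable")
        print(path, issues or "OK")
```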


