> On Apr 28, 2017, at 5:25 PM, Sokolowski, Darryl <ds...@earthcolor.com> wrote:
> 
> Oh, ok, now I understand what Fabrice meant about haproxy terminating the ssl 
> tunnel. Thanks for that explanation.
> Sorry, I didn’t pick that up right away.
>  
> I changed var/conf/haproxy.conf to point at my certificates, and every time I 
> restart the service, it rewrites haproxy.conf file back to using server.pem.
>  

That's the expected behaviour.
That file is actually generated based on your configuration, every time you 
start the service.


> So reading your response again, it sounds like my concatenated certificate 
> might need to be named ‘server.pem’.
> If I rename my certificate to ‘server.pem’, it works as desired.
> Is that the way to do it? Or am I still off-base?


That's the way to go.


> ‘server.pem’ won’t get overwritten by an upgrade?
>  


This is what the packetfence.spec file does: 

#Make ssl certificate
if [ ! -f /usr/local/pf/conf/ssl/server.crt ]; then
    openssl req -x509 -new -nodes -days 365 -batch\
        -out /usr/local/pf/conf/ssl/server.crt\
        -keyout /usr/local/pf/conf/ssl/server.key\
        -nodes -config /usr/local/pf/conf/openssl.cnf
    cat /usr/local/pf/conf/ssl/server.crt /usr/local/pf/conf/ssl/server.key > /usr/local/pf/conf/ssl/server.pem
fi

So as long as you have a file named "/usr/local/pf/conf/ssl/server.crt" it 
won't overwrite the server.pem.




I agree that this should be configurable.
I'm adding it to the wishlist for 7.1 or 7.2.



Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and 
PacketFence (www.packetfence.org)

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
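
A check for the setup discussed in the thread above, as an added example that is not part of the original message and not PacketFence code: it confirms that server.crt exists (so the spec scriptlet will not regenerate the pair) and that the concatenated server.pem holds a matching, unexpired certificate and key. The function name and return codes are hypothetical.

```sh
#!/bin/sh
# Added example, not PacketFence code. check_pf_ssl and its return codes are
# hypothetical; the file names server.crt and server.pem come from the thread.
#
# check_pf_ssl DIR  (for example /usr/local/pf/conf/ssl)
#   0  server.pem is usable and will not be regenerated
#   1  server.crt is missing: the spec scriptlet would create a new
#      self-signed pair and overwrite server.pem
#   2  server.pem lacks a readable certificate or private key
#   3  the private key in server.pem does not belong to its certificate
#   4  server.pem (which holds the private key) is world-readable
#   5  the certificate in server.pem has expired
check_pf_ssl() {
    dir=$1
    pem=$dir/server.pem

    # Same test the scriptlet uses to decide whether to generate a new pair.
    [ -f "$dir/server.crt" ] || return 1
    [ -f "$pem" ] || return 2

    # openssl picks the first certificate / private key block in the
    # concatenated file, whichever order they were written in.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 2

    # Both commands print the public key in the same PEM form, so a plain
    # string comparison tells whether key and certificate are a pair.
    [ "$cert_pub" = "$key_pub" ] || return 3

    # find prints the path only when the "other: read" bit is set.
    [ -z "$(find "$pem" -perm -004)" ] || return 4

    # -checkend 0 exits non-zero when the certificate is already expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 || return 5
    return 0
}
```

Run it as `check_pf_ssl /usr/local/pf/conf/ssl; echo $?` after installing a certificate and again before a package upgrade.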