TLS-everywhere: Configure CA for apache
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>
Tue, 16 May 2017 13:38:35 +0000 (16:38 +0300)
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>
Wed, 17 May 2017 09:27:00 +0000 (12:27 +0300)
This tells apache which CA certificate was used to sign the certs it's
using. This setting is useful in case we want to enable OCSP stapling or
client authentication via TLS.

Change-Id: I97a7e5332aea8377c7662ca98beb71ed5e236640

puppet/services/apache.yaml

index f302106..12ecc7b 100644 (file)
@@ -38,6 +38,11 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
 
 conditions:
 
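Review bot: The description of the new `InternalTLSCAFile` parameter does not say that the default `/etc/ipa/ca.crt` is only present on nodes enrolled as FreeIPA clients, so a deployment that uses another internal CA must override it or httpd will point at a file that does not exist. I would also write the two-line description as a folded block scalar rather than a continued plain scalar, which reads the same to Heat but is clearer to a reader: `description: >-` / `  CA certificate that signed the internal TLS certificates; the default` / `  assumes the node is enrolled as a FreeIPA client.` The `parameters` mapping this hunk belongs to starts before the hunk.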
@@ -88,6 +93,7 @@ outputs:
             - internal_tls_enabled
             -
               generate_service_certificates: true
+              apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
               tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
               tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
               apache_certificates_specs:
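Review bot: The added `apache::mod::ssl::ssl_ca` line is, if I read puppetlabs-apache correctly, rendered as `SSLCACertificateFile`, which is the set of issuers mod_ssl will trust for client certificates once `SSLVerifyClient` is turned on — so the file should hold only the CA intended to issue client/service certs, not a broad trust bundle, and that constraint is worth stating in the parameter description or here as a comment, e.g. `# CA trusted for client-cert verification; keep this to the internal issuer only`. Nothing in this hunk checks that the path exists on the node, and mod_ssl refuses to start when it is missing, so the commit message could mention that overriding `InternalTLSCAFile` is required for non-IPA CAs. The `outputs` mapping and the `internal_tls_enabled` conditional both start and end outside the hunk.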