From: Louis M. <lm...@in...> - 2017-04-28 21:45:42
> On Apr 28, 2017, at 5:25 PM, Sokolowski, Darryl <DS...@ea...> wrote:
>
> Oh, ok, now I understand what Fabrice meant about haproxy terminating the ssl tunnel. Thanks for that explanation.
> Sorry, I didn’t pick that up right away.
>
> I changed var/conf/haproxy.conf to point at my certificates, and every time I restart the service, it rewrites haproxy.conf file back to using server.pem.
>
That's the expected behaviour.
That file is actually generated based on your configuration, every time you start the service.

> So reading your response again, it sounds like my concatenated certificate might need to be named ‘server.pem’.
> If I rename my certificate to ‘server.pem’, it works as desired.
> Is that the way to do it? Or am I still off-base?
That's the way to go.
> ‘server.pem’ won’t get overwritten by an upgrade?
>
This is what the packetfence.spec file does:
    #Make ssl certificate
    if [ ! -f /usr/local/pf/conf/ssl/server.crt ]; then
        openssl req -x509 -new -nodes -days 365 -batch\
            -out /usr/local/pf/conf/ssl/server.crt\
            -keyout /usr/local/pf/conf/ssl/server.key\
            -nodes -config /usr/local/pf/conf/openssl.cnf
        cat /usr/local/pf/conf/ssl/server.crt /usr/local/pf/conf/ssl/server.key > /usr/local/pf/conf/ssl/server.pem
    fi
So as long as you have a file named "/usr/local/pf/conf/ssl/server.crt" it won't overwrite the server.pem.
I agree that this should be configurable.
I'm adding it to the wishlist for 7.1 or 7.2.
Regards,
--
Louis Munro
lm...@in... <mailto:lm...@in...> :: www.inverse.ca <http://www.inverse.ca/>
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu <http://www.sogo.nu/>) and PacketFence (www.packetfence.org <http://www.packetfence.org/>)
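
The approach described in this message, as an added example that is not part of the original e-mail or of PacketFence itself: install a custom certificate under the file names the spec snippet uses, after checking that the private key actually belongs to the certificate. The function names install_pf_cert and spec_would_regenerate are hypothetical; the source certificate and key are assumed to live outside the ssl directory.

```shell
#!/bin/sh
# Added example (not PacketFence code). Function names are hypothetical.
# The default directory is the path shown in the spec snippet above.

# Mirrors the guard in the quoted spec snippet: succeeds (0) when server.crt
# is missing, i.e. when the package scripts would generate a self-signed
# certificate and write a new server.pem.
spec_would_regenerate() {
    [ ! -f "${1:-/usr/local/pf/conf/ssl}/server.crt" ]
}

# install_pf_cert CERT KEY [SSL_DIR]
# CERT may hold the server certificate followed by its intermediates;
# only the first certificate is compared with the key.
# Returns 2 = unreadable input, 3 = key does not match cert, 4 = write error.
install_pf_cert() {
    cert=$1; key=$2; ssl_dir=${3:-/usr/local/pf/conf/ssl}

    # Extract the public key from both files and compare them. A mismatch
    # here would otherwise only surface when haproxy fails to load the PEM.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 3

    # The bundle contains the private key: create new files unreadable to
    # other users. Ownership is left alone; match it to your existing files.
    old_umask=$(umask); umask 077
    tmp=$(mktemp "$ssl_dir/server.pem.XXXXXX") || { umask "$old_umask"; return 4; }

    # Same order as the spec snippet: certificate first, then key.
    # server.pem is moved into place last so it is never half-written.
    if cat "$cert" "$key" > "$tmp" &&
       cp "$cert" "$ssl_dir/server.crt" &&
       cp "$key" "$ssl_dir/server.key" &&
       mv "$tmp" "$ssl_dir/server.pem"
    then rc=0
    else rc=4; rm -f "$tmp"
    fi
    umask "$old_umask"
    return $rc
}
```

After a successful install, spec_would_regenerate returns non-zero because server.crt exists, which is the condition under which the spec snippet leaves server.pem alone.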