diff options
| author | Lee Clements <lclements0@gmail.com> | 2026-06-26 10:48:38 -0400 |
|---|---|---|
| committer | Lee Clements <lclements0@gmail.com> | 2026-06-27 01:34:17 -0400 |
| commit | 78bec494bd6df824875ff132920f6f293d82ac0c (patch) | |
| tree | 14979628f0e6e96a4d4f470f0d07b3c07cac1471 /python | |
| parent | 477b1b9137ef42407e18b68684485ae623834456 (diff) | |
| download | vyos-1x-78bec494bd6df824875ff132920f6f293d82ac0c.tar.gz vyos-1x-78bec494bd6df824875ff132920f6f293d82ac0c.zip | |
https: T9022: serve the full CA certificate chain
When a certificate is assigned to the HTTPS service, nginx was only
sent the leaf certificate. An intermediate CA was included only when
an operator manually configured "ca-certificate", and even then just
that single CA - the rest of the issuer chain was never followed.
As a result, clients that do not already trust the issuing intermediate
CA (for example Let's Encrypt's newer E- and R-series intermediates)
could not build a path to a trusted root and rejected the connection.
Build the complete chain from the CA certificates present in the PKI
using find_chain(), the same helper already used by HAProxy, OpenConnect,
stunnel and the other PKI consumers. The intermediate chain is now
discovered automatically, so configuring "ca-certificate" is no longer
required; it remains accepted for backwards compatibility.
Diffstat (limited to 'python')
0 files changed, 0 insertions, 0 deletions
