From 931695475cbb261678e4571c2523bf6bd4c2bef5 Mon Sep 17 00:00:00 2001
From: Damian Dabrowski
Date: Sat, 8 Apr 2023 01:29:43 +0200
Subject: [PATCH] Use chain cert file for apache

Apache needs to respond with all intermediate CA certificates. Otherwise, haproxy will not be able to validate backend certificate. That is why -chain.crt file needs to be installed for keystone.

Change-Id: Ibc8267a1c27e1de7ed5bce716199f3264e8c136d
---
 defaults/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index fdee7e69..2c4f7e63 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -299,7 +299,7 @@ keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
 # Installation details for SSL certificates
 keystone_pki_install_certificates:
   # Apache certificates
-  - src: "{{ keystone_user_ssl_cert | default(keystone_pki_certs_path ~ 'keystone_' ~ ansible_facts['hostname'] ~ '.crt') }}"
+  - src: "{{ keystone_user_ssl_cert | default(keystone_pki_certs_path ~ 'keystone_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
     dest: "{{ keystone_ssl_cert }}"
     owner: "{{ keystone_system_user_name }}"
     group: "{{ keystone_system_group_name }}"
@@ -316,7 +316,7 @@ keystone_pki_install_certificates:
     owner: "{{ keystone_system_user_name }}"
     group: "{{ keystone_system_group_name }}"
     mode: "0644"
-    condition: "{{ keystone_ssl }}"
+    condition: "{{ keystone_user_ssl_ca_cert is defined }}"
   # IDP certificates
   - src: "{{ keystone_pki_dir ~ '/roots/' ~ keystone_idp_authority_name ~ '/certs/' ~ keystone_idp_authority_name ~ '.crt' }}"
     dest: "{{ keystone_idp['certfile'] | default('') }}"
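Review bot: The second hunk changes when the CA certificate entry is installed — from `keystone_ssl` being enabled to `keystone_user_ssl_ca_cert` being defined — and neither the commit message nor a comment explains why; the entry's `src` line is outside the hunk, so whether the role-generated CA is now expected to be served from the `-chain.crt` bundle instead cannot be confirmed here. Please state the intent above the entry, e.g. `# The CA file is only installed separately when an operator supplies one; otherwise the chain bundle served by Apache is relied on`, adjusted to what the `src` actually does. For the first hunk, the new `-chain.crt` default is bypassed whenever an operator sets `keystone_user_ssl_cert`, so that file must itself be a full chain (leaf plus intermediates) or the haproxy backend verification the commit message describes will fail; extend the comment to `# Apache certificates (a user-supplied cert must contain the full chain, leaf + intermediates)`. The two entries also now gate on different variables, and the Apache entry's own `condition` line lies outside the hunk, so it is worth confirming that a user CA with `keystone_ssl: false` is meant to still be written.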