From e8e65f312ea2c6e86430ed72da6ba049873a0fdb Mon Sep 17 00:00:00 2001
From: Daniel Hokka Zakrisson
Date: Mon, 28 Dec 2009 16:21:42 +0000
Subject: [PATCH] If a real certificate is used and it is not issued by a root CA, a SSLCertificateChainFile must be used containing all the CAs leading down to the certificate.
---
 plc.d/ssl | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/plc.d/ssl b/plc.d/ssl
index 90cd41a..2c8a4a4 100755
--- a/plc.d/ssl
+++ b/plc.d/ssl
@@ -139,13 +139,20 @@ case "$1" in
 fi
 ssl_key=PLC_${server}_SSL_KEY
 ssl_crt=PLC_${server}_SSL_CRT
+ ssl_ca_crt=PLC_${server}_CA_SSL_CRT
 symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt
 symlink ${!ssl_key} /etc/pki/tls/private/localhost.key
+ symlink ${!ssl_ca_crt} /etc/pki/tls/certs/server-chain.crt
 symlink ${!ssl_crt} /etc/httpd/conf/ssl.crt/server.crt
 symlink ${!ssl_key} /etc/httpd/conf/ssl.key/server.key
 done
+ # Ensure that the server-chain gets used, as it is off by
+ # default.
+ sed -i -e 's/^#SSLCertificateChainFile /SSLCertificateChainFile /' \
+ /etc/httpd/conf.d/ssl.conf
+
 result "$MESSAGE"
 ;;
 esac
--
2.43.0
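Review bot: The `sed` that uncomments `SSLCertificateChainFile` runs unconditionally, and the added `symlink ${!ssl_ca_crt} ...` expands an unquoted indirect variable, so a deployment with `PLC_${server}_CA_SSL_CRT` unset or empty (a self-signed or root-issued certificate) calls `symlink` with a single argument and still has the chain directive switched on. If `server-chain.crt` then does not exist or dangles, httpd will probably refuse to load the SSL vhost; the `symlink` helper and the start of this `case` branch are outside the hunk, so its exact behaviour on a missing source cannot be confirmed here. I would guard the link with `if [ -n "${!ssl_ca_crt}" ]; then symlink "${!ssl_ca_crt}" /etc/pki/tls/certs/server-chain.crt; fi` and wrap the `sed` in `if [ -e /etc/pki/tls/certs/server-chain.crt ]; then ... fi`. Every server in the loop also links its CA file to the same `server-chain.crt` path, so the last one wins; a short comment saying that a single shared chain is intended would help.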