diff --git a/httpd-init.service b/httpd-init.service
index 05af86e..e2e8dd6 100644
--- a/httpd-init.service
+++ b/httpd-init.service
@@ -1,5 +1,6 @@
[Unit]
Description=One-time configuration for httpd.service
+Documentation=man:httpd-init.service(8)
ConditionPathExists=|!/etc/pki/tls/certs/localhost.crt
ConditionPathExists=|!/etc/pki/tls/certs/localhost-ca.crt
diff --git a/httpd-ssl-gencerts b/httpd-ssl-gencerts
index 0771b73..67b6d9a 100755
--- a/httpd-ssl-gencerts
+++ b/httpd-ssl-gencerts
@@ -3,22 +3,20 @@
set -e
FQDN=`hostname`
-# A >59 char FQDN means "root@FQDN" exceeds 64-char max length for emailAddress
-if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then
- FQDN=localhost.localdomain
+
+if test -f /etc/pki/tls/certs/localhost.crt -o \
+ -f /etc/pki/tls/private/localhost.key -o \
+ -f /etc/pki/tls/certs/localhost-ca.crt; then
+ exit 1
fi
sscg -q \
--cert-file /etc/pki/tls/certs/localhost.crt \
--cert-key-file /etc/pki/tls/private/localhost.key \
--ca-file /etc/pki/tls/certs/localhost-ca.crt \
- --hash-alg sha256 \
- --key-strength 2048 \
--lifetime 365 \
- --country "--" \
- --state SomeState \
- --locality SomeCity \
- --organization SomeOrganization \
- --organizational-unit SomeOrganizationalUnit \
--hostname $FQDN \
--email root@$FQDN
+
+# mod_ssl will send the CA cert if it's appended to the server cert.
+cat /etc/pki/tls/certs/localhost-ca.crt >> /etc/pki/tls/certs/localhost.crt
diff --git a/httpd.service.xml b/httpd.service.xml
index 8f82e59..d851862 100644
--- a/httpd.service.xml
+++ b/httpd.service.xml
@@ -37,12 +37,14 @@
httpd.service
httpd.socket
+ httpd-init.service
httpd unit files for systemd
/usr/lib/systemd/system/httpd.service,
+ /usr/lib/systemd/system/httpd-init.service,
/usr/lib/systemd/system/httpd.socket
@@ -124,6 +126,20 @@ Wants=network-online.target
+
+ SSL/TLS certificate generation
+
+ The httpd-init.service unit is provided
+ with the mod_ssl package. This oneshot unit automatically
+ creates a TLS server certificate and key (using a generated
+ self-signed CA certificate and key) for testing purposes before
+ httpd is started. To inhibit certificate generation, use
+ systemctl mask httpd-init.service after
+ installing mod_ssl, and adjust the mod_ssl configuration to use
+ an appropriate certicate and key.
+
+
+
Reloading and stopping the service
diff --git a/httpd.spec b/httpd.spec
index 717e321..cccea46 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -13,7 +13,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.27
-Release: 8.4%{?dist}
+Release: 9%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@@ -454,7 +454,7 @@ install -m 644 -p $RPM_SOURCE_DIR/httpd.logrotate \
$RPM_BUILD_ROOT/etc/logrotate.d/httpd
# Install systemd service man pages
-install -m 644 -p httpd.service.8 httpd.socket.8 \
+install -m 644 -p httpd.service.8 httpd-init.service.8 httpd.socket.8 \
$RPM_BUILD_ROOT%{_mandir}/man8
# fix man page paths
@@ -618,6 +618,7 @@ rm -rf $RPM_BUILD_ROOT
%attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd/proxy
%{_mandir}/man8/*
+%exclude %{_mandir}/man8/httpd-init.*
%{_unitdir}/httpd.service
%{_unitdir}/htcacheclean.service
@@ -658,6 +659,7 @@ rm -rf $RPM_BUILD_ROOT
%{_libexecdir}/httpd-ssl-pass-dialog
%{_libexecdir}/httpd-ssl-gencerts
%{_unitdir}/httpd.socket.d/10-listen443.conf
+%{_mandir}/man8/httpd-init.*
%files -n mod_proxy_html
%defattr(-,root,root)
@@ -687,6 +689,10 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
+* Thu Sep 21 2017 Joe Orton - 2.4.27-9
+- use sscg defaults; append CA cert to generated cert
+- document httpd-init.service in httpd-init.service(8)
+
* Wed Sep 20 2017 Stephen Gallagher - 2.4.27-8.1
- Generate SSL certificates on service start, not %posttrans
diff --git a/ssl.conf b/ssl.conf
index a2709ce..a07bd8f 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -122,7 +122,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
-SSLCACertificateFile /etc/pki/tls/certs/localhost-ca.crt
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are