Fixes #36755 - Send full certificate chain to clients

Add option SSLExtraChainCert to the Webrick webserver, so the full
certificate chain is sent to clients during the SSL handkshake.

lib/launcher.rb

@@ -38,6 +38,13 @@ def https_plugins
  plugins.select { |p| p[:https_enabled] }.map { |p| p[:class] }
  end
 
+ def load_fullchain(bundle_pem)
+ File.read(bundle_pem)
+ .lines
+ .slice_after(/END CERTIFICATE/)
+ .map { |pem| OpenSSL::X509::Certificate.new(pem.join) }
+ end
+
  def http_app(http_port, plugins = http_plugins)
  return nil unless http_enabled?
  app = Rack::Builder.new do
@@ -62,6 +69,11 @@ def https_app(https_port, plugins = https_plugins)
  logger.error "Unable to read #{settings.ssl_ca_file}. Are the values correct in settings.yml and do permissions allow reading?"
  end
 
+ unless File.readable?(settings.foreman_ssl_ca)
+ logger.error "Unable to read #{settings.foreman_ssl_ca}. Are the values correct in settings.yml and do permissions allow reading?"
+ end
+
+
  app = Rack::Builder.new do
  plugins.each { |p| instance_eval(p.https_rackup) }
  end
@@ -95,6 +107,7 @@ def https_app(https_port, plugins = https_plugins)
  :SSLVerifyClient => OpenSSL::SSL::VERIFY_PEER,
  :SSLPrivateKey => load_ssl_private_key(settings.ssl_private_key),
  :SSLCertificate => load_ssl_certificate(settings.ssl_certificate),
+ :SSLExtraChainCert => load_fullchain(settings.foreman_ssl_ca),
  :SSLCACertificateFile => settings.ssl_ca_file,
  :SSLOptions => ssl_options,
  :SSLCiphers => CIPHERS - Proxy::SETTINGS.ssl_disabled_ciphers,