From 5a8f6556714ded885133166004116c2daa24f192 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 2 Sep 2021 16:56:24 -0700 Subject: [PATCH] proxies: add intermediate certs for mirrors.centos.org Signed-off-by: Kevin Fenzi --- inventory/group_vars/all | 5 +++++ playbooks/include/proxies-certificates.yml | 2 ++ 2 files changed, 7 insertions(+) diff --git a/inventory/group_vars/all b/inventory/group_vars/all index a04e74a14e..5321ecb7dc 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -281,6 +281,11 @@ ocp_wildcard_cert_file: wildcard-2021.apps.ocp.fedoraproject.org.cert ocp_wildcard_key_file: wildcard-2021.apps.ocp.fedoraproject.org.key ocp_wildcard_int_file: wildcard-2021.apps.ocp.fedoraproject.org.intermediate.cert +# This is the mirrors.centos.org certs +mirrors_centos_org_cert_name: mirrors.centos.org +mirrors_centos_org_cert_file: mirrors.centos.org.cert +mirrors_centos_org_key_file: mirrors.centos.org.key + # Everywhere, always, we should sign messages and validate signatures. # However, we allow individual hosts and groups to override this. Use this very # carefully.. and never in production (good for testing stuff in staging). diff --git a/playbooks/include/proxies-certificates.yml b/playbooks/include/proxies-certificates.yml index fee0f1f83a..be9d518394 100644 --- a/playbooks/include/proxies-certificates.yml +++ b/playbooks/include/proxies-certificates.yml @@ -69,10 +69,12 @@ - role: httpd/certificate certname: mirrors.centos.org + SSLCertificateChainFile: mirrors.centos.org.intermediate.cert when: env != "staging" - role: httpd/certificate certname: mirrors.stg.centos.org + SSLCertificateChainFile: mirrors.stg.centos.org.intermediate.cert when: env == "staging" # - role: httpd/certificate
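Review bot: The new `mirrors_centos_org_*` block in inventory/group_vars/all defines a cert name, cert file and key file but no intermediate file, although the commit is about intermediate certs and the `ocp_wildcard_*` block directly above it carries `ocp_wildcard_int_file`. The playbook hunk then hard-codes the chain filename, so the inventory and the role call can drift apart at the next renewal. Consider adding `mirrors_centos_org_int_file: mirrors.centos.org.intermediate.cert` here and referencing it from the role call. Nothing visible in this patch consumes the three new variables, so it is worth confirming that they are used elsewhere and not left as dead configuration next to a private-key filename.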
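Review bot: The two `SSLCertificateChainFile` values added to the `httpd/certificate` role calls in playbooks/include/proxies-certificates.yml name files that this patch does not add, so the change relies on `mirrors.centos.org.intermediate.cert` and `mirrors.stg.centos.org.intermediate.cert` already existing wherever the role reads certificates from; the role itself is not visible here. If either file is missing or goes stale after a renewal, the proxy presumably either fails to deploy or serves an incomplete chain, and clients that do not fetch intermediates themselves will reject the mirror, which tends to push users toward disabling TLS verification. A comment above each entry such as `# intermediate must be renewed together with the leaf cert` would record that dependency. A post-deploy check of the served chain (for example `openssl s_client -connect mirrors.centos.org:443 -servername mirrors.centos.org -showcerts`) would catch a missing intermediate early. The hunk starts and ends inside the role list, so the neighbouring entries could not be compared.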