uyuni-project · jcayouette · Mar 22, 2024 · Mar 22, 2024
diff --git a/.changelog b/.changelog
@@ -1,9 +1,12 @@
+<<<<<<< HEAD:.changelog
 # Write your changes here, new entries at the top, in correct format:
 # - Updated Foo chapter in Installation and Upgrade Guide for readability
 # - Documented Bar feature in Administration Guide
 # - Fixed error in Bat section of Upgrade Guide (bsc#1234567)
 # For guidelines: https://en.opensuse.org/openSUSE:Creating_a_changes_file_(RPM)#Changelog_section_.28.25changelog.29
 
+
+- Fixed the instructions for SSL Certificates (bsc#1219061)
 - Remove package sync paragraph in package-management doc since
   it is not available for Salt clients and traditional clients are no
   longer supported (bsc#1221279)

diff --git a/modules/administration/pages/ssl-certs-hsts.adoc b/modules/administration/pages/ssl-certs-hsts.adoc
@@ -3,17 +3,47 @@
 
 HTTP Strict Transport Security (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security[HSTS]) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.
 
+
 {productname} allows enabling HSTS, to enable it for a {productname} Server:
 
+<<<<<<< HEAD
 1. Edit `/etc/apache2/conf.d/zz-spacewalk-www.conf`
 2. Uncomment the line `# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"`
+=======
+.Procedure
+1. Create new configuration file in  `/etc/apache2/conf.d/<filename>.conf`, for example `/etc/apache2/conf.d/zz-spacewalk-www-custom.conf`.
+2. Add line `Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"`
+>>>>>>> ed03d466e (Clearer instructions for HTTP Strict Transport Security (#2875))
 3. Restart Apache with `systemctl restart apache2`
 
+
+
 To enable it for {productname} Proxies:
 
+<<<<<<< HEAD
 1. Edit `/etc/apache2/conf.d/spacewalk-proxy.conf`
 2. Uncomment the line `# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"`
 3. Restart Apache with `systemctl restart apache2`
 
 **IMPORTANT:** Once HSTS is enabled while using the default SSL certificate generated by {productname} or a self-signed certificate, browsers will refuse to connect using HTTPS unless the CA used to sign such certificates is trusted by the browser.
+=======
+.Procedure
+1. Create new configuration file in  `/etc/apache2/conf.d/<filename>.conf`, for example `/etc/apache2/conf.dz/zz-spacewalk-proxy-custom.conf`.
+2. Add line `Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"`
+3. Restart Apache with `systemctl restart apache2`
+
+
+
+[WARNING]
+====
+When naming the new config file [literal]``<filename>.conf``, make sure it is loaded at the right time.
+For example, to override something defined in [literal]``spacewalk-www.conf`` the new file needs to be alphabetically after this file. 
+For more information about how Apache loads files, see https://httpd.apache.org/docs.
+====
+
+
+[IMPORTANT] 
+====
+When HSTS is enabled while using the default SSL certificate generated by {productname} or a self-signed certificate, browsers will refuse to connect with HTTPS unless the CA used to sign such certificates is trusted by the browser.
+>>>>>>> ed03d466e (Clearer instructions for HTTP Strict Transport Security (#2875))
 If you are using the SSL certificate generated by {productname}, you can trust it by importing the file located at `http://<SERVER-HOSTNAME>/pub/RHN-ORG-TRUSTED-SSL-CERT` to the browsers of all users.