Versions of the puppetlabs-apache module prior to 1.11.1 and 2.1.0 make it very easy to accidentally misconfigure TLS trust. If you specify the ssl_ca parameter but do not specify the ssl_certs_dir parameter, a default will be provided for the ssl_certs_dir that will trust certificates from any of the system-trusted certificate authorities. This did not affect FreeBSD.
Affected versions: puppetlabs-apache 0.7.0 - 1.11.0, puppetlabs-apache 2.x prior to 2.1.0
Created puppet-apache tracking bugs for this issue:
Affects: openstack-rdo [bug 1491602]
This issue affects Red Hat Satellite 6.1 and 6.2. Red Hat Product Security has rated this issue as having Low security impact. Red Hat Satellite 6.3 is not affected by this issue.