From efbd85eb8b36ab02095a3dffc14aff37f0d14845 Mon Sep 17 00:00:00 2001
From: Tomas Kopecek <tkopecek@redhat.com>
Date: Jun 21 2021 12:30:17 +0000
Subject: PR#2888: web: docs for KojiHubCA/ClientCA


Merges #2888
https://pagure.io/koji/pull-request/2888

Fixes: #2878
https://pagure.io/koji/issue/2878
[1.24.1] : Koji-web can't authenticate with hub through TLS auth

---

diff --git a/docs/source/server_howto.rst b/docs/source/server_howto.rst
index 0982285..2da3190 100644
--- a/docs/source/server_howto.rst
+++ b/docs/source/server_howto.rst
@@ -1008,7 +1008,6 @@ override all these values. So, you can use e.g.
 
     ## SSL authentication options
     ; WebCert = /etc/pki/koji/koji-web.pem
-    ; ClientCA = /etc/pki/koji/ca_cert.crt
     ; KojiHubCA = /etc/pki/koji/ca_cert.crt
 
     LoginTimeout = 72
diff --git a/www/conf/web.conf b/www/conf/web.conf
index 2be8578..4da640d 100644
--- a/www/conf/web.conf
+++ b/www/conf/web.conf
@@ -17,6 +17,8 @@ KojiFilesURL = http://server.example.com/kojifiles
 
 # SSL authentication options
 # WebCert = /etc/kojiweb/kojiweb.crt
+# KojiHubCA needs to be set only if system-wide CA bundle doesn't contain
+# it already. Note, that it will override that bundle.
 # KojiHubCA = /etc/kojiweb/kojihubca.crt
 
 LoginTimeout = 72