OpenSSL parameters used in obtain-cert.yml are not compatible with LibreSSL version used in MacOS
jimkoen opened this issue · comments
In this line
The parameters no-CAfile and no-CApath are not compatible with the OpenSSL version that is installed per default on MacOS (which is LibreSSL).
Would it be okay to suggest investigating whether using different parameters would be possible, or skipping this step?
The role seems to be working fine without them, maybe a different check could be implemented (or a condition as to not perform the check).
Happy to implement this if wished.
Well, LibreSSL is not an OpenSSL version, but a not really compatible OpenSSL replacement. But yeah, it would be nice if it would also work with that one out of the box.
I guess the solution will be running openssl version first and looking at the output (the version on macOS has LibreSSL in its output - see https://github.com/ansible-collections/community.crypto/blob/main/tests/integration/targets/setup_openssl/tasks/main.yml#L46). Skipping the two unsupported parameters in case of LibreSSL (or replacing them with something that works with LibreSSL if possible) sounds like a good idea.
> The role seems to be working fine without them
Yes, it's mainly a sanity check whether the obtained certificates seem to work (and there's already an option to not make the check fail the role).
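One way to implement the detection suggested in the thread, as an added example that is not code from the role or from either commenter: classify the `openssl version` banner and pass the two flags only where the CLI accepts them. It assumes the sanity check is an `openssl verify` call; the function names and file names are hypothetical, and the extra case for OpenSSL releases before 1.1.0 (which also lack these flags) goes beyond what the thread discusses.

```shell
#!/bin/sh
# Added example: pick verify flags based on which libcrypto CLI is installed.

# Classify a banner as printed by `openssl version`.
# $1: banner text (constructed samples in tests); if omitted, query the local binary.
openssl_flavor() {
    banner=${1-$(openssl version 2>/dev/null)}
    case $banner in
        LibreSSL*)                      echo libressl ;;
        "OpenSSL 0."*|"OpenSSL 1.0."*)  echo openssl-legacy ;;
        OpenSSL*)                       echo openssl ;;
        *)                              echo unknown ;;
    esac
}

# Emit the trust-store isolation flags only where they are supported.
# -no-CAfile / -no-CApath tell OpenSSL not to load the default CA file / directory,
# so the check is anchored only on the root passed with -CAfile.
isolation_flags() {
    case $(openssl_flavor "$@") in
        openssl) echo "-no-CAfile -no-CApath" ;;
        *)       echo "" ;;   # LibreSSL, legacy OpenSSL, unknown: omit the flags
    esac
}

# Build the sanity-check command line.
# $1 root CA file, $2 intermediate chain, $3 certificate (hypothetical paths),
# $4 optional banner override for testing.
build_verify_cmd() {
    flags=$(isolation_flags ${4:+"$4"})
    echo "openssl verify${flags:+ $flags} -CAfile $1 -untrusted $2 $3"
}
```

In an Ansible role the same decision maps to registering the output of `openssl version` and making the two arguments conditional on it.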