felixfontein / ansible-acme

An Ansible collection for managing TLS certificates with ACME CAs like Let's Encrypt.

Home Page:https://galaxy.ansible.com/ui/repo/published/felixfontein/acme/


OpenSSL parameters used in obtain-cert.yml are not compatible with the LibreSSL version used in macOS

jimkoen opened this issue · comments

In this line

https://github.com/felixfontein/ansible-acme/blob/main/roles/acme_certificate/tasks/obtain-cert.yml#L202

The parameters no-CAfile and no-CApath are not compatible with the OpenSSL version that is installed by default on macOS (which is LibreSSL).

Would it be okay to suggest investigating whether using different parameters would be possible, or skipping this step?
The role seems to be working fine without them, maybe a different check could be implemented (or a condition as to not perform the check).
Happy to implement this if wished.

Well, LibreSSL is not an OpenSSL version, but a not really compatible OpenSSL replacement. But yeah, it would be nice if it would also work with that one out of the box.

I guess the solution will be running openssl version first and looking at the output (the version on macOS has LibreSSL in its output - see https://github.com/ansible-collections/community.crypto/blob/main/tests/integration/targets/setup_openssl/tasks/main.yml#L46). Skipping the two unsupported parameters in case of LibreSSL (or replacing them with something that works with LibreSSL if possible) sounds like a good idea.

The role seems to be working fine without them

Yes, it's mainly a sanity check whether the obtained certificates seem to work (and there's already an option to not make the check fail the role).
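The detection suggested in the thread (look for "LibreSSL" in `openssl version` output and drop the two flags when it is present), written out as a small POSIX shell example. This is added example code, not code from the ansible-acme role; the sample version strings are constructed, and the assumption that the sanity check is an `openssl verify -CAfile <chain> <cert>` call is mine, not taken from obtain-cert.yml.

```shell
#!/bin/sh
# Added example: decide whether "openssl verify" may be given the
# -no-CAfile/-no-CApath flags, based on the output of "openssl version".
# Assumption: LibreSSL builds (macOS's default) report "LibreSSL ..." there,
# while OpenSSL builds report "OpenSSL ...".

# Constructed sample outputs of "openssl version" for the two cases.
SAMPLE_OPENSSL='OpenSSL 3.0.13 30 Jan 2024'
SAMPLE_LIBRESSL='LibreSSL 3.3.6'

# is_libressl VERSION_OUTPUT -> returns 0 when the output names LibreSSL.
is_libressl() {
    case "$1" in
        *LibreSSL*) return 0 ;;
        *)          return 1 ;;
    esac
}

# verify_extra_flags VERSION_OUTPUT -> prints the extra flags that are safe
# to pass: the two "-no-*" flags for OpenSSL, nothing for LibreSSL.
verify_extra_flags() {
    if is_libressl "$1"; then
        printf ''
    else
        printf -- '-no-CAfile -no-CApath'
    fi
}

# build_verify_cmd VERSION_OUTPUT CA_FILE CERT_FILE -> prints the verify
# command line to run (assumed shape; the role's real call may differ).
build_verify_cmd() {
    if is_libressl "$1"; then
        printf 'openssl verify -CAfile %s %s\n' "$2" "$3"
    else
        printf 'openssl verify -no-CAfile -no-CApath -CAfile %s %s\n' "$2" "$3"
    fi
}

# Stand-alone use: show the command that would be run on this host.
if command -v openssl >/dev/null 2>&1; then
    build_verify_cmd "$(openssl version)" /tmp/chain.pem /tmp/cert.pem
fi
```

Because `is_libressl` only inspects the version string, the same check can be done in Ansible by registering the output of `openssl version` and using it in a `when:` condition, without ever invoking the unsupported flags.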