Improve TLS keys and certs handling in OpenBSD.

files/update-ca-certificates

+#!/bin/sh -e
+# Update the CA certificates store.
+
+test -d /etc/ssl/certs || echo "/etc/ssl/certs doesn't exist."
+test -w /etc/ssl/cert.pem || chmod 0644 /etc/ssl/cert.pem
+
+cat /etc/ssl/certs/*.pem > /etc/ssl/cert.pem

handlers/main.yml

@@ -2,7 +2,7 @@
 # handlers file for ansible-common
 
 - name: Update CA store
-  command: /usr/sbin/update-ca-certificates
+  command: '{{ update_ca_certificates[ansible_os_family] }}'
 
 - name: Restart rsyslog
   service:

tasks/add_tls_cert.yml

@@ -3,11 +3,11 @@
 - name: Assert
   assert:
     that:
-    - "ansible_os_family in [ 'Debian' ]"
+    - "ansible_os_family in [ 'Debian', 'OpenBSD' ]"
     - "extra_tls_certs is defined"
 
 - name: apt install CA certificates
-  when: ansible_os_family == 'Debian'
+  when: ansible_pkg_mgr == 'apt'
   apt:
     name: ca-certificates
     state: present

tasks/tls_cert_OpenBSD.yml

@@ -17,43 +17,52 @@
     mode: '{{ item.mode }}'
     state: directory
 
+- name: Get current CA store
+  get_url:
+    url: http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/cert.pem
+    dest: /etc/ssl/certs/ca-certificates.pem
+    owner: root
+    group: wheel
+    mode: '0644'
+
+- name: Copy update-ca-certifcates script
+  copy:
+    src: update-ca-certificates
+    dest: /usr/local/sbin/update-ca-certificates
+    owner: root
+    group: wheel
+    mode: '0755'
+
 - stat:
     path: /etc/ssl/private/ssl-cert-snakeoil.key
   register: tls_stat_key
 
 - name: Generate self-signed TLS key
-  when: not tls_stat_key.exists
-  command: /usr/sbin/openssl genrsa -out /etc/ssl/private/ssl-cert-snakeoil.key 2048
+  when: not tls_stat_key.stat.exists
+  command: /usr/bin/openssl genrsa -out /etc/ssl/private/ssl-cert-snakeoil.key 2048
 
 - stat:
-    path: /etc/ssl/certs/ssl-cert-snakeoil.crt
+    path: /etc/ssl/certs/ssl-cert-snakeoil.pem
   register: tls_stat_cert
 
 - name: Generate self-signed TLS cert
-  when: not tls_stat_cert.exists
+  when: not tls_stat_cert.stat.exists
   command: |
-    /usr/sbin/openssl req \
+    /usr/bin/openssl req \
         -x509 \
         -new \
-        -key /etc/ssl/private/snakeoil.key \
+        -key /etc/ssl/private/ssl-cert-snakeoil.key \
         -nodes \
-        -out /etc/ssl/certs/snakeoil.crt \
+        -out /etc/ssl/certs/ssl-cert-snakeoil.pem \
         -days 3650
         -subj "/CN={{ ansible_fqdn }}"
   register: tls_gen_snakeoil_cert
 
-- name: Add self-signed TLS cert to certificate store
-  when: not tls_stat_cert.exists
-  command: |
-    /usr/sbin/openssl x509 \
-        -in /etc/ssl/certs/ssl-snake-oil.crt \
-        -text >> /etc/ssl/cert.pem
-
 - name: Set TLS key and certificate
   set_fact:
     tls_key_path: '/etc/ssl/private/{{ tls_key|default("ssl-cert-snakeoil")|basename }}.key'
-    tls_cert_path: '/etc/ssl/certs/{{ tls_cert|default("ssl-cert-snakeoil")|basename }}.crt'
-    tls_ca_cert_path: '/etc/ssl/certs/{{ tls_ca_cert|default(tls_cert|default("ssl-cert-snakeoil"))|basename }}.crt'
+    tls_cert_path: '/etc/ssl/certs/{{ tls_cert|default("ssl-cert-snakeoil")|basename }}.pem'
+    tls_ca_cert_path: '/etc/ssl/certs/{{ tls_ca_cert|default(tls_cert|default("ssl-cert-snakeoil"))|basename }}.pem'
 
 - name: Copy TLS certificate and key
   when: tls_cert is defined and tls_key is defined and tls_ca_cert is defined
@@ -73,11 +82,4 @@
   register: tls_copy
 
 - name: Update certificate authority store
-  when: tls_copy.changed
-  with_items:
-  - '{{ tls_cert_path }}'
-  - '{{ tls_ca_cert_path }}'
-  command: |
-    /usr/sbin/openssl x509 \
-        -in {{ item }} \
-        -text >> /etc/ssl/cert.pem
+  command: /usr/local/sbin/update-ca-certificates

vars/main.yml

@@ -32,3 +32,10 @@ openbsd_collectd_version:
     '5.8': 'collectd-5.5.0p1'
 
 openbsd_pkg_mirror: http://www.mirrorservice.org/pub
+ansible_python_interpreter: '{{ "/usr/local/bin/python2.7" if openbsd_bootstrap is defined else omit }}'
+update_ca_certificates:
+    OpenBSD: /usr/local/sbin/update-ca-certificates
+    Debian: /usr/sbin/update-ca-certificates
+ca_store:
+    OpenBSD: /etc/ssl/cert.pem
+    Debian: /etc/ssl/certs/ca-certificates.crt