Install BKCA.crt as a system trusted CA

This will install the BKCA as a system trusted CA on Debian (and
hopefully FreeBSD) and then removes all explicit certificate pinning
from any configuration file which should force the use of all system
trusted CAs at this point

group_vars/all/vars.yml

@@ -13,7 +13,6 @@ hackmd_dbuser: hackmd
 hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
 hackmd_secret: "{{ vault_hackmd_secret }}"
 
-ldap_ca: /etc/ldap/ssl/BKCA.crt
 ldap_uri: ldaps://ldap.binary.kitchen/
 ldap_host: ldap.binary.kitchen
 ldap_base: dc=binary-kitchen,dc=de

roles/common/handlers/main.yml

@@ -8,3 +8,6 @@
 
 - name: update-initramfs
   command: update-initramfs -u -k all
+
+- name: update-ca-certificates
+  command: update-ca-certificates

roles/common/tasks/Debian.yml

@@ -57,7 +57,8 @@
   template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
 
 - name: Copy LDAP certificate
-  copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
+  copy: src=BKCA.crt dest=/usr/local/share/ca-certificates/BKCA.crt mode=0444
+  notify: update-ca-certificates
 
 - name: Disable hibernation/resume
   copy: src=resume dest=/etc/initramfs-tools/conf.d/resume

roles/common/tasks/FreeBSD.yml

@@ -28,7 +28,18 @@
   - { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.6/functions/Prompts/prompt_gentoo_setup' }
 
 - name: Create LDAP certificate directory
-  file: path=/etc/ldap/ssl state=directory
+  file:
+    path: "{{ item }}"
+    state: "directory"
+  loop:
+    - "/etc/ssl/certs"
+    - "/usr/local/etc/ssl/certs"
 
 - name: Copy LDAP certificate
-  copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
+  copy:
+    src: "BKCA.crt"
+    dest: "{{ item }}/BKCA.crt"
+    mode: "0444"
+  loop:
+    - "/etc/ssl/certs"
+    - "/usr/local/etc/ssl/certs"

roles/common/templates/ldap.conf.j2

@@ -11,7 +11,3 @@ URI	{{ ldap_uri }}
 #SIZELIMIT	12
 #TIMELIMIT	15
 #DEREF		never
-
-# TLS certificates (needed for GnuTLS)
-TLS_CACERT	/etc/ldap/ssl/BKCA.crt
-

roles/hackmd/templates/config.json.j2

@@ -37,7 +37,6 @@
             "searchAttributes": ["cn", "uid"],
             "usernameField": "cn",
             "useridField": "uid",
-            "tlsca": "/etc/ldap/ssl/BKCA.crt"
         },
         "email": false
     }

roles/ldap-pam/templates/nslcd.conf.j2

@@ -32,4 +32,3 @@ base shadow {{ nslcd_base_shadow }}
 
 # SSL options
 tls_reqcert demand
-tls_cacertfile {{ ldap_ca }}

roles/mail/tasks/main.yml

@@ -105,9 +105,6 @@
 - name: Ensure postfix chroot has an LDAP CA directory
   file: path=/var/spool/postfix/etc/ldap/ssl/ state=directory
 
-- name: Ensure postfix chroot has the LDAP CA file
-  copy: remote_src=yes src=/etc/ldap/ssl/BKCA.crt dest=/var/spool/postfix/etc/ldap/ssl/BKCA.crt
-
 - name: Ensure postfix certificates are available
   command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt
   notify: Restart postfix

roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2

@@ -43,9 +43,9 @@ dnpass = {{ ldap_bindpw }}
 #sasl_authz_id =
 
 # Use TLS to connect to the LDAP server.
-tls = no
+tls = yes
 # TLS options, currently supported only with OpenLDAP:
-tls_ca_cert_file = {{ ldap_ca }}
+#tls_ca_cert_file =
 #tls_ca_cert_dir =
 #tls_cipher_suite =
 # TLS cert/key is used only if LDAP server requires a client certificate.

roles/mail/templates/postfix/ldap-aliases.cf.j2

@@ -1,5 +1,4 @@
 server_host = {{ ldap_uri }}
-tls_ca_cert_file = {{ ldap_ca }}
 tls_require_cert = yes
 bind = yes
 bind_dn = {{ ldap_binddn }}

roles/mail/templates/postfix/ldap-virtual-maps.cf.j2

@@ -1,5 +1,4 @@
 server_host = {{ ldap_uri }}
-tls_ca_cert_file = {{ ldap_ca }}
 tls_require_cert = yes
 bind = yes
 bind_dn = {{ ldap_binddn }}

roles/slapd/templates/slapd.conf.j2

@@ -67,7 +67,6 @@ access to *
 
 TLSCertificateFile	/etc/ldap/ssl/srv.crt
 TLSCertificateKeyFile	/etc/ldap/ssl/srv.key
-TLSCACertificateFile	{{ ldap_ca }}
 TLSCipherSuite		NORMAL
 TLSVerifyClient		never