From b0f21482af94640dcdf69c35b859d13027beae91 Mon Sep 17 00:00:00 2001
From: Kishi
Date: Tue, 18 Sep 2018 02:26:11 +0200
Subject: [PATCH] Install BKCA.crt as a system trusted CA

This will install the BKCA as a system trusted CA on Debian (and hopefully FreeBSD) and then removes all explicit certificate pinning from any configuration file which should force the use of all system trusted CAs at this point
---
 group_vars/all/vars.yml | 1 -
 roles/common/handlers/main.yml | 3 +++
 roles/common/tasks/Debian.yml | 3 ++-
 roles/common/tasks/FreeBSD.yml | 15 +++++++++++++--
 roles/common/templates/ldap.conf.j2 | 4 ----
 roles/hackmd/templates/config.json.j2 | 1 -
 roles/ldap-pam/templates/nslcd.conf.j2 | 1 -
 roles/mail/tasks/main.yml | 3 ---
 .../templates/dovecot/dovecot-ldap.conf.ext.j2 | 4 ++--
 roles/mail/templates/postfix/ldap-aliases.cf.j2 | 1 -
 .../templates/postfix/ldap-virtual-maps.cf.j2 | 1 -
 roles/slapd/templates/slapd.conf.j2 | 1 -
 12 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 57a6d03..0470215 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -13,7 +13,6 @@ hackmd_dbuser: hackmd
 hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
 hackmd_secret: "{{ vault_hackmd_secret }}"
-ldap_ca: /etc/ldap/ssl/BKCA.crt
 ldap_uri: ldaps://ldap.binary.kitchen/
 ldap_host: ldap.binary.kitchen
 ldap_base: dc=binary-kitchen,dc=de
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 041e8eb..94fe6ec 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -8,3 +8,6 @@
 - name: update-initramfs
 command: update-initramfs -u -k all
+
+- name: update-ca-certificates
+ command: update-ca-certificates
diff --git a/roles/common/tasks/Debian.yml b/roles/common/tasks/Debian.yml
index 24a952f..86abc2b 100644
--- a/roles/common/tasks/Debian.yml
+++ b/roles/common/tasks/Debian.yml
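Review bot: Dropping `ldap_ca` from group_vars turns any `{{ ldap_ca }}` that survives outside this patch into an undefined-variable failure at template time rather than a silent fallback; the hunks below remove the references in the nslcd, dovecot, postfix and slapd templates, but other roles or host_vars cannot be seen from here. A `grep -r ldap_ca` over the repository before merging, or keeping the variable defined and pointed at the new system-store path until every consumer is confirmed gone, avoids a broken run on a host that still renders one of those templates.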
@@ -57,7 +57,8 @@
 template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
 - name: Copy LDAP certificate
- copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
+ copy: src=BKCA.crt dest=/usr/local/share/ca-certificates/BKCA.crt mode=0444
+ notify: update-ca-certificates
 - name: Disable hibernation/resume
 copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
diff --git a/roles/common/tasks/FreeBSD.yml b/roles/common/tasks/FreeBSD.yml
index 367f49c..a633955 100644
--- a/roles/common/tasks/FreeBSD.yml
+++ b/roles/common/tasks/FreeBSD.yml
@@ -28,7 +28,18 @@
 - { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.6/functions/Prompts/prompt_gentoo_setup' }
 - name: Create LDAP certificate directory
- file: path=/etc/ldap/ssl state=directory
+ file:
+ path: "{{ item }}"
+ state: "directory"
+ loop:
+ - "/etc/ssl/certs"
+ - "/usr/local/etc/ssl/certs"
 - name: Copy LDAP certificate
- copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
+ copy:
+ src: "BKCA.crt"
+ dest: "{{ item }}/BKCA.crt"
+ mode: "0444"
+ loop:
+ - "/etc/ssl/certs"
+ - "/usr/local/etc/ssl/certs"
diff --git a/roles/common/templates/ldap.conf.j2 b/roles/common/templates/ldap.conf.j2
index 4622f5a..68c992d 100644
--- a/roles/common/templates/ldap.conf.j2
+++ b/roles/common/templates/ldap.conf.j2
@@ -11,7 +11,3 @@ URI {{ ldap_uri }}
 #SIZELIMIT 12
 #TIMELIMIT 15
 #DEREF never
-
-# TLS certificates (needed for GnuTLS)
-TLS_CACERT /etc/ldap/ssl/BKCA.crt
-
diff --git a/roles/hackmd/templates/config.json.j2 b/roles/hackmd/templates/config.json.j2
index aa1570a..b02eb65 100644
--- a/roles/hackmd/templates/config.json.j2
+++ b/roles/hackmd/templates/config.json.j2
@@ -37,7 +37,6 @@
 "searchAttributes": ["cn", "uid"],
 "usernameField": "cn",
 "useridField": "uid",
- "tlsca": "/etc/ldap/ssl/BKCA.crt"
 },
 "email": false
 }
diff --git a/roles/ldap-pam/templates/nslcd.conf.j2 b/roles/ldap-pam/templates/nslcd.conf.j2
index 01a0948..ecca929 100644
--- a/roles/ldap-pam/templates/nslcd.conf.j2
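Review bot: `notify: update-ca-certificates` defers the trust-store rebuild to the end of the play, so any task that follows in this play and already talks to ldaps://ldap.binary.kitchen runs against a store that does not yet contain BKCA and fails verification; put `- meta: flush_handlers` directly after this task if such tasks exist. The copy at /etc/ldap/ssl/BKCA.crt left by earlier runs is not removed, so previously provisioned hosts keep a second, now unmanaged, copy of the CA; a `file: path=/etc/ldap/ssl/BKCA.crt state=absent` task keeps the two from drifting apart. This also relies on the ca-certificates package being present so that update-ca-certificates picks up `.crt` files under /usr/local/share/ca-certificates, which is not shown in this hunk.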
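Review bot: Copying BKCA.crt into /etc/ssl/certs and /usr/local/etc/ssl/certs does not by itself make it trusted on FreeBSD: OpenSSL's directory lookup finds certificates through hash-named symlinks, so a loose BKCA.crt in those directories is never consulted until the directory is rehashed, and nothing here does that. Pair these tasks with a handler that runs `openssl rehash` (or `c_rehash` on an older OpenSSL) over both directories, notified the same way the Debian task notifies update-ca-certificates, and check which OpenSSL (base or ports) each LDAP client on the FreeBSD hosts is linked against so the right directory is the one being read. The task names still say "LDAP certificate directory" and "LDAP certificate" although the files now land in the system-wide store; wording that matches the Debian task keeps the intent clear, and `mode: "0755"` on the directory task makes its permissions explicit instead of umask-dependent.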
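Review bot: The removed comment says the setting was "needed for GnuTLS", and Debian's libldap is the GnuTLS build; with neither TLS_CACERT nor TLS_CACERTDIR set, whether libldap falls back to the system trust store depends on the libldap and GnuTLS versions on the target release, and on an older pair every ldaps:// client that inherits these defaults fails verification instead of trusting BKCA. Keeping a single line, `TLS_CACERT /etc/ssl/certs/ca-certificates.crt`, points at the bundle update-ca-certificates maintains, so the system store remains the only source of trust without depending on library defaults. The same question applies to nslcd.conf.j2 further down, which drops `tls_cacertfile` and therefore inherits whatever libldap does here.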
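Review bot: Removing the `"tlsca"` line leaves `"useridField": "uid",` as the last member of its object, and the trailing comma before `},` is invalid JSON; a strict parser (which is what Node's require() uses for a .json file) rejects the rendered config.json outright, so the line should become `"useridField": "uid"`. Separately, Node.js does not read /etc/ssl/certs at all: it verifies TLS peers against its bundled root list unless `NODE_EXTRA_CA_CERTS` names an additional PEM file, so without `tlsca` the ldaps:// connection from HackMD fails verification against a BKCA-issued certificate regardless of what update-ca-certificates installs. Either set `NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/BKCA.crt` in the service environment or keep `tlsca` pointing at that new location.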
+++ b/roles/ldap-pam/templates/nslcd.conf.j2
@@ -32,4 +32,3 @@ base shadow {{ nslcd_base_shadow }}
 # SSL options
 tls_reqcert demand
-tls_cacertfile {{ ldap_ca }}
diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml
index 3bb3929..7a6725b 100644
--- a/roles/mail/tasks/main.yml
+++ b/roles/mail/tasks/main.yml
@@ -105,9 +105,6 @@
 - name: Ensure postfix chroot has an LDAP CA directory
 file: path=/var/spool/postfix/etc/ldap/ssl/ state=directory
-- name: Ensure postfix chroot has the LDAP CA file
- copy: remote_src=yes src=/etc/ldap/ssl/BKCA.crt dest=/var/spool/postfix/etc/ldap/ssl/BKCA.crt
-
 - name: Ensure postfix certificates are available
 command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt
 notify: Restart postfix
diff --git a/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2 b/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
index 7e5a844..11b94b2 100644
--- a/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
+++ b/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
@@ -43,9 +43,9 @@ dnpass = {{ ldap_bindpw }}
 #sasl_authz_id =
 # Use TLS to connect to the LDAP server.
-tls = no
+tls = yes
 # TLS options, currently supported only with OpenLDAP:
-tls_ca_cert_file = {{ ldap_ca }}
+#tls_ca_cert_file =
 #tls_ca_cert_dir =
 #tls_cipher_suite =
 # TLS cert/key is used only if LDAP server requires a client certificate.
diff --git a/roles/mail/templates/postfix/ldap-aliases.cf.j2 b/roles/mail/templates/postfix/ldap-aliases.cf.j2
index 25fa1ed..d70125d 100644
--- a/roles/mail/templates/postfix/ldap-aliases.cf.j2
+++ b/roles/mail/templates/postfix/ldap-aliases.cf.j2
@@ -1,5 +1,4 @@
 server_host = {{ ldap_uri }}
-tls_ca_cert_file = {{ ldap_ca }}
 tls_require_cert = yes
 bind = yes
 bind_dn = {{ ldap_binddn }}
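Review bot: The task kept just above, "Ensure postfix chroot has an LDAP CA directory", now creates /var/spool/postfix/etc/ldap/ssl/ for nothing, since the copy that populated it is the line being removed; either drop that task as well or turn it into whatever places the system bundle inside the chroot. That second option is the real question: the postfix LDAP maps keep `tls_require_cert = yes` but no longer name a CA file, and Debian's default master.cf runs smtpd and most other daemons chrooted under /var/spool/postfix, so the LDAP client can only verify the server if a trust store exists inside the chroot. Confirm that the postfix startup scripts on the target release copy /etc/ssl/certs/ca-certificates.crt into the chroot, or route these maps through proxymap so the lookup happens outside it. The enclosing task list continues beyond this hunk.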
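Review bot: `tls = yes` in dovecot-ldap.conf.ext asks Dovecot to issue STARTTLS on the configured `uris`; if those come from `ldap_uri`, which group_vars sets to `ldaps://ldap.binary.kitchen/`, the session is already TLS and the STARTTLS request fails, so the bind breaks rather than gaining encryption. For an ldaps:// URI the line should stay `tls = no` (the uris line is outside this hunk, so verify which scheme is actually rendered). With `tls_ca_cert_file` commented out, verification rests on libldap's defaults; an explicit `tls_require_cert = hard` in this file makes a missing or untrusted CA fail closed instead of connecting anyway.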
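Review bot: With `tls_ca_cert_file` gone, the postfix LDAP client still has `tls_require_cert = yes` but no named trust anchor, so verification depends entirely on libldap's defaults, which this patch also strips of TLS_CACERT in ldap.conf.j2; if those defaults do not reach the system store on the target release, every alias lookup fails closed and delivery stops. Setting `tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt` still uses the system store while keeping the trust source explicit and visible in the map file. The same applies to ldap-virtual-maps.cf.j2 in the next hunk.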
diff --git a/roles/mail/templates/postfix/ldap-virtual-maps.cf.j2 b/roles/mail/templates/postfix/ldap-virtual-maps.cf.j2
index 68812b5..c227d54 100644
--- a/roles/mail/templates/postfix/ldap-virtual-maps.cf.j2
+++ b/roles/mail/templates/postfix/ldap-virtual-maps.cf.j2
@@ -1,5 +1,4 @@
 server_host = {{ ldap_uri }}
-tls_ca_cert_file = {{ ldap_ca }}
 tls_require_cert = yes
 bind = yes
 bind_dn = {{ ldap_binddn }}
diff --git a/roles/slapd/templates/slapd.conf.j2 b/roles/slapd/templates/slapd.conf.j2
index fd6931e..4948079 100644
--- a/roles/slapd/templates/slapd.conf.j2
+++ b/roles/slapd/templates/slapd.conf.j2
@@ -67,7 +67,6 @@ access to *
 TLSCertificateFile /etc/ldap/ssl/srv.crt
 TLSCertificateKeyFile /etc/ldap/ssl/srv.key
-TLSCACertificateFile {{ ldap_ca }}
 TLSCipherSuite NORMAL
 TLSVerifyClient never
-- 
2.39.2
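Review bot: Removing `TLSCACertificateFile` from slapd.conf is safe for client verification only because `TLSVerifyClient never` is kept, but depending on the TLS library slapd is built against that file may also have been the source for completing the certificate chain sent to clients; if /etc/ldap/ssl/srv.crt is a bare leaf issued by an intermediate under BKCA, clients that trust only the BKCA root will now fail to verify the server. Either append the intermediate(s) to srv.crt or keep `TLSCACertificateFile /usr/local/share/ca-certificates/BKCA.crt` on the Debian hosts; if srv.crt is signed directly by the BKCA root, nothing changes and the removal is fine.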