Run tests with macOS 10.15. (#112)

* Run tests with macOS 10.15.

* Update prepare_http_tests as in https://github.com/ansible/ansible/pull/71841/files.

* Also skip luks_device tests on macOS.

* Temporarily restrict to macOS/OSX nodes.

* Show full OpenSSL version.

* Show pyOpenSSL debug details.

* Make location of openssl binary configurable.

* Try to upgrade openssl on macOS when LibreSSL is found.

* Use other variable.

* Use found binary instead of default.

* Revert "Temporarily restrict to macOS/OSX nodes."

This reverts commit ea379382e5.

ci_complete

* Avoid crashing when OpenSSL.debug does not exist.

* Combine setup_openssl_cli with setup_openssl

* Split up setup_openssl in setup_openssl (openssl + cryptography) and setup_pyopenssl.

* Fix package name.

* Don't install cryptography on CentOS 6, print environment.

* Work around ansible-test limitation.

shippable.yml

@@ -14,6 +14,7 @@ matrix:
     - env: T=devel/units/1
 
     - env: T=devel/osx/10.11/1
+    - env: T=devel/macos/10.15/1
     - env: T=devel/rhel/7.8/1
     - env: T=devel/rhel/8.2/1
     - env: T=devel/freebsd/11.1/1

tests/integration/targets/acme_account/tasks/impl.yml

@@ -1,5 +1,5 @@
 - name: Generate account keys
-  command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/{{ item }}.pem
+  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/{{ item }}.pem"
   loop:
     - accountkey
     - accountkey2
@@ -8,7 +8,7 @@
     - accountkey5
 
 - name: Parse account keys (to ease debugging some test failures)
-  command: openssl ec -in {{ output_dir }}/{{ item }}.pem -noout -text
+  command: "{{ openssl_binary }} ec -in {{ output_dir }}/{{ item }}.pem -noout -text"
   loop:
     - accountkey
     - accountkey2

tests/integration/targets/acme_account_info/tasks/impl.yml

@@ -1,12 +1,12 @@
 ---
 - name: Generate account key
-  command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem
+  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem"
 
 - name: Generate second account key
-  command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey2.pem
+  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey2.pem"
 
 - name: Parse account key (to ease debugging some test failures)
-  command: openssl ec -in {{ output_dir }}/accountkey.pem -noout -text
+  command: "{{ openssl_binary }} ec -in {{ output_dir }}/accountkey.pem -noout -text"
 
 - name: Check that account does not exist
   acme_account_info:

tests/integration/targets/acme_certificate/tasks/impl.yml

@@ -1,11 +1,11 @@
 ---
 ## SET UP ACCOUNT KEYS ########################################################################
 - name: Create ECC256 account key
-  command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
+  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem"
 - name: Create ECC384 account key
-  command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem
+  command: "{{ openssl_binary }} ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem"
 - name: Create RSA-2048 account key
-  command: openssl genrsa -out {{ output_dir }}/account-rsa2048.pem 2048
+  command: "{{ openssl_binary }} genrsa -out {{ output_dir }}/account-rsa2048.pem 2048"
 ## SET UP ACCOUNTS ############################################################################
 - name: Make sure ECC256 account hasn't been created yet
   acme_account:
@@ -325,61 +325,61 @@
 ## DISSECT CERTIFICATES #######################################################################
 # Make sure certificates are valid. Root certificate for Pebble equals the chain certificate.
 - name: Verifying cert 1
-  command: openssl verify -CAfile "{{ output_dir }}/cert-1-root.pem" -untrusted "{{ output_dir }}/cert-1-chain.pem" "{{ output_dir }}/cert-1.pem"
+  command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-1-root.pem" -untrusted "{{ output_dir }}/cert-1-chain.pem" "{{ output_dir }}/cert-1.pem"'
   ignore_errors: yes
   register: cert_1_valid
 - name: Verifying cert 2
-  command: openssl verify -CAfile "{{ output_dir }}/cert-2-root.pem" -untrusted "{{ output_dir }}/cert-2-chain.pem" "{{ output_dir }}/cert-2.pem"
+  command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-2-root.pem" -untrusted "{{ output_dir }}/cert-2-chain.pem" "{{ output_dir }}/cert-2.pem"'
   ignore_errors: yes
   register: cert_2_valid
 - name: Verifying cert 3
-  command: openssl verify -CAfile "{{ output_dir }}/cert-3-root.pem" -untrusted "{{ output_dir }}/cert-3-chain.pem" "{{ output_dir }}/cert-3.pem"
+  command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-3-root.pem" -untrusted "{{ output_dir }}/cert-3-chain.pem" "{{ output_dir }}/cert-3.pem"'
   ignore_errors: yes
   register: cert_3_valid
 - name: Verifying cert 4
-  command: openssl verify -CAfile "{{ output_dir }}/cert-4-root.pem" -untrusted "{{ output_dir }}/cert-4-chain.pem" "{{ output_dir }}/cert-4.pem"
+  command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-4-root.pem" -untrusted "{{ output_dir }}/cert-4-chain.pem" "{{ output_dir }}/cert-4.pem"'
   ignore_errors: yes
   register: cert_4_valid
 - name: Verifying cert 5
-  command: openssl verify -CAfile "{{ output_dir }}/cert-5-root.pem" -untrusted "{{ output_dir }}/cert-5-chain.pem" "{{ output_dir }}/cert-5.pem"
+  command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-5-root.pem" -untrusted "{{ output_dir }}/cert-5-chain.pem" "{{ output_dir }}/cert-5.pem"'
   ignore_errors: yes
   register: cert_5_valid
 - name: Verifying cert 6
-  command: openssl verify -CAfile "{{ output_dir }}/cert-6-root.pem" -untrusted "{{ output_dir }}/cert-6-chain.pem" "{{ output_dir }}/cert-6.pem"
+  command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-6-root.pem" -untrusted "{{ output_dir }}/cert-6-chain.pem" "{{ output_dir }}/cert-6.pem"'
   ignore_errors: yes
   register: cert_6_valid
 - name: Verifying cert 7
-  command: openssl verify -CAfile "{{ output_dir }}/cert-7-root.pem" -untrusted "{{ output_dir }}/cert-7-chain.pem" "{{ output_dir }}/cert-7.pem"
+  command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-7-root.pem" -untrusted "{{ output_dir }}/cert-7-chain.pem" "{{ output_dir }}/cert-7.pem"'
   ignore_errors: yes
   register: cert_7_valid
 - name: Verifying cert 8
-  command: openssl verify -CAfile "{{ output_dir }}/cert-8-root.pem" -untrusted "{{ output_dir }}/cert-8-chain.pem" "{{ output_dir }}/cert-8.pem"
+  command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-8-root.pem" -untrusted "{{ output_dir }}/cert-8-chain.pem" "{{ output_dir }}/cert-8.pem"'
   ignore_errors: yes
   register: cert_8_valid
 # Dump certificate info
 - name: Dumping cert 1
-  command: openssl x509 -in "{{ output_dir }}/cert-1.pem" -noout -text
+  command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-1.pem" -noout -text'
   register: cert_1_text
 - name: Dumping cert 2
-  command: openssl x509 -in "{{ output_dir }}/cert-2.pem" -noout -text
+  command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-2.pem" -noout -text'
   register: cert_2_text
 - name: Dumping cert 3
-  command: openssl x509 -in "{{ output_dir }}/cert-3.pem" -noout -text
+  command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-3.pem" -noout -text'
   register: cert_3_text
 - name: Dumping cert 4
-  command: openssl x509 -in "{{ output_dir }}/cert-4.pem" -noout -text
+  command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-4.pem" -noout -text'
   register: cert_4_text
 - name: Dumping cert 5
-  command: openssl x509 -in "{{ output_dir }}/cert-5.pem" -noout -text
+  command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-5.pem" -noout -text'
   register: cert_5_text
 - name: Dumping cert 6
-  command: openssl x509 -in "{{ output_dir }}/cert-6.pem" -noout -text
+  command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-6.pem" -noout -text'
   register: cert_6_text
 - name: Dumping cert 7
-  command: openssl x509 -in "{{ output_dir }}/cert-7.pem" -noout -text
+  command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-7.pem" -noout -text'
   register: cert_7_text
 - name: Dumping cert 8
-  command: openssl x509 -in "{{ output_dir }}/cert-8.pem" -noout -text
+  command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-8.pem" -noout -text'
   register: cert_8_text
 # Dump certificate info
 - name: Dumping cert 1

tests/integration/targets/acme_certificate_revoke/tasks/impl.yml

@@ -1,11 +1,11 @@
 ---
 ## SET UP ACCOUNT KEYS ########################################################################
 - name: Create ECC256 account key
-  command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
+  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem"
 - name: Create ECC384 account key
-  command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem
+  command: "{{ openssl_binary }} ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem"
 - name: Create RSA-2048 account key
-  command: openssl genrsa -out {{ output_dir }}/account-rsa2048.pem 2048
+  command: "{{ openssl_binary }} genrsa -out {{ output_dir }}/account-rsa2048.pem 2048"
 ## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
 - name: Obtain cert 1
   include_tasks: obtain-cert.yml

tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml

@@ -6,7 +6,7 @@
 
 - block:
   - name: Create ECC256 account key
-    command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
+    command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem"
   - name: Obtain cert 1
     include_tasks: obtain-cert.yml
     vars:

tests/integration/targets/acme_inspect/tasks/impl.yml

@@ -1,9 +1,9 @@
 ---
 - name: Generate account key
-  command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem
+  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem"
 
 - name: Parse account key (to ease debugging some test failures)
-  command: openssl ec -in {{ output_dir }}/accountkey.pem -noout -text
+  command: "{{ openssl_binary }} ec -in {{ output_dir }}/accountkey.pem -noout -text"
 
 - name: Get directory
   acme_inspect:

tests/integration/targets/ecs_certificate/tasks/main.yml

@@ -206,7 +206,7 @@
 
   # For bug 61738, verify that the full chain is valid
   - name: Verify that the full chain path can be successfully imported
-    command: openssl verify "{{ example4_full_chain_path }}"
+    command: '{{ openssl_binary }} verify "{{ example4_full_chain_path }}"'
     register: openssl_result
 
   - assert:

tests/integration/targets/get_certificate/meta/main.yml

@@ -1,3 +1,4 @@
 dependencies:
   - setup_openssl
+  - setup_pyopenssl
   - prepare_http_tests

tests/integration/targets/luks_device/aliases

@@ -1,5 +1,6 @@
 shippable/posix/group1
 skip/osx
+skip/macos
 skip/freebsd
 skip/docker
 needs/root

tests/integration/targets/openssl_csr/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_openssl
+  - setup_pyopenssl

tests/integration/targets/openssl_csr/tests/validate.yml

@@ -1,14 +1,14 @@
 ---
 - name: "({{ select_crypto_backend }}) Validate CSR (test - privatekey modulus)"
-  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
+  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
   register: privatekey_modulus
 
 - name: "({{ select_crypto_backend }}) Validate CSR (test - Common Name)"
-  shell: "openssl req -noout -subject -in {{ output_dir }}/csr.csr -nameopt oneline,-space_eq"
+  shell: "{{ openssl_binary }} req -noout -subject -in {{ output_dir }}/csr.csr -nameopt oneline,-space_eq"
   register: csr_cn
 
 - name: "({{ select_crypto_backend }}) Validate CSR (test - csr modulus)"
-  shell: 'openssl req -noout -modulus -in {{ output_dir }}/csr.csr'
+  shell: '{{ openssl_binary }} req -noout -modulus -in {{ output_dir }}/csr.csr'
   register: csr_modulus
 
 - name: "({{ select_crypto_backend }}) Validate CSR (assert)"
@@ -49,11 +49,11 @@
       - csr_ku_xku_change_2 is changed
 
 - name: "({{ select_crypto_backend }}) Validate old_API CSR (test - Common Name)"
-  shell: "openssl req -noout -subject -in {{ output_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"
+  shell: "{{ openssl_binary }} req -noout -subject -in {{ output_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"
   register: csr_oldapi_cn
 
 - name: "({{ select_crypto_backend }}) Validate old_API CSR (test - csr modulus)"
-  shell: 'openssl req -noout -modulus -in {{ output_dir }}/csr_oldapi.csr'
+  shell: '{{ openssl_binary }} req -noout -modulus -in {{ output_dir }}/csr_oldapi.csr'
   register: csr_oldapi_modulus
 
 - name: "({{ select_crypto_backend }}) Validate old_API CSR (assert)"
@@ -78,7 +78,7 @@
   when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.0', '<')
 
 - name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (test - everything)"
-  shell: "openssl req -noout -in {{ output_dir }}/csr_ocsp.csr -text"
+  shell: "{{ openssl_binary }} req -noout -in {{ output_dir }}/csr_ocsp.csr -text"
   register: csr_ocsp
 
 - name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (assert)"
@@ -93,15 +93,15 @@
       - csr_ocsp_idempotency is not changed
 
 - name: "({{ select_crypto_backend }}) Validate ECC CSR (test - privatekey's public key)"
-  shell: 'openssl ec -pubout -in {{ output_dir }}/privatekey2.pem'
+  shell: '{{ openssl_binary }} ec -pubout -in {{ output_dir }}/privatekey2.pem'
   register: privatekey_ecc_key
 
 - name: "({{ select_crypto_backend }}) Validate ECC CSR (test - Common Name)"
-  shell: "openssl req -noout -subject -in {{ output_dir }}/csr2.csr -nameopt oneline,-space_eq"
+  shell: "{{ openssl_binary }} req -noout -subject -in {{ output_dir }}/csr2.csr -nameopt oneline,-space_eq"
   register: csr_ecc_cn
 
 - name: "({{ select_crypto_backend }}) Validate ECC CSR (test - CSR pubkey)"
-  shell: 'openssl req -noout -pubkey -in {{ output_dir }}/csr2.csr'
+  shell: '{{ openssl_binary }} req -noout -pubkey -in {{ output_dir }}/csr2.csr'
   register: csr_ecc_pubkey
 
 - name: "({{ select_crypto_backend }}) Validate ECC CSR (assert)"
@@ -111,7 +111,7 @@
       - csr_ecc_pubkey.stdout == privatekey_ecc_key.stdout
 
 - name: "({{ select_crypto_backend }}) Validate CSR (text common name - Common Name)"
-  shell: "openssl req -noout -subject -in {{ output_dir }}/csr3.csr -nameopt oneline,-space_eq"
+  shell: "{{ openssl_binary }} req -noout -subject -in {{ output_dir }}/csr3.csr -nameopt oneline,-space_eq"
   register: csr3_cn
 
 - name: "({{ select_crypto_backend }}) Validate CSR (assert)"

tests/integration/targets/openssl_csr_info/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_openssl
+  - setup_pyopenssl

tests/integration/targets/openssl_csr_pipe/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_openssl
+  - setup_pyopenssl

tests/integration/targets/openssl_csr_pipe/tasks/impl.yml

@@ -59,17 +59,17 @@
   register: generate_csr_changed_check
 
 - name: "({{ select_crypto_backend }}) Validate CSR (test - privatekey modulus)"
-  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
+  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
   register: privatekey_modulus
 
 - name: "({{ select_crypto_backend }}) Validate CSR (test - Common Name)"
-  shell: "openssl req -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
+  shell: "{{ openssl_binary }} req -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
   args:
     stdin: "{{ generate_csr.csr }}"
   register: csr_cn
 
 - name: "({{ select_crypto_backend }}) Validate CSR (test - csr modulus)"
-  shell: 'openssl req -noout -modulus -in /dev/stdin'
+  shell: '{{ openssl_binary }} req -noout -modulus -in /dev/stdin'
   args:
     stdin: "{{ generate_csr.csr }}"
   register: csr_modulus

tests/integration/targets/openssl_dhparam/tests/validate.yml

@@ -1,12 +1,12 @@
 ---
 - name: "[{{ select_crypto_backend }}] Validate generated params"
-  shell: 'openssl dhparam -in {{ output_dir }}/{{ item }}.pem -noout -check'
+  shell: '{{ openssl_binary }} dhparam -in {{ output_dir }}/{{ item }}.pem -noout -check'
   with_items:
     - dh768
     - dh512
 
 - name: "[{{ select_crypto_backend }}] Get bit size of 768"
-  shell: 'openssl dhparam -noout -in {{ output_dir }}/dh768.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
+  shell: '{{ openssl_binary }} dhparam -noout -in {{ output_dir }}/dh768.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
   register: bit_size_dhparam
 
 - name: "[{{ select_crypto_backend }}] Check bit size of default"
@@ -15,7 +15,7 @@
       - bit_size_dhparam.stdout == "768"
 
 - name: "[{{ select_crypto_backend }}] Get bit size of 512"
-  shell: 'openssl dhparam -noout -in {{ output_dir }}/dh512.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
+  shell: '{{ openssl_binary }} dhparam -noout -in {{ output_dir }}/dh512.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
   register: bit_size_dhparam_512
 
 - name: "[{{ select_crypto_backend }}] Check bit size of default"

tests/integration/targets/openssl_pkcs12/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_openssl
+  - setup_pyopenssl

tests/integration/targets/openssl_pkcs12/tests/validate.yml

@@ -1,14 +1,14 @@
 ---
 - name: 'Validate PKCS#12'
-  command: "openssl pkcs12 -info -in {{ output_dir }}/ansible.p12 -nodes -passin pass:''"
+  command: "{{ openssl_binary }} pkcs12 -info -in {{ output_dir }}/ansible.p12 -nodes -passin pass:''"
   register: p12
 
 - name: 'Validate PKCS#12 with no private key'
-  command: "openssl pkcs12 -info -in {{ output_dir }}/ansible_no_pkey.p12 -nodes -passin pass:''"
+  command: "{{ openssl_binary }} pkcs12 -info -in {{ output_dir }}/ansible_no_pkey.p12 -nodes -passin pass:''"
   register: p12_validate_no_pkey
 
 - name: 'Validate PKCS#12 with multiple certs'
-  shell: "openssl pkcs12 -info -in {{ output_dir }}/ansible_multi_certs.p12 -nodes -passin pass:'' | grep subject"
+  shell: "{{ openssl_binary }} pkcs12 -info -in {{ output_dir }}/ansible_multi_certs.p12 -nodes -passin pass:'' | grep subject"
   register: p12_validate_multi_certs
 
 - name: 'Validate PKCS#12 (assert)'

tests/integration/targets/openssl_privatekey/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_openssl
+  - setup_pyopenssl

tests/integration/targets/openssl_privatekey/tasks/main.yml

@@ -5,7 +5,7 @@
 ####################################################################
 
 - name: Find out which elliptic curves are supported by installed OpenSSL
-  command: openssl ecparam -list_curves
+  command: "{{ openssl_binary }} ecparam -list_curves"
   register: openssl_ecc
 
 - name: Compile list of elliptic curves supported by OpenSSL

tests/integration/targets/openssl_privatekey/tests/validate.yml

@@ -11,7 +11,7 @@
 
 
 - name: "({{ select_crypto_backend }}) Validate privatekey1 (test - RSA key with size 4096 bits)"
-  shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey1.pem  | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
+  shell: "{{ openssl_binary }} rsa -noout -text -in {{ output_dir }}/privatekey1.pem  | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
   register: privatekey1
 
 - name: "({{ select_crypto_backend }}) Validate privatekey1 (assert - RSA key with size 4096 bits)"
@@ -21,7 +21,7 @@
 
 
 - name: "({{ select_crypto_backend }}) Validate privatekey2 (test - RSA key with size 2048 bits)"
-  shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey2.pem  | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
+  shell: "{{ openssl_binary }} rsa -noout -text -in {{ output_dir }}/privatekey2.pem  | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
   register: privatekey2
 
 - name: "({{ select_crypto_backend }}) Validate privatekey2 (assert - RSA key with size 2048 bits)"
@@ -31,7 +31,7 @@
 
 
 - name: "({{ select_crypto_backend }}) Validate privatekey3 (test - DSA key with size 3072 bits)"
-  shell: "openssl dsa -noout -text -in {{ output_dir }}/privatekey3.pem  | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
+  shell: "{{ openssl_binary }} dsa -noout -text -in {{ output_dir }}/privatekey3.pem  | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
   register: privatekey3
 
 - name: Validate privatekey3 (assert - DSA key with size 3072 bits)
@@ -59,7 +59,7 @@
 
 
 - name: "({{ select_crypto_backend }}) Validate privatekey5 (test - Passphrase protected key + idempotence)"
-  shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey5.pem -passin pass:ansible  | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
+  shell: "{{ openssl_binary }} rsa -noout -text -in {{ output_dir }}/privatekey5.pem -passin pass:ansible  | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
   register: privatekey5
   # Current version of OS/X that runs in the CI (10.11) does not have an up to date version of the OpenSSL library
   # leading to this test to fail when run in the CI. However, this test has been run for 10.12 and has returned succesfully.
@@ -78,7 +78,7 @@
 
 
 - name: "({{ select_crypto_backend }}) Validate privatekey6 (test - Passphrase protected key with non ascii character)"
-  shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey6.pem -passin pass:ànsïblé | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
+  shell: "{{ openssl_binary }} rsa -noout -text -in {{ output_dir }}/privatekey6.pem -passin pass:ànsïblé | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
   register: privatekey6
   when: openssl_version.stdout is version('0.9.8zh', '>=')
 
@@ -89,7 +89,7 @@
   when: openssl_version.stdout is version('0.9.8zh', '>=')
 
 - name: "({{ select_crypto_backend }}) Validate ECC generation (dump with OpenSSL)"
-  shell: "openssl ec -in {{ output_dir }}/privatekey-{{ item.item.curve }}.pem -noout -text | grep 'ASN1 OID: ' | sed 's/ASN1 OID: \\([^ ]*\\)/\\1/'"
+  shell: "{{ openssl_binary }} ec -in {{ output_dir }}/privatekey-{{ item.item.curve }}.pem -noout -text | grep 'ASN1 OID: ' | sed 's/ASN1 OID: \\([^ ]*\\)/\\1/'"
   loop: "{{ privatekey_ecc_generate.results }}"
   register: privatekey_ecc_dump
   when: openssl_version.stdout is version('0.9.8zh', '>=') and 'skip_reason' not in item

tests/integration/targets/openssl_privatekey_info/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_openssl
+  - setup_pyopenssl

tests/integration/targets/openssl_privatekey_pipe/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_openssl
+  - setup_pyopenssl

tests/integration/targets/openssl_publickey/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_openssl
+  - setup_pyopenssl

tests/integration/targets/openssl_publickey/tests/validate.yml

@@ -8,11 +8,11 @@
       - publickey.publickey == publickey_idempotence.publickey
 
 - name: "({{ select_crypto_backend }}) Validate public key (test - privatekey modulus)"
-  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
+  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
   register: privatekey_modulus
 
 - name: "({{ select_crypto_backend }}) Validate public key (test - publickey modulus)"
-  shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey.pub'
+  shell: '{{ openssl_binary }} rsa -pubin -noout -modulus < {{ output_dir }}/publickey.pub'
   register: publickey_modulus
 
 - name: "({{ select_crypto_backend }}) Validate public key (assert)"
@@ -62,12 +62,12 @@
 
 
 - name: "({{ select_crypto_backend }}) Validate publickey3 (test - privatekey modulus)"
-  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey3.pem -passin pass:ansible'
+  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey3.pem -passin pass:ansible'
   register: privatekey3_modulus
   when: openssl_version.stdout is version('0.9.8zh', '>=')
 
 - name: "({{ select_crypto_backend }}) Validate publickey3 (test - publickey modulus)"
-  shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey3.pub'
+  shell: '{{ openssl_binary }} rsa -pubin -noout -modulus < {{ output_dir }}/publickey3.pub'
   register: publickey3_modulus
   when: openssl_version.stdout is version('0.9.8zh', '>=')
 
@@ -83,12 +83,12 @@
       - publickey3_idempotence is not changed
 
 - name: "({{ select_crypto_backend }}) Validate publickey4 (test - privatekey modulus)"
-  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
+  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
   register: privatekey4_modulus
   when: openssl_version.stdout is version('0.9.8zh', '>=')
 
 - name: "({{ select_crypto_backend }}) Validate publickey4 (test - publickey modulus)"
-  shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey4.pub'
+  shell: '{{ openssl_binary }} rsa -pubin -noout -modulus < {{ output_dir }}/publickey4.pub'
   register: publickey4_modulus
   when: openssl_version.stdout is version('0.9.8zh', '>=')
 
@@ -109,12 +109,12 @@
       - privatekey5_3.backup_file is string
 
 - name: "({{ select_crypto_backend }}) Validate public key 5 (test - privatekey's pubkey)"
-  command: 'openssl ec -in {{ output_dir }}/privatekey5.pem -pubout'
+  command: '{{ openssl_binary }} ec -in {{ output_dir }}/privatekey5.pem -pubout'
   register: privatekey5_pubkey
 
 - name: "({{ select_crypto_backend }}) Validate public key 5 (test - publickey pubkey)"
   # Fancy way of writing "cat {{ output_dir }}/publickey5.pub"
-  command: 'openssl ec -pubin -in {{ output_dir }}/publickey5.pub -pubout'
+  command: '{{ openssl_binary }} ec -pubin -in {{ output_dir }}/publickey5.pub -pubout'
   register: publickey5_pubkey
 
 - name: "({{ select_crypto_backend }}) Validate public key 5 (assert)"

tests/integration/targets/openssl_signature/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_openssl
+  - setup_pyopenssl

tests/integration/targets/prepare_http_tests/tasks/default.yml

@@ -49,11 +49,16 @@
   when: ansible_os_family == 'FreeBSD'
 
 - name: MacOS - Retrieve test cacert
-  get_url:
-    url: "http://ansible.http.tests/cacert.pem"
-    dest: "/usr/local/etc/openssl/certs/ansible.pem"
   when: ansible_os_family == 'Darwin'
+  block:
+    - uri:
+        url: "http://ansible.http.tests/cacert.pem"
+        return_content: true
+      register: cacert_pem
 
-- name: MacOS - Update ca certificates
+    - raw: '{{ ansible_python_interpreter }} -c "import ssl; print(ssl.get_default_verify_paths().cafile)"'
-  command: /usr/local/opt/openssl/bin/c_rehash
+      register: macos_cafile
-  when: ansible_os_family == 'Darwin'
+
+    - blockinfile:
+        path: "{{ macos_cafile.stdout_lines|first }}"
+        block: "{{ cacert_pem.content }}"

tests/integration/targets/setup_acme/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies: []
+#  - setup_openssl

tests/integration/targets/setup_acme/tasks/main.yml

@@ -4,12 +4,19 @@
 # and should not be used as examples of how to write Ansible roles #
 ####################################################################
 
-- name: register openssl version
+# BEGIN HACK: remove whenever we know how to properly detect 'default' docker container !!!!!!!!!!!!!!!!!!!!!
-  shell: "openssl version | cut -d' ' -f2"
+- name: Default value for OpenSSL binary path
+  set_fact:
+    openssl_binary: openssl
+
+- name: Register openssl version
+  shell: "{{ openssl_binary }}  version | cut -d' ' -f2"
   register: openssl_version
 
-- name: register cryptography version
+- name: Register cryptography version
   command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
   register: cryptography_version
+# END HACK !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
-- debug: msg="ACME test container IP is {{ acme_host }}; OpenSSL version is {{ openssl_version.stdout }}; cryptography version is {{ cryptography_version.stdout }}"
+- debug:
+    msg: "ACME test container IP is {{ acme_host }}; OpenSSL version is {{ openssl_version.stdout }}; cryptography version is {{ cryptography_version.stdout }}"

tests/integration/targets/setup_acme/tasks/obtain-cert.yml

@@ -1,16 +1,16 @@
 ---
 ## PRIVATE KEY ################################################################################
 - name: ({{ certgen_title }}) Create cert private key (RSA)
-  command: "openssl genrsa -out {{ output_dir }}/{{ certificate_name }}.key {{ rsa_bits if key_type == 'rsa' else 2048 }}"
+  command: "{{ openssl_binary }} genrsa -out {{ output_dir }}/{{ certificate_name }}.key {{ rsa_bits if key_type == 'rsa' else 2048 }}"
   when: "key_type == 'rsa'"
 - name: ({{ certgen_title }}) Create cert private key (ECC 256)
-  command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key
+  command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key"
   when: "key_type == 'ec256'"
 - name: ({{ certgen_title }}) Create cert private key (ECC 384)
-  command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key
+  command: "{{ openssl_binary }} ecparam -name secp384r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key"
   when: "key_type == 'ec384'"
 - name: ({{ certgen_title }}) Create cert private key (ECC 512)
-  command: openssl ecparam -name secp521r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key
+  command: "{{ openssl_binary }} ecparam -name secp521r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key"
   when: "key_type == 'ec521'"
 ## CSR ########################################################################################
 - name: ({{ certgen_title }}) Create cert CSR

tests/integration/targets/setup_openssl/tasks/main.yml

@@ -4,43 +4,95 @@
 # and should not be used as examples of how to write Ansible roles #
 ####################################################################
 
+- name: Register system environment
+  command: "{{ ansible_python.executable }} -c 'import os; print(dict(os.environ))'"
+  register: sys_environment
+
+- debug: var=sys_environment
+
+- name: Default value for OpenSSL binary path
+  set_fact:
+    openssl_binary: openssl
+
 - name: Include OS-specific variables
   include_vars: '{{ ansible_os_family }}.yml'
   when: not ansible_os_family == "Darwin"
 
 - name: Install OpenSSL
-  become: True
+  become: true
   package:
     name: '{{ openssl_package_name }}'
   when: not ansible_os_family == 'Darwin'
 
-- name: Install pyOpenSSL (Python 3)
+- name: Register openssl version (full)
-  become: True
+  shell: "{{ openssl_binary }} version"
-  package:
+  register: openssl_version_full
-    name: '{{ pyopenssl_package_name_python3 }}'
-  when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '>=')
 
-- name: Install pyOpenSSL (Python 2)
+- name: Show openssl version (full)
-  become: True
+  debug:
-  package:
+    var: openssl_version_full.stdout_lines
-    name: '{{ pyopenssl_package_name }}'
-  when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '<')
 
-- name: Install pyOpenSSL (Darwin)
+- when: ansible_os_family == "Darwin" and "LibreSSL" in openssl_version_full.stdout
-  become: True
+  # In case LibreSSL is installed on macOS, we need to install a more modern OpenSSL
-  pip:
+  block:
-    name: pyOpenSSL
+    - name: MACOS | Find brew binary
-    extra_args: "-c {{ remote_constraints }}"
+      command: which brew
-  when: ansible_os_family == 'Darwin'
+      register: brew_which
 
-- name: register pyOpenSSL version
+    - name: MACOS | Get owner of brew binary
-  command: "{{ ansible_python.executable }} -c 'import OpenSSL; print(OpenSSL.__version__)'"
+      stat:
-  register: pyopenssl_version
+        path: "{{ brew_which.stdout }}"
+      register: brew_stat
 
-- name: register openssl version
+    - name: MACOS | Install openssl
-  shell: "openssl version | cut -d' ' -f2"
+      homebrew:
+        name: openssl
+        state: present
+      become: yes
+      become_user: "{{ brew_stat.stat.pw_name }}"
+
+    - name: MACOS | Locale openssl binary
+      command: brew --prefix openssl
+      register: brew_openssl_prefix
+
+    - name: MACOS | Point to OpenSSL binary
+      set_fact:
+        openssl_binary: "{{ brew_openssl_prefix.stdout }}/bin/openssl"
+
+    - name: MACOS | Register openssl version (full)
+      shell: "{{ openssl_binary }} version"
+      register: openssl_version_full_again
+      # We must use a different variable to prevent the 'when' condition of the surrounding block to fail
+
+    - name: MACOS | Show openssl version (full)
+      debug:
+        var: openssl_version_full_again.stdout_lines
+
+- name: Register openssl version
+  shell: "{{ openssl_binary }}  version | cut -d' ' -f2"
   register: openssl_version
 
-- name: register cryptography version
+- when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in  ['CentOS6', 'RedHat6']
+  block:
+  - name: Install cryptography (Python 3)
+    become: true
+    package:
+      name: '{{ cryptography_package_name_python3 }}'
+    when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '>=')
+
+  - name: Install cryptography (Python 2)
+    become: true
+    package:
+      name: '{{ cryptography_package_name }}'
+    when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '<')
+
+  - name: Install cryptography (Darwin)
+    become: true
+    pip:
+      name: cryptography
+      extra_args: "-c {{ remote_constraints }}"
+    when: ansible_os_family == 'Darwin'
+
+- name: Register cryptography version
   command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
   register: cryptography_version

tests/integration/targets/setup_openssl/vars/Debian.yml

@@ -1,3 +1,4 @@
-pyopenssl_package_name: python-openssl
+---
-pyopenssl_package_name_python3: python3-openssl
 openssl_package_name: openssl
+cryptography_package_name: python-cryptography
+cryptography_package_name_python3: python3-cryptography

tests/integration/targets/setup_openssl/vars/FreeBSD.yml

@@ -1,3 +1,4 @@
-pyopenssl_package_name: py27-openssl
+---
-pyopenssl_package_name_python3: py36-openssl
 openssl_package_name: openssl
+cryptography_package_name: py27-cryptography
+cryptography_package_name_python3: py36-cryptography

tests/integration/targets/setup_openssl/vars/RedHat.yml

@@ -1,3 +1,4 @@
-pyopenssl_package_name: pyOpenSSL
+---
-pyopenssl_package_name_python3: python3-pyOpenSSL
 openssl_package_name: openssl
+cryptography_package_name: python-cryptography
+cryptography_package_name_python3: python3-cryptography

tests/integration/targets/setup_openssl/vars/Suse.yml

@@ -1,3 +1,4 @@
-pyopenssl_package_name: python-pyOpenSSL
+---
-pyopenssl_package_name_python3: python3-pyOpenSSL
 openssl_package_name: openssl
+cryptography_package_name: python-cryptography
+cryptography_package_name_python3: python3-cryptography

tests/integration/targets/setup_pyopenssl/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+  - setup_remote_constraints
+  - setup_pkg_mgr

tests/integration/targets/setup_pyopenssl/tasks/main.yml

@@ -0,0 +1,37 @@
+---
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Include OS-specific variables
+  include_vars: '{{ ansible_os_family }}.yml'
+  when: not ansible_os_family == "Darwin"
+
+- name: Install pyOpenSSL (Python 3)
+  become: true
+  package:
+    name: '{{ pyopenssl_package_name_python3 }}'
+  when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '>=')
+
+- name: Install pyOpenSSL (Python 2)
+  become: true
+  package:
+    name: '{{ pyopenssl_package_name }}'
+  when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '<')
+
+- name: Install pyOpenSSL (Darwin)
+  become: true
+  pip:
+    name: pyOpenSSL
+    extra_args: "-c {{ remote_constraints }}"
+  when: ansible_os_family == 'Darwin'
+
+- name: Register pyOpenSSL version
+  command: "{{ ansible_python.executable }} -c 'import OpenSSL; print(OpenSSL.__version__)'"
+  register: pyopenssl_version
+
+- name: Register pyOpenSSL debug details
+  command: "{{ ansible_python.executable }} -m OpenSSL.debug"
+  register: pyopenssl_debug_version
+  ignore_errors: yes

tests/integration/targets/setup_pyopenssl/vars/Debian.yml

@@ -0,0 +1,3 @@
+---
+pyopenssl_package_name: python-openssl
+pyopenssl_package_name_python3: python3-openssl

tests/integration/targets/setup_pyopenssl/vars/FreeBSD.yml

@@ -0,0 +1,3 @@
+---
+pyopenssl_package_name: py27-openssl
+pyopenssl_package_name_python3: py36-openssl

tests/integration/targets/setup_pyopenssl/vars/RedHat.yml

@@ -0,0 +1,3 @@
+---
+pyopenssl_package_name: pyOpenSSL
+pyopenssl_package_name_python3: python3-pyOpenSSL

tests/integration/targets/setup_pyopenssl/vars/Suse.yml

@@ -0,0 +1,3 @@
+---
+pyopenssl_package_name: python-pyOpenSSL
+pyopenssl_package_name_python3: python3-pyOpenSSL

tests/integration/targets/x509_certificate/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_openssl
+  - setup_pyopenssl

tests/integration/targets/x509_certificate/tasks/expired.yml

@@ -23,7 +23,7 @@
   when: select_crypto_backend == 'pyopenssl' # cryptography won't allow creating expired certificates
 
 - name: (Expired, {{select_crypto_backend}}) Generate expired selfsigned certificate
-  command: "openssl x509 -req -days -1 -in {{ output_dir }}/has_expired_csr.csr -signkey {{ output_dir }}/has_expired_privatekey.pem -out {{ output_dir }}/has_expired_cert.pem"
+  command: "{{ openssl_binary }} x509 -req -days -1 -in {{ output_dir }}/has_expired_csr.csr -signkey {{ output_dir }}/has_expired_privatekey.pem -out {{ output_dir }}/has_expired_cert.pem"
   when: select_crypto_backend == 'cryptography' # So we create it with 'command'
 
 - name: "(Expired) Check task fails because cert is expired (has_expired: false)"

tests/integration/targets/x509_certificate/tests/validate_ownca.yml

@@ -1,18 +1,18 @@
 ---
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - verify CA)
-  shell: 'openssl verify -CAfile {{ output_dir }}/ca_cert.pem {{ output_dir }}/ownca_cert.pem | sed "s/.*: \(.*\)/\1/g"'
+  shell: '{{ openssl_binary }} verify -CAfile {{ output_dir }}/ca_cert.pem {{ output_dir }}/ownca_cert.pem | sed "s/.*: \(.*\)/\1/g"'
   register: ownca_verify_ca
 
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca certificate modulus)
-  shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/ownca_cert.pem'
+  shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ output_dir }}/ownca_cert.pem'
   register: ownca_cert_modulus
 
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca issuer value)
-  shell: 'openssl x509 -noout  -in {{ output_dir}}/ownca_cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
+  shell: '{{ openssl_binary }} x509 -noout  -in {{ output_dir}}/ownca_cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
   register: ownca_cert_issuer
 
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca certficate version == default == 3)
-  shell: 'openssl x509 -noout  -in {{ output_dir}}/ownca_cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
+  shell: '{{ openssl_binary }} x509 -noout  -in {{ output_dir}}/ownca_cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
   register: ownca_cert_version
 
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (assert)
@@ -39,7 +39,7 @@
 
 - block:
   - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate v2 (test - ownca certificate version == 2)
-    shell: 'openssl x509 -noout  -in {{ output_dir}}/ownca_cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
+    shell: '{{ openssl_binary }} x509 -noout  -in {{ output_dir}}/ownca_cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
     register: ownca_cert_v2_version
 
   - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate version 2 (assert)
@@ -57,7 +57,7 @@
 
 
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate2 (test - ownca certificate modulus)
-  shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/ownca_cert2.pem'
+  shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ output_dir }}/ownca_cert2.pem'
   register: ownca_cert2_modulus
 
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate2 (assert)
@@ -66,11 +66,11 @@
       - ownca_cert2_modulus.stdout == privatekey2_modulus.stdout
 
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate owncal certificate3 (test - notBefore)
-  shell: 'openssl x509 -noout -in {{ output_dir }}/ownca_cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
+  shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir }}/ownca_cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
   register: ownca_cert3_notBefore
 
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate3 (test - notAfter)
-  shell: 'openssl x509 -noout -in {{ output_dir }}/ownca_cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
+  shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir }}/ownca_cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
   register: ownca_cert3_notAfter
 
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate3 (assert - notBefore)
@@ -84,11 +84,11 @@
       - ownca_cert3_notAfter.stdout == 'Oct 23 13:37:42 2019'
 
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (test - ownca certificate pubkey)
-  shell: 'openssl x509 -noout -pubkey -in {{ output_dir }}/ownca_cert_ecc.pem'
+  shell: '{{ openssl_binary }} x509 -noout -pubkey -in {{ output_dir }}/ownca_cert_ecc.pem'
   register: ownca_cert_ecc_pubkey
 
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (test - ownca issuer value)
-  shell: 'openssl x509 -noout  -in {{ output_dir}}/ownca_cert_ecc.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
+  shell: '{{ openssl_binary }} x509 -noout  -in {{ output_dir}}/ownca_cert_ecc.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
   register: ownca_cert_ecc_issuer
 
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (assert)

tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml

@@ -1,6 +1,6 @@
 ---
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - privatekey modulus)
-  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
+  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
   register: privatekey_modulus
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate behavior for no CSR
@@ -11,11 +11,11 @@
       - selfsigned_certificate_no_csr_idempotence_check is not changed
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate with no CSR (test - certificate modulus)
-  shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/cert_no_csr.pem'
+  shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ output_dir }}/cert_no_csr.pem'
   register: cert_modulus
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate with no CSR (test - certficate version == default == 3)
-  shell: 'openssl x509 -noout  -in {{ output_dir}}/cert_no_csr.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
+  shell: '{{ openssl_binary }} x509 -noout  -in {{ output_dir}}/cert_no_csr.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
   register: cert_version
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate with no CSR (assert)
@@ -38,16 +38,16 @@
       - selfsigned_certificate_no_csr.certificate == selfsigned_certificate_no_csr_idempotence.certificate
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - certificate modulus)
-  shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/cert.pem'
+  shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ output_dir }}/cert.pem'
   register: cert_modulus
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - issuer value)
-  shell: 'openssl x509 -noout  -in {{ output_dir}}/cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g; s/ //g;"'
+  shell: '{{ openssl_binary }} x509 -noout  -in {{ output_dir}}/cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g; s/ //g;"'
   register: cert_issuer
 
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - certficate version == default == 3)
-  shell: 'openssl x509 -noout  -in {{ output_dir}}/cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
+  shell: '{{ openssl_binary }} x509 -noout  -in {{ output_dir}}/cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
   register: cert_version
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (assert)
@@ -77,7 +77,7 @@
 
 - block:
   - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate v2 (test - certificate version == 2)
-    shell: 'openssl x509 -noout  -in {{ output_dir}}/cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
+    shell: '{{ openssl_binary }} x509 -noout  -in {{ output_dir}}/cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
     register: cert_v2_version
 
   - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate version 2 (assert)
@@ -95,11 +95,11 @@
   when: select_crypto_backend == 'cryptography'
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (test - privatekey modulus)
-  shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey2.pem'
+  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey2.pem'
   register: privatekey2_modulus
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (test - certificate modulus)
-  shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/cert2.pem'
+  shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ output_dir }}/cert2.pem'
   register: cert2_modulus
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (assert)
@@ -108,11 +108,11 @@
       - cert2_modulus.stdout == privatekey2_modulus.stdout
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate3 (test - notBefore)
-  shell: 'openssl x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
+  shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
   register: cert3_notBefore
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate3 (test - notAfter)
-  shell: 'openssl x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
+  shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
   register: cert3_notAfter
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate3 (assert - notBefore)
@@ -126,11 +126,11 @@
       - cert3_notAfter.stdout == 'Oct 23 13:37:42 2019'
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (test - privatekey's pubkey)
-  shell: 'openssl ec -pubout -in {{ output_dir }}/privatekey_ecc.pem'
+  shell: '{{ openssl_binary }} ec -pubout -in {{ output_dir }}/privatekey_ecc.pem'
   register: privatekey_ecc_pubkey
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (test - certificate pubkey)
-  shell: 'openssl x509 -noout -pubkey -in {{ output_dir }}/cert_ecc.pem'
+  shell: '{{ openssl_binary }} x509 -noout -pubkey -in {{ output_dir }}/cert_ecc.pem'
   register: cert_ecc_pubkey
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (assert)

tests/integration/targets/x509_certificate_info/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_openssl
+  - setup_pyopenssl

tests/utils/shippable/macos.sh

@@ -0,0 +1 @@
+remote.sh