Use a variable to define the path of deb CAs.

2021-09-30 10:42:01 +02:00 · 2021-09-30 10:42:01 +02:00 · 714ac353f9
parent 40bd44e50a
commit 714ac353f9
2 changed files with 10 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -76,6 +76,7 @@ no_proxy_targets:
  - 'localhost'

 trusted_ca_el_anchors_path: '/etc/pki/ca-trust/source/anchors'
+trusted_ca_deb_path: '/usr/local/share/ca-certificates'
 # it shoudn't be needed
 trusted_ca_letsencrypt_install: False
 trusted_ca_letsencrypt_ca_certificates_url: https://letsencrypt.org/certs
--- a/tasks/trusted_ca.yml
+++ b/tasks/trusted_ca.yml
@ -51,7 +51,7 @@
    apt: pkg=ca-certificates state=present cache_valid_time=1800

  - name: Get the CA files that we want to trust on deb
-    get_url: url={{ item.ca_url }} dest=/usr/local/share/ca-certificates/{{ item.ca }} owner=root group=root mode='0444'
+    get_url: url={{ item.ca_url }} dest={{ trusted_ca_deb_path }}/{{ item.ca }} owner=root group=root mode='0444'
    with_items: '{{ trusted_ca_additional_ca_files }}'
    register: ca_files_installation

@ -67,7 +67,7 @@
  - name: Download the letsencrypt CA files on deb
    get_url:
      url: '{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca }}'
-      dest: '/usr/local/share/ca-certificates/{{ item.ca }}'
+      dest: '{{ trusted_ca_deb_path }}/{{ item.ca }}'
      owner: root
      group: root
      mode: 0444
@ -85,6 +85,13 @@
    loop: '{{ expired_ca_letsencrypt_ca_files }}'
    register: letsencrypt_ca_files_removal

+  - name: Ensure that the expired CA files are not present
+    file:
+      dest: '{{ trusted_ca_deb_path }}/{{ item }}'
+      state: absent
+    loop: '{{ expired_ca_letsencrypt_ca_files }}'
+    register: letsencrypt_ca_files_removal
+
  - name: Trust the CA files on deb
    command: /usr/sbin/update-ca-certificates
    when: letsencrypt_ca_files_removal is changed