diff --git a/defaults/main.yml b/defaults/main.yml
index 45aebca..bdb606b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -76,6 +76,7 @@ no_proxy_targets:
 - 'localhost'
 trusted_ca_el_anchors_path: '/etc/pki/ca-trust/source/anchors'
+trusted_ca_deb_path: '/usr/local/share/ca-certificates'
 # it shoudn't be needed
 trusted_ca_letsencrypt_install: False
 trusted_ca_letsencrypt_ca_certificates_url: https://letsencrypt.org/certs
diff --git a/tasks/trusted_ca.yml b/tasks/trusted_ca.yml
index 8eee28c..651dfbc 100644
--- a/tasks/trusted_ca.yml
+++ b/tasks/trusted_ca.yml
@@ -51,7 +51,7 @@
 apt: pkg=ca-certificates state=present cache_valid_time=1800
 - name: Get the CA files that we want to trust on deb
-get_url: url={{ item.ca_url }} dest=/usr/local/share/ca-certificates/{{ item.ca }} owner=root group=root mode='0444'
+get_url: url={{ item.ca_url }} dest={{ trusted_ca_deb_path }}/{{ item.ca }} owner=root group=root mode='0444'
 with_items: '{{ trusted_ca_additional_ca_files }}'
 register: ca_files_installation
@@ -67,7 +67,7 @@
 - name: Download the letsencrypt CA files on deb
 get_url:
 url: '{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca }}'
-dest: '/usr/local/share/ca-certificates/{{ item.ca }}'
+dest: '{{ trusted_ca_deb_path }}/{{ item.ca }}'
 owner: root
 group: root
 mode: 0444
@@ -85,6 +85,13 @@
 loop: '{{ expired_ca_letsencrypt_ca_files }}'
 register: letsencrypt_ca_files_removal
+- name: Ensure that the expired CA files are not present
+file:
+dest: '{{ trusted_ca_deb_path }}/{{ item }}'
+state: absent
+loop: '{{ expired_ca_letsencrypt_ca_files }}'
+register: letsencrypt_ca_files_removal
 - name: Trust the CA files on deb
 command: /usr/sbin/update-ca-certificates
 when: letsencrypt_ca_files_removal is changed
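Review bot: The new `trusted_ca_deb_path` default carries no comment, and unlike a free-form path it has a hard constraint: the deb tasks in this same commit finish with `/usr/sbin/update-ca-certificates`, which only picks up certificates from the directories it is configured to scan (and, as far as I recall, only files named `*.crt`), so a user overriding this variable with some other directory would see the files downloaded and the CAs silently never trusted. A one-line comment above the new key would make that visible to anyone reading the defaults: `# Must stay a directory scanned by update-ca-certificates, otherwise the downloaded CAs are never trusted`. The sibling `trusted_ca_el_anchors_path` would benefit from the same kind of note, but that line is not part of this change.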
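Review bot: The rewritten `get_url:` line in the `Get the CA files that we want to trust on deb` task keeps the key=value argument string, while the sibling deb download task in the next hunk (`Download the letsencrypt CA files on deb`) already uses native YAML module arguments, so the two tasks that do the same thing now read differently. The key=value form is also fragile with the newly templated `dest=`: module arguments are split on whitespace, so an override of `trusted_ca_deb_path` containing a space would produce a broken destination, whereas the quoted block form in the next hunk handles it. Writing the task in block form, matching the rest of the file, resolves both:

```yaml
- name: Get the CA files that we want to trust on deb
  get_url:
    url: '{{ item.ca_url }}'
    dest: '{{ trusted_ca_deb_path }}/{{ item.ca }}'
    owner: root
    group: root
    mode: '0444'
  # … unchanged: with_items / register …
```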
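Review bot: The added `Ensure that the expired CA files are not present` task registers its result as `letsencrypt_ca_files_removal`, the same name the preceding task (whose header lies outside the hunk) registers two lines above, so the later guard `when: letsencrypt_ca_files_removal is changed` on `update-ca-certificates` now only sees the new task's result; if the earlier removal changed something and this one did not, the trust store is never rebuilt and a removed CA stays trusted until something else triggers the rebuild. Register the new task under its own name and widen the guard, e.g. `register: letsencrypt_ca_files_removal_deb` and `when: letsencrypt_ca_files_removal is changed or letsencrypt_ca_files_removal_deb is changed`. If the preceding task already removes the same files from the same directory (I cannot tell from the hunk), the new task is a duplicate and should be dropped instead. Minor: the `file` module's canonical argument is `path`; `dest` is only an alias.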