Distrust DST X3.

tasks/trusted_ca.yml

@@ -62,6 +62,25 @@
   when: ansible_distribution_file_variety == "Debian"
   tags: [ 'pki', 'trusted_ca', 'letsencrypt_ca' ]
 
+- name: Distrust the DST Root CA X3 in Ubuntu Trusty
+  block:
+  - name: Comment the mozilla/DST_Root_CA_X3.crt entry
+    lineinfile:
+      path: /etc/ca-certificates.conf
+      regexp: '^mozilla/DST_Root_CA_X3.crt'
+      line: '!mozilla/DST_Root_CA_X3.crt'
+    register: dst_x3_distrust
+
+  - name: Trust the CA files on deb
+    command: /usr/sbin/update-ca-certificates
+    when: dst_x3_distrust is changed
+
+  when:
+    - ansible_distribution_file_variety == "Debian"
+    - ansible_distribution_version is version_compare('14.04', '==')
+  tags: [ 'pki', 'obsolete_ca' ]
+
+
 - name: Manage the Letsencrypt CA files on deb
   block:
   - name: Download the letsencrypt CA files on deb