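---
# Trusted-CA management for EL (RedHat-family) and Debian-family hosts.
#
# Each block downloads the CA files listed in the role variables into the
# distribution's anchor directory, drops expired CAs, and rebuilds the system
# trust store only when a download or removal actually changed something.
#
# Notes for reviewers:
#   - get_url validates TLS by default; every download below additionally
#     accepts an optional per-item `ca_checksum` value (constructed key, format
#     "sha256:<hex>", omitted when the item does not define it) so that a
#     substituted CA file is rejected before it reaches the trust store.
#   - File modes are quoted strings: an unquoted `0444` is parsed as a YAML 1.1
#     octal integer and does not reliably survive loops.
#   - Every registered result has a unique name, so a "changed" outcome is
#     never overwritten before the rebuild task checks it (the deb block used
#     to register two removal tasks under the same variable, which skipped the
#     rebuild when only the first removal changed).

- name: Manage optional CA files on EL
  when: ansible_distribution_file_variety == "RedHat"
  tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
  block:
    - name: Get the CA files that we want to trust on EL
      get_url:
        url: '{{ item.ca_url }}'
        dest: '/etc/pki/ca-trust/source/anchors/{{ item.ca }}'
        owner: root
        group: root
        mode: '0444'
        # Optional integrity pin; omitted when the item carries no checksum.
        checksum: '{{ item.ca_checksum | default(omit) }}'
      # flatten(levels=1) keeps the one-level flattening that with_items did.
      loop: '{{ trusted_ca_additional_ca_files | flatten(levels=1) }}'
      register: ca_files_installation

    - name: Trust the CA files on EL
      command: /bin/update-ca-trust extract
      when: ca_files_installation is changed

- name: Manage the Letsencrypt CA files on EL
  when:
    - trusted_ca_letsencrypt_install
    - ansible_distribution_file_variety == "RedHat"
  tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
  block:
    - name: Download the letsencrypt CA files on EL
      get_url:
        url: '{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}'
        dest: '/etc/pki/ca-trust/source/anchors/{{ item.ca }}'
        owner: root
        group: root
        mode: '0444'
        # Optional integrity pin; omitted when the item carries no checksum.
        checksum: '{{ item.ca_checksum | default(omit) }}'
      loop: '{{ trusted_ca_letsencrypt_ca_files }}'
      register: letsencrypt_ca_files_installation

    - name: Ensure that the expired CA files are not present on EL
      file:
        path: '/etc/pki/ca-trust/source/anchors/{{ item }}'
        state: absent
      loop: '{{ expired_ca_letsencrypt_ca_files }}'
      register: letsencrypt_ca_files_removal

    # One rebuild covers both the download and the removal; the end state is
    # the same as rebuilding after each step, with one fewer command run.
    - name: Rebuild the trust CA files on EL
      command: /bin/update-ca-trust extract
      when: >-
        letsencrypt_ca_files_installation is changed
        or letsencrypt_ca_files_removal is changed

- name: Manage optional CA files on deb
  when: ansible_distribution_file_variety == "Debian"
  tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
  block:
    # state: latest deliberately upgrades the distribution CA bundle on every
    # run so revoked/expired roots shipped by the distro are picked up.
    - name: Ensure that ca-certificates is installed and up to date
      apt:
        name: ca-certificates
        state: latest
        cache_valid_time: 1800

    - name: Get the CA files that we want to trust on deb
      get_url:
        url: '{{ item.ca_url }}'
        dest: '{{ trusted_ca_deb_path }}/{{ item.ca }}'
        owner: root
        group: root
        mode: '0444'
        # Optional integrity pin; omitted when the item carries no checksum.
        checksum: '{{ item.ca_checksum | default(omit) }}'
      # flatten(levels=1) keeps the one-level flattening that with_items did.
      loop: '{{ trusted_ca_additional_ca_files | flatten(levels=1) }}'
      register: ca_files_installation

    - name: Trust the CA files on deb
      command: /usr/sbin/update-ca-certificates
      when: ca_files_installation is changed

- name: Distrust the DST Root CA X3 in Ubuntu Trusty
  when:
    - ansible_distribution_file_variety == "Debian"
    - ansible_distribution_version is version('14.04', '==')
  tags: ['pki', 'obsolete_ca']
  block:
    # A leading "!" in /etc/ca-certificates.conf marks the entry as distrusted.
    # The regexp does not match an already prefixed line, so this is idempotent.
    - name: Comment the mozilla/DST_Root_CA_X3.crt entry
      lineinfile:
        path: /etc/ca-certificates.conf
        regexp: '^mozilla/DST_Root_CA_X3.crt'
        line: '!mozilla/DST_Root_CA_X3.crt'
      register: dst_x3_distrust

    - name: Trust the CA files on deb
      command: /usr/sbin/update-ca-certificates
      when: dst_x3_distrust is changed

- name: Manage the Letsencrypt CA files on deb
  when:
    - trusted_ca_letsencrypt_install
    - ansible_distribution_file_variety == "Debian"
  tags: ['pki', 'trusted_ca', 'letsencrypt_ca']
  block:
    - name: Download the letsencrypt CA files on deb
      get_url:
        url: '{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}'
        dest: '{{ trusted_ca_deb_path }}/{{ item.ca }}'
        owner: root
        group: root
        mode: '0444'
        # Optional integrity pin; omitted when the item carries no checksum.
        checksum: '{{ item.ca_checksum | default(omit) }}'
      loop: '{{ trusted_ca_letsencrypt_ca_files }}'
      register: letsencrypt_ca_files_installation

    # Entries under /etc/ssl/certs are presumably the links update-ca-certificates
    # creates — confirm on the target; the source files live in trusted_ca_deb_path.
    - name: Ensure that the expired CA entries are not present in /etc/ssl/certs
      file:
        path: '/etc/ssl/certs/{{ item }}'
        state: absent
      loop: '{{ expired_ca_letsencrypt_ca_files }}'
      register: letsencrypt_ca_certs_dir_removal

    - name: Ensure that the expired CA files are not present on deb
      file:
        path: '{{ trusted_ca_deb_path }}/{{ item }}'
        state: absent
      loop: '{{ expired_ca_letsencrypt_ca_files }}'
      register: letsencrypt_ca_files_removal

    # Rebuild if any of the three steps changed; each result is registered
    # under its own name so none of them can be masked by a later task.
    - name: Trust the CA files on deb
      command: /usr/sbin/update-ca-certificates
      when: >-
        letsencrypt_ca_files_installation is changed
        or letsencrypt_ca_certs_dir_removal is changed
        or letsencrypt_ca_files_removal is changed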