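---
# Install extra CA certificates into the system trust store.
#
# Variables read by these tasks:
#   trusted_ca_additional_ca_files  - list of items with `ca` (file name) and
#                                     `ca_url` (download location); an optional
#                                     `checksum` key is honoured when present.
#   trusted_ca_letsencrypt_ca_files - list of items with `ca` (file name under
#                                     files/letsencrypt_ca_files/).
#   trusted_ca_letsencrypt_install  - enables the Let's Encrypt blocks.
#
# Everything installed here becomes a trust anchor for the whole host, so the
# provenance of each file matters more than for ordinary downloads.

- name: Manage optional CA files on EL
  block:
    - name: Get the CA files that we want to trust
      get_url:
        url: '{{ item.ca_url }}'
        dest: '/etc/pki/ca-trust/source/anchors/{{ item.ca }}'
        owner: root
        group: root
        mode: '0444'
        # Pin the download when the item provides `checksum`
        # ('<algorithm>:<digest>'); omitted otherwise, which keeps the
        # previous behaviour. Set it for every entry so that a tampered or
        # substituted file fails the task instead of being trusted.
        checksum: '{{ item.checksum | default(omit) }}'
      with_items: '{{ trusted_ca_additional_ca_files }}'
      register: ca_files_installation

    # Rebuild the consolidated trust store only when a file was added/changed.
    - name: Trust the CA files
      command: /bin/update-ca-trust extract
      when: ca_files_installation is changed

  when: ansible_distribution_file_variety == "RedHat"
  tags: ['pki', 'trusted_ca', 'letsencrypt_ca']

- name: Manage the Letsencrypt CA files on EL
  block:
    # Certificates ship with the role, so no network fetch is involved.
    - name: Copy the letsencrypt CA files on EL
      copy:
        src: 'letsencrypt_ca_files/{{ item.ca }}'
        dest: '/etc/pki/ca-trust/source/anchors/{{ item.ca }}'
        owner: root
        group: root
        mode: '0444'
      with_items: '{{ trusted_ca_letsencrypt_ca_files }}'
      register: letsencrypt_ca_files_installation

    - name: Trust the CA files on EL
      command: /bin/update-ca-trust extract
      when: letsencrypt_ca_files_installation is changed

  when:
    - trusted_ca_letsencrypt_install
    - ansible_distribution_file_variety == "RedHat"
  tags: ['pki', 'trusted_ca', 'letsencrypt_ca']

- name: Manage optional CA files on deb
  block:
    - name: Ensure that ca-certificates is installed
      apt:
        pkg: ca-certificates
        state: present
        cache_valid_time: 1800

    # NOTE(review): update-ca-certificates is documented to build the bundle
    # from /usr/share/ca-certificates and from *.crt files under
    # /usr/local/share/ca-certificates. Confirm that files placed directly in
    # /etc/ssl/certs end up trusted the way this role expects.
    - name: Get the CA files that we want to trust
      get_url:
        url: '{{ item.ca_url }}'
        dest: '/etc/ssl/certs/{{ item.ca }}'
        owner: root
        group: root
        mode: '0444'
        # Same optional integrity pin as on EL; omitted when the item has no
        # `checksum` key.
        checksum: '{{ item.checksum | default(omit) }}'
      with_items: '{{ trusted_ca_additional_ca_files }}'
      register: ca_files_installation

    - name: Trust the CA files
      command: /usr/sbin/update-ca-certificates
      when: ca_files_installation is changed

  when: ansible_distribution_file_variety == "Debian"
  tags: ['pki', 'trusted_ca', 'letsencrypt_ca']

- name: Manage the Letsencrypt CA files on deb
  block:
    # The destination used to be the EL anchors directory
    # (/etc/pki/ca-trust/source/anchors), which is not part of the Debian
    # trust layout. Use the same Debian destination as the optional CA task
    # above so the files land where update-ca-certificates operates.
    - name: Copy the letsencrypt CA files on deb
      copy:
        src: 'letsencrypt_ca_files/{{ item.ca }}'
        dest: '/etc/ssl/certs/{{ item.ca }}'
        owner: root
        group: root
        mode: '0444'
      with_items: '{{ trusted_ca_letsencrypt_ca_files }}'
      register: letsencrypt_ca_files_installation

    # Task name corrected: this is the Debian refresh, not the EL one.
    - name: Trust the CA files on deb
      command: /usr/sbin/update-ca-certificates
      when: letsencrypt_ca_files_installation is changed

  when:
    - trusted_ca_letsencrypt_install
    - ansible_distribution_file_variety == "Debian"
  tags: ['pki', 'trusted_ca', 'letsencrypt_ca']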