From 1f5f775ae20942b22b2990ac70fa5c29459519c5 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Tue, 25 Sep 2018 20:05:53 +0200
Subject: [PATCH] Use the Root letsencrypt CA certificate.

See https://support.d4science.org/issues/12443#note-16
---
 mongodb-org/defaults/main.yml                      | 4 +++-
 mongodb-org/tasks/mongodb-letsencrypt-acmetool.yml | 3 ++-
 mongodb-org/tasks/mongodb.yml                      | 8 ++------
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/mongodb-org/defaults/main.yml b/mongodb-org/defaults/main.yml
index 384d86c..9d60eac 100644
--- a/mongodb-org/defaults/main.yml
+++ b/mongodb-org/defaults/main.yml
@@ -49,6 +49,7 @@ mongodb_storage_engine: wiredTiger
 mongodb_ssl_enabled: False
 mongodb_ssl_letsencrypt_managed: True
+mongodb_letsencrypt_download_ca_file: False
 mongodb_ssl_letsencrypt_ca_url: 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt'
 mongodb_ssl_letsencrypt_ca_dir: '{{ mongodb_ssl_cert_dir }}'
 mongodb_ssl_letsencrypt_ca_filename: lets-encrypt-x3-cross-signed.pem
@@ -56,7 +57,8 @@ mongodb_ssl_letsencrypt_ca_filename: lets-encrypt-x3-cross-signed.pem
 mongodb_ssl_mode: requireSSL
 mongodb_ssl_cert_dir: /etc/pki/mongodb
 mongodb_ssl_certkey_file: '{{ mongodb_ssl_cert_dir }}/mongodb.pem'
-mongodb_ssl_CA_file: '{{ mongodb_ssl_letsencrypt_ca_dir }}/{{ mongodb_ssl_letsencrypt_ca_filename }}'
+# mongodb_ssl_CA_file: '{{ mongodb_ssl_letsencrypt_ca_dir }}/{{ mongodb_ssl_letsencrypt_ca_filename }}'
+mongodb_ssl_CA_file: '/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt'
 mongodb_ssl_allowConnectionsWithoutCertificates: 'true'
 mongodb_ssl_disabled_protocols: 'TLS1_0,TLS1_1'
 
diff --git a/mongodb-org/tasks/mongodb-letsencrypt-acmetool.yml b/mongodb-org/tasks/mongodb-letsencrypt-acmetool.yml
index d66de0a..66f2f45 100644
--- a/mongodb-org/tasks/mongodb-letsencrypt-acmetool.yml
+++ b/mongodb-org/tasks/mongodb-letsencrypt-acmetool.yml
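Review bot: The new `mongodb_ssl_CA_file` default points at a fixed, Debian-specific path under `/usr/share/ca-certificates/mozilla/` that the role neither installs nor checks, so on a host without the `ca-certificates` package, or after a trust-store update that drops `DST_Root_CA_X3.crt`, mongod would be configured with a CAFile that does not exist; with `mongodb_ssl_mode: requireSSL` that presumably stops the daemon from starting rather than failing quietly, which is worth confirming. A `stat` on `{{ mongodb_ssl_CA_file }}` followed by an `assert` before the configuration template is rendered would make the dependency explicit. Since the CAFile is also the anchor against which client certificates are validated, replacing the X3 intermediate by its root accepts any certificate chaining to that root; this is not a regression while `mongodb_ssl_allowConnectionsWithoutCertificates` is `'true'`, but the preceding commented-out line would read better as a why-comment recording it, e.g. `# Trust the Mozilla root that cross-signs the Let's Encrypt X3 intermediate (see issue 12443); client certs are not enforced`. `mongodb_ssl_letsencrypt_ca_url` and `_ca_filename` remain defined but, with `mongodb_letsencrypt_download_ca_file: False`, no longer feed `mongodb_ssl_CA_file`; a short comment stating that they apply only when that flag is enabled would avoid confusion.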
@@ -9,8 +9,9 @@
   - name: Create the mongodb certificate directory
     file: dest={{ mongodb_ssl_cert_dir }} state=directory owner=root group=mongodb mode=0750
 
-  - name: Get the Letsencrypt CA file
+  - name: Get the Letsencrypt CA file if there is no local copy yet
     get_url: url={{ mongodb_ssl_letsencrypt_ca_url }} dest={{ mongodb_ssl_cert_dir }}/{{ mongodb_ssl_letsencrypt_ca_filename }}
+    when: mongodb_letsencrypt_download_ca_file
 
   - name: Verify if the mongodb pem file exists
     stat: path={{ mongodb_ssl_certkey_file }}
diff --git a/mongodb-org/tasks/mongodb.yml b/mongodb-org/tasks/mongodb.yml
index 65f18f6..97006b5 100644
--- a/mongodb-org/tasks/mongodb.yml
+++ b/mongodb-org/tasks/mongodb.yml
@@ -41,17 +41,13 @@
 - block:
   - name: Install/Update the mongodb configuration
     template: src=mongod-{{ mongodb_version }}.conf.j2 dest=/etc/mongod.conf owner=root group=root mode=0444 backup=yes
-    when: mongodb_install_server or mongodb_install_conf or mongodb_update_conf
+    when: mongodb_install_conf or mongodb_update_conf
     notify: Restart mongodb
+  when: mongodb_install_server
   tags: [ 'mongodb', 'mongodb_update_conf' ]
 
 - block:
-#  - name: Install the mongodb configuration
-#    template: src=mongod-{{ mongodb_version }}.conf.j2 dest=/etc/mongod.conf owner=root group=root mode=0444 backup=yes
-#    when: mongodb_install_conf
-#    notify: Restart mongodb
-
   - name: We are upgrading, install the latest version of the mongodb packages
     apt: pkg={{ item }} state=latest update_cache=yes cache_valid_time=1800
     with_items: '{{ mongodb_server_pkgs }}'
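Review bot: The `get_url` task still fetches a file that becomes the server's TLS trust anchor without pinning its content; adding `checksum=sha256:<expected-sha256-of-lets-encrypt-x3-cross-signed.pem>` to the `get_url` line would make a substituted or truncated download fail the play instead of being installed into `{{ mongodb_ssl_cert_dir }}`. The new task name says "if there is no local copy yet", but the added `when: mongodb_letsencrypt_download_ca_file` gates on the flag only — the no-overwrite behaviour comes from get_url's default `force=no` — so a name such as `Download the Letsencrypt CA file when mongodb_letsencrypt_download_ca_file is set` would describe the condition accurately. The enclosing task list begins before this hunk.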