mongodb: Download and place the letsencrypt CA into the system. mongodb wants exactly one CA.

mongodb-org/defaults/main.yml

@@ -50,10 +50,13 @@ mongodb_storage_engine: wiredTiger
 
 mongodb_ssl_enabled: False
 mongodb_ssl_letsencrypt_managed: True
+mongodb_ssl_letsencrypt_ca_url: 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt'
+mongodb_ssl_letsencrypt_ca_filename: lets-encrypt-x3-cross-signed.pem
 # Options: disabled, requireSSL, allowSSL, preferSSL
 mongodb_ssl_mode: requireSSL
-mongodb_ssl_certkey_file: /etc/pki/mongodb/mongodb.pem
-mongodb_ssl_CA_file: /etc/ssl/certs/ca-certificates.crt
+mongodb_ssl_cert_dir: /etc/pki/mongodb
+mongodb_ssl_certkey_file: '{{ mongodb_ssl_cert_dir }}/mongodb.pem'
+mongodb_ssl_CA_file: '{{ mongodb_ssl_letsencrypt_ca_filename }}'
 mongodb_ssl_allowConnectionsWithoutCertificates: 'true'
 mongodb_ssl_disabled_protocols: 'TLS1_0,TLS1_1'
 

mongodb-org/tasks/mongodb-letsencrypt-acmetool.yml

@@ -6,6 +6,12 @@
   - name: Install a script that fix the letsencrypt certificate for mongodb and then reload the service
     template: src=mongodb-letsencrypt-acmetool.sh dest={{ letsencrypt_acme_services_scripts_dir }}/mongodb owner=root group=root mode=4555
 
+  - name: Create the mongodb certificate directory
+    file: dest={{ mongodb_ssl_cert_dir }} state=directory owner=root group=mongodb mode=0750
+
+  - name: Get the Letsencrypt CA file 
+    get_url: url={{ mongodb_ssl_letsencrypt_ca_url }} dest={{ mongodb_ssl_cert_dir }}/{{ mongodb_ssl_letsencrypt_ca_filename }}
+
   - name: Verify if the mongodb pem file exists
     stat: path={{ mongodb_ssl_certkey_file }}
     register: mongodb_pem