library/roles/oracle-jdk: Install a complete cacerts keyring on jdk <=7. The new keyring includes the letsencrypt CA cert and the INFN one.

library/roles/oracle-jdk: Add the INFN CA cert to the default keyring if jdk version is >=8.

oracle-jdk/tasks/main.yml

@@ -44,14 +44,18 @@
     - name: Set fact jdk_installed
       set_fact: jdk_installed=True
 
-    - name: Get the Letsencrypt cross signed X3 CA certificate
-      get_url: url='https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.der' dest=/srv/lets-encrypt-x3-cross-signed.der
-      when: jdk_default <= 7
-
-    - name: Change the default keyring. Insert the Letsencrypt X3 cross signed CA certificate
-      shell: keytool -trustcacerts -keystore {{ jdk_java_home }}/jre/lib/security/cacerts -storepass changeit -noprompt -importcert -alias lets-encrypt-x3-cross-signed -file /srv/lets-encrypt-x3-cross-signed.der
-      when:
-        - ( jdk_install | changed )
-        - jdk_default <= 7
-
   tags: [ 'oracle_jdk', 'jdk' ]
+
+- block:
+    - name: Install a default keyring that includes the Letsencrypt X3 cross signed CA and the INFN CA certificate
+      copy: src=cacerts-jdk7 dest={{ jdk_java_home }}/jre/lib/security/cacerts owner=root group=root mode=0644
+
+  when: jdk_default <= 7 
+  tags: [ 'oracle_jdk', 'jdk', 'jdk_cacert' ]
+
+- block:
+    - name: Change the default keyring. Insert the INFN CA certificate
+      shell: keytool -list -keystore {{ jdk_java_home }}/jre/lib/security/cacerts  -storepass changeit -noprompt | grep infn-ca-2015 ; RETVAL=$? ; if [ $RETVAL -ne 0 ] ; then keytool -trustcacerts -keystore {{ jdk_java_home }}/jre/lib/security/cacerts -storepass changeit -noprompt -importcert -alias infn-ca-2015-2030 -file /usr/local/share/ca-certificates/infn-ca-2015.crt ; fi
+
+  when: jdk_default >= 8
+  tags: [ 'oracle_jdk', 'jdk', 'jdk_cacert' ]