no idempotent yet

handlers/main.yml

@@ -2,4 +2,5 @@
 # handlers file for import_vault_root_ca
 - name: "Update the trust store"
   ansible.builtin.command: update-ca-certificates
+  changed_when: false
   listen: "update-ca-certificates"

molecule/with_custom_ca/group_vars/all.yml

@@ -1,4 +1,4 @@
 ---
 import_vault_root_ca_certificate_list:
-  - url: "https://openstack01.ednz.fr:8200/v1/ednz-root-ca/ca"
+  - url: "https://letsencrypt.org/certs/isrg-root-x2.pem"
-    cert_name: "ednz_ca"
+    cert_name: "isrg_root"

molecule/with_custom_ca/verify.yml

@@ -12,7 +12,13 @@
             path: "/usr/local/share/ca-certificates"
           register: usr_local_share_ca_certificates
 
-        - name: "Verify directory {{ import_vault_root_ca_cert_dir }}"
+        - name: "Find files in directory /usr/local/share/ca-certificates"
+          ansible.builtin.find:
+            paths: "/usr/local/share/ca-certificates"
+            file_type: file
+          register: usr_local_share_ca_certificates_ls
+
+        - name: "Verify directory /usr/local/share/ca-certificates"
           ansible.builtin.assert:
             that:
               - usr_local_share_ca_certificates.stat.exists
@@ -20,5 +26,29 @@
               - usr_local_share_ca_certificates.stat.pw_name == 'root'
               - usr_local_share_ca_certificates.stat.gr_name == 'root'
               - usr_local_share_ca_certificates.stat.mode == '0755'
+              - (usr_local_share_ca_certificates_ls.files|length) == 1
+              - (usr_local_share_ca_certificates_ls.files[0].path|basename) == 'isrg_root.crt'
 
-    - name: "Get certificate information"
+    - name: "Test: certificate isrg_root.crt"
+      block:
+        - name: "Stat file /usr/local/share/ca-certificates/isrg_root.crt"
+          ansible.builtin.stat:
+            path: "/usr/local/share/ca-certificates/isrg_root.crt"
+          register: isrg_root_file
+
+        - name: "Get certificate info"
+          community.crypto.x509_certificate_info:
+            path: "/usr/local/share/ca-certificates/isrg_root.crt"
+          register: isrg_root_pem
+
+        - name: "Verify certificate is readable"
+          ansible.builtin.assert:
+            that:
+              - isrg_root_file.stat.exists
+              - isrg_root_file.stat.isreg
+              - isrg_root_file.stat.pw_name == 'root'
+              - isrg_root_file.stat.gr_name == 'root'
+              - isrg_root_file.stat.mode == '0644'
+              - not isrg_root_pem.failed
+              - not isrg_root_pem.expired
+              - isrg_root_pem.issuer == isrg_root_pem.subject

tasks/import.yml

@@ -4,6 +4,7 @@
   ansible.builtin.get_url:
     url: "{{ item.url }}"
     validate_certs: false
+    force: false
     dest: "/tmp/{{ item.cert_name }}.tmp"
     mode: '0600'
   loop: "{{ import_vault_root_ca_certificate_list }}"
@@ -15,3 +16,9 @@
   loop: "{{ import_vault_root_ca_certificate_list }}"
   notify:
     - update-ca-certificates
+
+- name: "Delete temporary certificate"
+  ansible.builtin.file:
+    path: "/tmp/{{ item.cert_name }}.tmp"
+    state: absent
+  loop: "{{ import_vault_root_ca_certificate_list }}"