ansible/test/integration/targets/prepare_http_tests/tasks/default.yml

- name: RedHat - Enable the dynamic CA configuration feature
  command: update-ca-trust force-enable
  when: ansible_os_family == 'RedHat'

- name: RedHat - Retrieve test cacert
  get_url:
    url: "http://ansible.http.tests/cacert.pem"
    dest: "/etc/pki/ca-trust/source/anchors/ansible.pem"
  when: ansible_os_family == 'RedHat'

- name: Get client cert/key
  get_url:
    url: "http://ansible.http.tests/{{ item }}"
    dest: "{{ remote_tmp_dir }}/{{ item }}"
  with_items:
    - client.pem
    - client.key

- name: Suse - Retrieve test cacert
  get_url:
    url: "http://ansible.http.tests/cacert.pem"
    dest: "/etc/pki/trust/anchors/ansible.pem"
  when: ansible_os_family == 'Suse'

- name: Debian/Alpine - Retrieve test cacert
  get_url:
    url: "http://ansible.http.tests/cacert.pem"
    dest: "/usr/local/share/ca-certificates/ansible.crt"
  when: ansible_os_family in ['Debian', 'Alpine']

- name: Redhat - Update ca trust
  command: update-ca-trust extract
  when: ansible_os_family == 'RedHat'

- name: Debian/Alpine/Suse - Update ca certificates
  command: update-ca-certificates
  when: ansible_os_family in ['Debian', 'Alpine', 'Suse']

- name: Update cacert
  when: ansible_os_family in ['FreeBSD', 'Darwin']
  block:
    - name: Retrieve test cacert
      uri:
        url: "http://ansible.http.tests/cacert.pem"
        return_content: true
      register: cacert_pem

    - name: Get cafile and capath
      command: '{{ ansible_python_interpreter }} -c "import ssl, json; paths = ssl.get_default_verify_paths(); print(json.dumps(dict(cafile=paths.cafile, capath=paths.capath)));"'
      register: capaths

    - name: Parse cafile and capath
      set_fact:
        capaths: "{{ capaths.stdout | from_json }}"

    - name: Add cacert to capath
      copy:
        content: "{{ cacert_pem.content }}"
        dest: "{{ capaths.capath }}/ansible-http-test.pem"
      notify: Remove cacert from capath
      when: capaths.capath is not none

    - name: Register cacert
      command: openssl rehash {{ capaths.capath }}
      notify: Unregister cacert
      when: capaths.capath is not none

    - name: Add cacert to cafile
      blockinfile:
        path: "{{ capaths.cafile }}"
        block: "{{ cacert_pem.content }}"
      notify: Remove cacert from cafile
      when: capaths.capath is none