Didn’t work for me.
I checked the output of /etc/ssl/certs/ca-certificates.crt, and I confirmed both root and intermediate certs are there.
Here’s the Ansible config I push on Ubuntu computers in our environment:
- name: Make sure p11-kit is installed
  ansible.builtin.apt:
    name:
      - p11-kit
      - p11-kit-modules

# Keep a copy of the stock NSS trust module before replacing it
- name: Backup libnssckbi.so
  ansible.builtin.copy:
    src: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
    dest: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so.old
    remote_src: true
  ignore_errors: true

- name: Delete original libnssckbi.so
  ansible.builtin.file:
    name: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
    state: absent

# Point NSS at the p11-kit trust module
- name: Symlink p11-kit-trust.so to libnssckbi.so
  ansible.builtin.file:
    src: /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
    dest: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
    state: link
  ignore_errors: true

- name: Create Intermediate certificate
  ansible.builtin.copy:
    dest: /usr/local/share/ca-certificates/<hidden>_intermediate_ca-chain.crt
    content: |
      -----BEGIN CERTIFICATE-----
      <hidden>
      -----END CERTIFICATE-----
    mode: '0644'

- name: Create root certificate
  ansible.builtin.copy:
    dest: /usr/local/share/ca-certificates/<hidden>_root_ca-chain.crt
    content: |
      -----BEGIN CERTIFICATE-----
      <hidden>
      -----END CERTIFICATE-----
    mode: '0644'

# Rebuild /etc/ssl/certs and the ca-certificates.crt bundle
- name: Update certificate store
  ansible.builtin.command: /usr/sbin/update-ca-certificates --fresh
  register: ubuntu_cert
  changed_when: ubuntu_cert.rc != 0
Here, you showed that they’re supposed to reflect, but that doesn’t seem to be the case for me.
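A quick check of the two things the playbook above is meant to produce, namely that libnssckbi.so resolves to p11-kit-trust.so and that each CA file's body is present in the system bundle. This is an added example, not part of the original post. The function names and the NSS_MODULE, P11_MODULE and CA_BUNDLE override variables are assumptions made for the example; the default paths are the ones in the playbook.

```shell
#!/bin/sh
# Added example (not from the original post): verify the playbook's end state.
# Function names and the *_MODULE / CA_BUNDLE variables are hypothetical.

# True if $1 is a symlink that resolves to the same file as $2.
link_points_to() {
    [ -L "$1" ] && [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]
}

# Base64 body of the first PEM certificate in $1, joined onto one line.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ {on=1; next}
         /-----END CERTIFICATE-----/   {exit}
         on {gsub(/[ \t\r]/, ""); printf "%s", $0}' "$1"
}

# True if the certificate in $1 is present in the PEM bundle $2.
# Both sides are flattened first, so different line wrapping still matches.
cert_in_bundle() {
    body=$(pem_body "$1")
    [ -n "$body" ] || return 2          # no certificate found in $1
    tr -d ' \t\r\n' < "$2" | grep -qF -- "$body"
}

# Report on the NSS module link and on every CA file passed as an argument.
check_trust() {
    nss=${NSS_MODULE:-/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so}
    p11=${P11_MODULE:-/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so}
    bundle=${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}
    rc=0
    if link_points_to "$nss" "$p11"; then echo "OK   $nss -> $p11"
    else echo "FAIL $nss is not a symlink to $p11"; rc=1; fi
    for crt in "$@"; do
        if cert_in_bundle "$crt" "$bundle"; then echo "OK   $crt in $bundle"
        else echo "FAIL $crt not in $bundle"; rc=1; fi
    done
    return $rc
}
```

Source the file and call `check_trust` with the paths of the two `.crt` files under /usr/local/share/ca-certificates; a non-zero return means at least one check failed.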