From 6a0878dd9a8008a3cff3581c0868a4dd311d73dc Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 19 Sep 2018 17:41:37 +0200
Subject: [PATCH] mongodb: Download and place the letsencrypt CA into the system.
mongodb wants exactly one CA.
---
mongodb-org/defaults/main.yml | 7 +++++--
mongodb-org/tasks/mongodb-letsencrypt-acmetool.yml | 6 ++++++
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/mongodb-org/defaults/main.yml b/mongodb-org/defaults/main.yml
index f9133091..3bca8985 100644
--- a/mongodb-org/defaults/main.yml
+++ b/mongodb-org/defaults/main.yml
@@ -50,10 +50,13 @@ mongodb_storage_engine: wiredTiger
 mongodb_ssl_enabled: False
 mongodb_ssl_letsencrypt_managed: True
+mongodb_ssl_letsencrypt_ca_url: 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt'
+mongodb_ssl_letsencrypt_ca_filename: lets-encrypt-x3-cross-signed.pem
 # Options: disabled, requireSSL, allowSSL, preferSSL
 mongodb_ssl_mode: requireSSL
-mongodb_ssl_certkey_file: /etc/pki/mongodb/mongodb.pem
-mongodb_ssl_CA_file: /etc/ssl/certs/ca-certificates.crt
+mongodb_ssl_cert_dir: /etc/pki/mongodb
+mongodb_ssl_certkey_file: '{{ mongodb_ssl_cert_dir }}/mongodb.pem'
+mongodb_ssl_CA_file: '{{ mongodb_ssl_letsencrypt_ca_filename }}'
 mongodb_ssl_allowConnectionsWithoutCertificates: 'true'
 mongodb_ssl_disabled_protocols: 'TLS1_0,TLS1_1'
diff --git a/mongodb-org/tasks/mongodb-letsencrypt-acmetool.yml b/mongodb-org/tasks/mongodb-letsencrypt-acmetool.yml
index da6cf344..d66de0af 100644
--- a/mongodb-org/tasks/mongodb-letsencrypt-acmetool.yml
+++ b/mongodb-org/tasks/mongodb-letsencrypt-acmetool.yml
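Review bot: `mongodb_ssl_CA_file: '{{ mongodb_ssl_letsencrypt_ca_filename }}'` is a bare file name, while the task added in this same commit downloads the CA to `{{ mongodb_ssl_cert_dir }}/{{ mongodb_ssl_letsencrypt_ca_filename }}`; unless the template that renders mongod.conf prefixes the directory itself (not visible here), mongod will resolve `lets-encrypt-x3-cross-signed.pem` relative to its own working directory and fail to open its CAFile. Make it consistent with the sibling `mongodb_ssl_certkey_file`: `mongodb_ssl_CA_file: '{{ mongodb_ssl_cert_dir }}/{{ mongodb_ssl_letsencrypt_ca_filename }}'`. Separately, the URL pins one specific Let's Encrypt intermediate (X3) and intermediates rotate, so a comment above `mongodb_ssl_letsencrypt_ca_url` such as `# Intermediate that signs the issued certificate; update URL and filename together when Let's Encrypt rotates it` would save the next maintainer a silent verification failure.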
@@ -6,6 +6,12 @@
 - name: Install a script that fix the letsencrypt certificate for mongodb and then reload the service
 template: src=mongodb-letsencrypt-acmetool.sh dest={{ letsencrypt_acme_services_scripts_dir }}/mongodb owner=root group=root mode=4555
+ - name: Create the mongodb certificate directory
+ file: dest={{ mongodb_ssl_cert_dir }} state=directory owner=root group=mongodb mode=0750
+
+ - name: Get the Letsencrypt CA file
+ get_url: url={{ mongodb_ssl_letsencrypt_ca_url }} dest={{ mongodb_ssl_cert_dir }}/{{ mongodb_ssl_letsencrypt_ca_filename }}
+
 - name: Verify if the mongodb pem file exists
 stat: path={{ mongodb_ssl_certkey_file }}
 register: mongodb_pem
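Review bot: The `get_url` task installs a trust anchor into the directory mongod reads its CAFile from without any integrity check — there is no `checksum=` argument, so whatever the server returns for the `.pem.txt` URL (an HTML error page, a rotated intermediate) is written as the CA verbatim and the problem only surfaces when mongod restarts. Add `checksum=sha256:<digest>` with the digest of the expected intermediate recorded in the role, and set `owner=root group=mongodb mode=0644` explicitly so the file's permissions do not depend on the umask of the Ansible run (the directory is 0750 root:mongodb, so a too-restrictive default would lock mongod out). Note also that `get_url` defaults to `force=no`, so once the file exists it is never re-fetched; with a checksum in place a mismatching existing file is re-downloaded, otherwise a later change of `mongodb_ssl_letsencrypt_ca_url` keeping the same filename will be silently ignored. The task list these entries belong to starts before the hunk.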