Oddly · Oddly · Mar 12, 2026
diff --git a/roles/elasticstack/tasks/certs/cert_validate.yml b/roles/elasticstack/tasks/certs/cert_validate.yml
@@ -13,12 +13,12 @@
 #   _validate_key_fact           Fact name to store resolved key path
 #   _validate_ca_extracted_fact  Fact name for whether CA was auto-extracted from chain

 - name: "Check certificate file exists — {{ _validate_service }}"
  ansible.builtin.stat:
     path: "{{ _validate_cert_path }}"
   register: _validate_cert_stat
   delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-  become: false
+  become: "{{ _validate_remote_src | bool }}"
 
 - name: "Fail if certificate file missing — {{ _validate_service }}"
   ansible.builtin.fail:
@@ -29,16 +29,16 @@

 # --- Format detection ---

 - name: "Probe for PEM format — {{ _validate_service }}"
  ansible.builtin.command:
    cmd: openssl x509 -in {{ _validate_cert_path }} -noout
  register: _validate_pem_probe
   failed_when: false
   changed_when: false
   delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-  become: false
+  become: "{{ _validate_remote_src | bool }}"
 
 - name: "Probe for P12 format — {{ _validate_service }}"
   ansible.builtin.command:
    cmd: >-
      openssl pkcs12 -in {{ _validate_cert_path }} -noout
@@ -47,7 +47,7 @@
   failed_when: false
   changed_when: false
   delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-  become: false
+  become: "{{ _validate_remote_src | bool }}"
   no_log: true
   when: _validate_pem_probe.rc != 0
 
@@ -71,16 +71,16 @@
    - (_validate_key_path | default('', true)) | length == 0
    - _validate_pem_probe.rc == 0
  block:
    - name: "Compute derived key path — {{ _validate_service }}"
      ansible.builtin.set_fact:
        _validate_derived_key: "{{ _validate_cert_path | regex_replace('\\.(crt|pem|cert)$', '.key') }}"

    - name: "Check derived key exists — {{ _validate_service }}"
      ansible.builtin.stat:
         path: "{{ _validate_derived_key }}"
       register: _validate_derived_key_stat
       delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-      become: false
+      become: "{{ _validate_remote_src | bool }}"
 
     - name: "Fail if derived key not found — {{ _validate_service }}"
       ansible.builtin.fail:
@@ -110,13 +110,13 @@
 - name: "Check for CA chain in PEM bundle — {{ _validate_service }}"
  when: _validate_pem_probe.rc == 0
  block:
    - name: "Count PEM blocks in certificate file — {{ _validate_service }}"
      ansible.builtin.command:
        cmd: grep -c 'BEGIN CERTIFICATE' {{ _validate_cert_path }}
       register: _validate_pem_count
       changed_when: false
       delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-      become: false
+      become: "{{ _validate_remote_src | bool }}"
 
     - name: "Set CA extracted fact — {{ _validate_service }}"
       ansible.builtin.set_fact:
@@ -129,14 +129,14 @@

 # --- Certificate expiry check ---

 - name: "Check certificate has not expired — {{ _validate_service }}"
  ansible.builtin.command:
    cmd: openssl x509 -in {{ _validate_cert_path }} -noout -checkend 0
  register: _validate_expiry_check
   failed_when: false
   changed_when: false
   delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-  become: false
+  become: "{{ _validate_remote_src | bool }}"
   when: _validate_pem_probe.rc == 0
 
 - name: "Fail if certificate already expired — {{ _validate_service }}"
@@ -155,16 +155,16 @@
    - _validate_pem_probe.rc == 0
    - lookup('vars', _validate_key_fact) | length > 0
  block:
    - name: "Get certificate modulus — {{ _validate_service }}"
      ansible.builtin.shell:
        cmd: set -o pipefail && openssl x509 -in {{ _validate_cert_path }} -noout -modulus 2>/dev/null | openssl md5
        executable: /bin/bash
       register: _validate_cert_modulus
       changed_when: false
       delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-      become: false
+      become: "{{ _validate_remote_src | bool }}"
 
     - name: "Get key modulus — {{ _validate_service }}"
       ansible.builtin.shell:
        cmd: >-
          set -o pipefail &&
@@ -176,11 +176,11 @@
       changed_when: false
       failed_when: false
       delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-      become: false
+      become: "{{ _validate_remote_src | bool }}"
       no_log: true
 
     # If RSA modulus failed, try EC key
    - name: "Get EC key fingerprint — {{ _validate_service }}"
      ansible.builtin.shell:
        cmd: >-
          set -o pipefail &&
@@ -192,7 +192,7 @@
       changed_when: false
       failed_when: false
       delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-      become: false
+      become: "{{ _validate_remote_src | bool }}"
       no_log: true
       when: _validate_key_modulus.rc != 0
 
@@ -203,7 +203,7 @@
       register: _validate_ec_cert_fp
       changed_when: false
       delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-      become: false
+      become: "{{ _validate_remote_src | bool }}"
       when: _validate_key_modulus.rc != 0
 
     - name: "Fail if RSA key does not match certificate — {{ _validate_service }}"
@@ -240,7 +240,7 @@
       register: _validate_san_output
       changed_when: false
       delegate_to: "{{ omit if (_validate_remote_src | bool) else 'localhost' }}"
-      become: false
+      become: "{{ _validate_remote_src | bool }}"
 
     - name: "Warn if SAN does not include this node — {{ _validate_service }}"
       ansible.builtin.debug: