Find certificates and include them by direct name

tasks/main.yml

@@ -74,6 +74,21 @@
   loop: '{{ ensure_mariadb.seboolean_list }}'
   loop_control:
     label: '{{ item.name }} will be {{ item.state }}'
+- name: 'find certificates'
+  when:
+    - ansible_system == 'Linux'
+    - ensure_mariadb is defined
+    - ensure_mariadb.template_list is defined
+    - ensure_mariadb.template_list is iterable
+  ansible.builtin.find:
+    file_type: 'file'
+    paths:
+      - '/etc/httpd/md/domains/'
+    patterns:
+      - 'pubcert.pem'
+      - 'privkey.pem'
+    recursive: 'yes'
+  register: 'certificates'
 - name: 'ensure configurations'
   when:
     - ansible_system == 'Linux'

templates/Fedora/34/etc/my.cnf.d/client.cnf

@@ -9,4 +9,6 @@ default-character-set = utf8mb4
 # If you use the same .cnf file for MySQL and MariaDB,
 # use it for MariaDB-only client options
 [client-mariadb]
+ssl
+ssl-verify-server-cert
 

templates/Fedora/34/etc/my.cnf.d/mariadb-server.cnf

@@ -20,8 +20,17 @@ log-error=/var/log/mariadb/mariadb.log
 pid-file=/run/mariadb/mariadb.pid
 character-set-server = utf8mb4
 ssl-ca=/etc/pki/tls/certs/ca-bundle.crt
-ssl-cert=/etc/httpd/md/domains/*/pubcert.pem
-ssl-key=/etc/httpd/md/domains/*/privkey.pem
+{% for certificate in certificates.files %}
+{% if certificate.path is regex('/pubcert.pem$') %}
+ssl-cert={% certificate.path %}
+{% endif %}
+{% endfor %}
+{% for certificate in certificates.files %}
+{% if certificate.path is regex('/privkey.pem$') %}
+ssl-key={% certificate.path %}
+{% endif %}
+{% endfor %}
+tls-version=TLSv1.2,TLSv1.3
 
 
 #