diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 98c4a5f4f205df9e8f9aea15f72db1247aa3019a..7dbaf3b928dba46fc3a05635fc5edb48b3aeb63f 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -150,7 +150,7 @@ defaults to be used for all servers, and then overrides it for one server: --- - ansible_key: /root/ansible/private.key + ansible_key: {{ lookup('file', '~/.ssh/id_rsa.pub') }} preseed_country: UK preseed_directory: /var/www/preseed preseed_keymap: UK @@ -325,11 +325,10 @@ Parameters server. Each element of the list should be a simple string denoting the name of the package. -**ca_certificates** (list, optional, ``[]``) - List of additional CA certificate files that should be deployed on the - server. Each element of the list should be a filepath to a CA certificate file - on originating (Ansible) host that should be copied to destination - server. +**ca_certificates** (list, optional, ``{}``) + Dictionary containing the CA certificates to deploy. Keys are filenames to be + used when placing a certificate file in directory ``/etc/ssl/certs/``, while + values are corresponding content to be placed in the file. **incoming_connection_limit** (string, optional, ``3/second``) Rate at which the incoming ICMP echo-request packages and new TCP connections @@ -375,7 +374,7 @@ packages on all servers: - debconf-utils ca_certificates: - - ../certs/truststore.pem + "truststore.pem": "{{ lookup('file', '../certs/truststore.pem') }}" incoming_connection_limit: 2/second diff --git a/docs/usage.rst b/docs/usage.rst index ecfc0984d1dcecb5f25da43d0cff6003532cb543..f2688f709d8722b660b01a3cdcedae6c394c558c 100644 --- a/docs/usage.rst +++ b/docs/usage.rst 
@@ -607,7 +607,7 @@ one up first. This includes both the LDAP *server* and *client* configuration.
     tls_private_key_dir: "~/mysite/tls/"
     tls_certificate_dir: "~/mysite/tls/"
     ca_certificates:
-      - "~/mysite/tls/truststore.pem"
+      "truststore.pem": "{{ lookup('file', '~/mysite/tls/truststore.pem') }}"
 8. And now as finishing touch, simply run the playbooks again::
diff --git a/roles/backup_client/tasks/main.yml b/roles/backup_client/tasks/main.yml
index c02cf3d7df6c6b4908da4157ccb9cd3f32d31dbe..5acf961f69e373dda6a99d189a8e7111ac038d7a 100644
--- a/roles/backup_client/tasks/main.yml
+++ b/roles/backup_client/tasks/main.yml
@@ -37,12 +37,14 @@
   shell: "gpg2 --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sed -re 's/^.{8}//'"
   register: backup_encryption_key_id
   changed_when: False
+  failed_when: backup_encryption_key_id.stdout == ""
 - name: Extract additional encryption keys identifiers (Duplicty requires key ID in hexadecimal format)
   shell: "gpg2 --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sort -u | sed -re 's/^.{8}//' | tr '\n' ',' | sed -e 's/,$//'"
   register: backup_additional_encryption_keys_ids
   when: backup_additional_encryption_keys
   changed_when: False
+  failed_when: backup_additional_encryption_keys_ids.stdout == ""
 - name: Deploy private SSH key for logging-in into backup server
   copy: content="{{ backup_ssh_key }}" dest="/etc/duply/main/ssh/identity"
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
index df3c20e26d035424d2a459ffeb2b37c4bb929b8e..65a7ef0de0758a98541dc78b86dfd98d0cb8a088 100644
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -4,6 +4,6 @@ enable_backup: False
 common_packages: []
 os_users: []
 os_groups: []
-ca_certificates: []
+ca_certificates: {}
 incoming_connection_limit: 3/second
 incoming_connection_limit_burst: 9
\ No newline at end of file
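Review bot: The two added `failed_when` lines replace Ansible's default rc-based failure detection for shell tasks, so from now on only an empty stdout fails them; since each pipeline's exit status is that of the final `sed`, gpg2 errors were already masked, and the empty-stdout check is the right signal, but keep rc in the expression so a future non-zero exit is not silently accepted: `failed_when: backup_encryption_key_id.rc != 0 or backup_encryption_key_id.stdout == ""` and likewise `failed_when: backup_additional_encryption_keys_ids.rc != 0 or backup_additional_encryption_keys_ids.stdout == ""`. If the key file is unreadable or contains no `keyid:` line, the task now fails with only an empty-stdout message, so consider naming the cause in the task name or a comment (`# fails when no key ID could be extracted from private_keys.asc`). The task that registers backup_encryption_key_id begins before this hunk.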
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 845dba94c350224d87745bcc2c6dd9a26ee4369e..51e5d54615fe8ad1222e62ba3d5bc0349d28fdd0 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -63,8 +63,8 @@
     - Restart SSH
 - name: Deploy CA certificates
-  copy: src="{{ item }}" dest="/etc/ssl/certs/{{ item | basename }}" mode=644 owner=root group=root
-  with_items: ca_certificates
+  copy: content="{{ item.value }}" dest="/etc/ssl/certs/{{ item.key }}" mode=644 owner=root group=root
+  with_dict: ca_certificates
   notify:
     - Update CA certificate cache
diff --git a/roles/mail_forwarder/handlers/main.yml b/roles/mail_forwarder/handlers/main.yml
index ef33ee95cca4a6187cf7bb801d0a34a70c80a2b9..32356d6aedaa46976368141fbfe2cf77c26c95a4 100644
--- a/roles/mail_forwarder/handlers/main.yml
+++ b/roles/mail_forwarder/handlers/main.yml
@@ -1,8 +1,5 @@
 ---
-- name: Purge Exim configuration
-  apt: name="exim4*" state=absent purge=yes
-
 - name: Rebuild mail aliases
   command: /usr/bin/newaliases
diff --git a/roles/mail_forwarder/tasks/main.yml b/roles/mail_forwarder/tasks/main.yml
index ac2af0284e2a611241210a82c9bc82b15f3540d4..e29c19a42cfd9046db9e85098bd0ee0ae82e9a24 100644
--- a/roles/mail_forwarder/tasks/main.yml
+++ b/roles/mail_forwarder/tasks/main.yml
@@ -2,8 +2,9 @@
 - name: Install Postfix
   apt: name="postfix" state=installed
-  notify:
-    - Purge Exim configuration
+
+- name: Purge Exim configuration
+  apt: name="exim4*" state=absent purge=yes
 - name: Deploy Postfix main configuration
   template: src="main.cf.j2" dest="/etc/postfix/main.cf"
diff --git a/roles/mail_server/handlers/main.yml b/roles/mail_server/handlers/main.yml
index 139af3eaf1ad8125777298081ea6d84c3025474b..059dbba606abaa235f70bcf526d8b5817fd82667 100644
--- a/roles/mail_server/handlers/main.yml
+++ b/roles/mail_server/handlers/main.yml
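Review bot: `dest="/etc/ssl/certs/{{ item.key }}"` places the dictionary key into the path verbatim, whereas the replaced line ran the name through `basename`, so a key containing `/` or `..` is now written outside `/etc/ssl/certs/` instead of being flattened into it. The keys come from group/host vars rather than remote input, so this is about keeping the role's invariant rather than an exposure, but restoring the filter is a one-token change: `dest="/etc/ssl/certs/{{ item.key | basename }}"`. It is also worth a comment on the task that `item.value` is written as-is, so callers feeding it from `lookup('file', ...)` get a file without a trailing newline unless they pass `rstrip=False` — harmless for the OpenSSL PEM reader, but easy to misread in a diff of the deployed host.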
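Review bot: The new standalone task `apt: name="exim4*" state=absent purge=yes` runs on every play instead of only when the Postfix install changed, and nothing near it says why that is intended, so a comment would help the next reader: `# exim4 is Debian's default MTA; purge it (and its config) unconditionally so it cannot come back behind Postfix`. The handler version fired only on a fresh Postfix install, which presumably left exim4 in place on hosts where Postfix pre-existed — if that was the motivation, the commit message or comment should say so. The same task is introduced identically in roles/mail_server/tasks/main.yml in this commit; the remark applies there too.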
@@ -1,8 +1,5 @@
 ---
-- name: Purge Exim configuration
-  apt: name="exim4*" state=absent purge=yes
-
 - name: Restart Postfix
   service: name="postfix" state=restarted
diff --git a/roles/mail_server/tasks/main.yml b/roles/mail_server/tasks/main.yml
index 6de1d770fd3ee77669ff67d539dd68cc0e7202ce..a4f4fb2b9a80c0e2c0a094079edebc2160c09ed6 100644
--- a/roles/mail_server/tasks/main.yml
+++ b/roles/mail_server/tasks/main.yml
@@ -16,8 +16,9 @@
   with_items:
     - postfix
     - postfix-ldap
-  notify:
-    - Purge Exim configuration
+
+- name: Purge Exim configuration
+  apt: name="exim4*" state=absent purge=yes
 - name: Allow Postfix user to traverse the directory with TLS private keys
   user: name=postfix append=yes groups=ssl-cert
diff --git a/testsite/group_vars/all.yml b/testsite/group_vars/all.yml
index 0aa3174506c97cec9337feae67249c52bef097e5..d3f3f02b715362ffc71de53c998518e8d3ed5656 100644
--- a/testsite/group_vars/all.yml
+++ b/testsite/group_vars/all.yml
@@ -41,7 +41,7 @@ common_packages:
   - unzip
 ca_certificates:
-  - "{{ inventory_dir }}/tls/ca.pem"
+  "ca.pem": "{{ lookup('file', inventory_dir + '/tls/ca.pem') }}"
 incoming_connection_limit: 2/second