If Elasticsearch is installed with Ansible and a custom CA is used, the installation fails when es_validate_certs is true. The reason is that Ansible just copies the CA from the Ansible host to the nodes certificate directory (/etc/elasticsearch/certs). This breaks Ansible uri calls, since uri does not have an option to specify specific CAs (like cacert option in CURL). In order to make certificate validation work, the CA certificate needs to be added to the main ca-certification bundle, which is different for e.g. Debian or Redhat Systems. One other way would be use of curl, which provides the option of specifying the Certificate.
Regards
Bernhard