It would be useful to have a local CA so tests can be run on a machine with no public IP and therefore no access to letsencrypt.
And maybe there are ansible roles to do that already? If not @fpoulain suggests adding to
molecule/certs/certs-playbook.yml and using
easy-rsa instead of