diff --git a/.github/workflows/zammad.yml b/.github/workflows/zammad.yml index 0916f984..0cb89156 100644 --- a/.github/workflows/zammad.yml +++ b/.github/workflows/zammad.yml @@ -42,6 +42,7 @@ jobs: fail-fast: false matrix: image: + - "ghcr.io/hifis-net/almalinux-systemd:9" - "ghcr.io/hifis-net/ubuntu-systemd:22.04" - "ghcr.io/hifis-net/ubuntu-systemd:24.04" diff --git a/molecule/zammad/converge.yml b/molecule/zammad/converge.yml index 9a60aed3..131d2e08 100644 --- a/molecule/zammad/converge.yml +++ b/molecule/zammad/converge.yml @@ -6,9 +6,11 @@ --- - name: "Converge" hosts: "all" + become: false tasks: - name: "Get private key content" + become: true ansible.builtin.command: "cat /etc/ssl/private/ssl-cert-snakeoil.key" changed_when: false check_mode: false diff --git a/molecule/zammad/molecule.yml b/molecule/zammad/molecule.yml index 4fa54629..b7e506c5 100644 --- a/molecule/zammad/molecule.yml +++ b/molecule/zammad/molecule.yml @@ -26,5 +26,10 @@ provisioner: playbooks: prepare: "prepare.yml" converge: "converge.yml" + inventory: + hosts: + all: + vars: + ansible_user: "ansible" verifier: name: "ansible" diff --git a/molecule/zammad/prepare.yml b/molecule/zammad/prepare.yml index 51f74317..8a2fee16 100644 --- a/molecule/zammad/prepare.yml +++ b/molecule/zammad/prepare.yml @@ -6,10 +6,11 @@ --- - name: "Prepare" hosts: "all" + become: true vars: # Apply suggested Elasticsearch configuration elasticsearch_version: "8.x" - elasticsearch_package: "elasticsearch=8.8.1" + elasticsearch_package: "elasticsearch" elasticsearch_heap_size_min: "256m" elasticsearch_heap_size_max: "256m" elasticsearch_extra_options: | @@ -22,6 +23,7 @@ tasks: - name: "Install required packages" + when: "ansible_facts.os_family == 'Debian'" ansible.builtin.apt: name: - "sudo" 
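Review bot: In molecule/zammad/prepare.yml the pin on `elasticsearch_package` is dropped (`elasticsearch=8.8.1` becomes `elasticsearch`), so each Molecule run installs whatever 8.x build the repository serves that day. Test results are then no longer reproducible, and a failure cannot be tied to a known Elasticsearch version. The `name=version` form is apt syntax, which is presumably why the pin was removed once AlmaLinux joined the matrix. Keeping a pin per OS family would preserve it, e.g. `elasticsearch_package: "{{ 'elasticsearch=8.8.1' if ansible_facts.os_family == 'Debian' else 'elasticsearch-8.8.1' }}"`. If floating is intended, a comment on the line should say so.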
@@ -33,6 +35,37 @@ state: "present" update_cache: true + - name: "Provide SSL/TLS certificate on AlmaLinux" + when: "ansible_facts.os_family == 'RedHat'" + block: + - name: "Ensure SSL/TLS directories exist" + ansible.builtin.file: + path: "{{ item }}" + state: "directory" + mode: '0755' + loop: + - "/etc/ssl/private" + - "/etc/ssl/certs" + + - name: "Install python-cryptography" + ansible.builtin.pip: + name: "cryptography" + + - name: "Create RSA private key" + community.crypto.openssl_privatekey: + path: "/etc/ssl/private/ssl-cert-snakeoil.key" + size: 2048 + type: "RSA" + mode: '0600' + + - name: "Create a snakeoil certificate" + community.crypto.x509_certificate: + path: "/etc/ssl/certs/ssl-cert-snakeoil.pem" + privatekey_path: "/etc/ssl/private/ssl-cert-snakeoil.key" + provider: "selfsigned" + selfsigned_not_after: "+365d" + mode: '0644' + - name: "Include geerlingguy.elasticsearch" ansible.builtin.include_role: name: "geerlingguy.elasticsearch" diff --git a/roles/zammad/README.md b/roles/zammad/README.md index ca627e49..fb973fcf 100644 --- a/roles/zammad/README.md +++ b/roles/zammad/README.md @@ -64,7 +64,7 @@ File path to the SSL/TLS certificate which is used for HTTPS. zammad_ssl_key_path: "/etc/ssl/private/zammad_key.pem" ``` -File path to the SSL/TLS private key which is used for HTTPS. +File path to the SSL/TLS private key which is used for HTTPS. ```yaml zammad_ssl_cert: diff --git a/roles/zammad/handlers/main.yml b/roles/zammad/handlers/main.yml index 54e5ebca..f031fde3 100644 --- a/roles/zammad/handlers/main.yml +++ b/roles/zammad/handlers/main.yml 
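Review bot: In the new "Provide SSL/TLS certificate on AlmaLinux" block, `/etc/ssl/private` is created in the same loop and with the same `mode: '0755'` as `/etc/ssl/certs`. The directory that holds the private key is therefore listable and traversable by every local user, and the key file's own `0600` is the only barrier. Creating the private directory in its own task with `mode: '0700'` would match the restrictive layout the snakeoil fixture imitates. The `ansible.builtin.pip` task also installs an unpinned `cryptography` from PyPI as root under the play's `become: true`. Installing the distribution package instead (`ansible.builtin.dnf` with `name: "python3-cryptography"` and `state: "present"`) avoids an unpinned download into the system interpreter.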
@@ -5,16 +5,19 @@ --- - name: "Reload nginx" + become: true ansible.builtin.service: name: "nginx" state: "reloaded" - name: "Set Elasticsearch server address" + become: true ansible.builtin.command: >- zammad run rails r "Setting.set('es_url', '{{ zammad_elasticsearch_url | quote }}')" changed_when: true - name: "Build search index" + become: true ansible.builtin.command: "zammad run rake zammad:searchindex:rebuild" changed_when: true when: "not __zammad_is_installed or zammad_force_es_searchindex_rebuild" diff --git a/roles/zammad/tasks/install.yml b/roles/zammad/tasks/install.yml index 7955a05b..2b78ff85 100644 --- a/roles/zammad/tasks/install.yml +++ b/roles/zammad/tasks/install.yml @@ -10,11 +10,13 @@ block: - name: "Install | Install EPEL repo" + become: true ansible.builtin.dnf: name: "epel-release" state: "present" - name: "Install | Add Zammad yum repository" + become: true ansible.builtin.yum_repository: name: "zammad" state: "present" @@ -31,11 +33,13 @@ block: - name: "Remove Zammad apt key from legacy trusted.gpg keyring" + become: true ansible.builtin.apt_key: url: "https://dl.packager.io/srv/zammad/zammad/key" state: "absent" - name: "Remove Zammad DEB repository from sources.list" + become: true ansible.builtin.apt_repository: repo: "deb https://dl.packager.io/srv/deb/zammad/zammad/{{ zammad_release_channel }}/ubuntu {{ ansible_facts.distribution_version }} main" state: "absent" @@ -43,6 +47,7 @@ update_cache: false - name: "Install | Add Zammad DEB repository" + become: true ansible.builtin.deb822_repository: name: "zammad" types: "deb" @@ -56,6 +61,7 @@ enabled: true - name: "Update apt cache" + become: true ansible.builtin.apt: update_cache: true changed_when: false 
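Review bot: The "Set Elasticsearch server address" handler in roles/zammad/handlers/main.yml now runs from a task with `become: true`, and it interpolates `zammad_elasticsearch_url` into a Ruby single-quoted literal. The `quote` filter applies shell quoting, which is not escaping for that literal: a value with characters outside the shell-safe set gets wrapped in additional single quotes and alters the Ruby expression passed to `rails r`. Validating the variable before it reaches the handler would close this, for example an `ansible.builtin.assert` with `that: "zammad_elasticsearch_url is match('^https?://[A-Za-z0-9.:/_-]+$')"`, with the pattern adjusted to the URLs the role should accept. The handler file continues outside this hunk.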
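Review bot: `become: true` is repeated on every task in roles/zammad/tasks/install.yml (the hunks at -10,11, -31,11, -43,6, -56,6 and -69,15), although the hunk headers show that at least the first two groups sit under a `block:`. Setting `become: true` once on each `block:` would also cover tasks added to it later and keep the privilege escalation reviewable in one place. A task later added without the keyword would fail only at run time, now that the converge play sets `become: false`. The blocks begin outside the hunks, so their other keywords are not visible here.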
@@ -69,15 +75,17 @@ __zammad_is_installed: "{{ 'zammad' in ansible_facts.packages }}" - name: "Install | Install Zammad package" + become: true ansible.builtin.package: name: "zammad={{ zammad_version }}*" state: "present" - force: true + allow_downgrade: true notify: - "Set Elasticsearch server address" - "Build search index" - name: "Install | Start and enable services" + become: true ansible.builtin.service: name: "{{ item }}" state: "started" diff --git a/roles/zammad/tasks/nginx-config.yml b/roles/zammad/tasks/nginx-config.yml index 8005f0cb..4cd936a0 100644 --- a/roles/zammad/tasks/nginx-config.yml +++ b/roles/zammad/tasks/nginx-config.yml @@ -6,6 +6,7 @@ --- - name: "Nginx | Create config" + become: true ansible.builtin.template: src: "nginx-zammad.conf.j2" dest: "{{ zammad_nginx_config_path }}" diff --git a/roles/zammad/tasks/ssl.yml b/roles/zammad/tasks/ssl.yml index 92dfd034..9512ac51 100644 --- a/roles/zammad/tasks/ssl.yml +++ b/roles/zammad/tasks/ssl.yml @@ -6,6 +6,7 @@ --- - name: "SSL | Insert private key" + become: true ansible.builtin.blockinfile: path: "{{ zammad_ssl_key_path }}" create: true @@ -17,6 +18,7 @@ when: "zammad_ssl_key | default('') | length > 0" - name: "SSL | Insert certificate" + become: true ansible.builtin.blockinfile: path: "{{ zammad_ssl_cert_path }}" create: true @@ -34,6 +36,7 @@ ignore_errors: "{{ ansible_check_mode }}" - name: "SSL | Ensure certificate and private key match" + become: true community.crypto.openssl_privatekey_info: path: "{{ zammad_ssl_key_path }}" register: "__private_key"
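Review bot: `allow_downgrade: true` on "Install | Install Zammad package" lets the task replace a newer installed Zammad with an older build whenever `zammad_version` lags behind what is on the host. That can silently roll back security fixes, and the apt module documentation warns that the option can make a task non-idempotent. The line has no comment explaining that this is intended; something like `# Enforce the pinned zammad_version even when a newer package is already installed` would make the trade-off explicit. Alternatively the option could be bound to a role variable that defaults to `false`, so a downgrade is an operator decision. The rest of install.yml is outside this hunk, so whether `zammad_version` is validated elsewhere cannot be seen from here.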