diff --git a/tests/tasks/cleanup.yml b/tests/tasks/cleanup.yml
index 5fb1d97..359267c 100644
--- a/tests/tasks/cleanup.yml
+++ b/tests/tasks/cleanup.yml
@@ -12,6 +12,16 @@
     - always
     - tests::cleanup
 
+- name: Cleanup - services
+  service:
+    name: "{{ __cockpit_daemon }}"
+    state: stopped
+    enabled: false
+  when: __cockpit_is_ostree | d(false)
+  tags:
+    - always
+    - tests::cleanup
+
 - name: Cleanup - find certificates
   find:
     paths: /etc/cockpit/ws-certs.d/
diff --git a/tests/tests_certificate_existing.yml b/tests/tests_certificate_existing.yml
index 032b569..71e2082 100644
--- a/tests/tests_certificate_existing.yml
+++ b/tests/tests_certificate_existing.yml
@@ -2,14 +2,16 @@
 # yamllint disable rule:line-length
 - name: Test using an existing certificate with cockpit
   hosts: all
-  roles:
-    - role: linux-system-roles.cockpit
+  tasks:
+    - name: Include role
+      include_role:
+        name: linux-system-roles.cockpit
+        public: true
       vars:
         cockpit_packages: minimal
         cockpit_cert: /etc/myserver.crt
         cockpit_private_key: /etc/myserver.key
 
-  tasks:
     - name: Collect installed package versions
       package_facts:
 
@@ -26,6 +28,14 @@
           args:
             creates: /etc/myserver.crt
 
+        # ostree cannot remove packages and cannot cleanup properly
+        # this works around that issue
+        - name: Restart cockpit to use the new certificates
+          service:
+            name: "{{ __cockpit_daemon }}"
+            state: restarted
+          when: __cockpit_is_ostree | d(false)
+
         - name: Test - cockpit works with TLS and expected certificate
           # noqa command-instead-of-module
           command:
diff --git a/tests/tests_certificate_external.yml b/tests/tests_certificate_external.yml
index 1074444..abee39e 100644
--- a/tests/tests_certificate_external.yml
+++ b/tests/tests_certificate_external.yml
@@ -1,20 +1,16 @@
 ---
-# yamllint disable rule:line-length
-# This approach relies on https://github.com/linux-system-roles/certificate/pull/97 and cockpit ≥ 211,
-# so it does not work on RHEL/CentOS 7. tests_certificate_runafter.yml covers an approach which
-# works everywhere, but has to use a `runafter` script.
-- name: Install cockpit
-  hosts: all
-  vars:
-    cockpit_packages: minimal
-  roles:
-    - linux-system-roles.cockpit
-
-- name: Generate self-signed certmonger certificate
+- name: Test with generated self-signed certmonger certificate
   hosts: all
   tasks:
     - name: Tests
       block:
+        - name: Include role
+          include_role:
+            name: linux-system-roles.cockpit
+            public: true
+          vars:
+            cockpit_packages: minimal
+
         - name: Collect installed package versions
           package_facts:
 
@@ -41,6 +37,14 @@
                     ca: self-sign
                     group: cockpit-ws
 
+            # ostree cannot remove packages and cannot cleanup properly
+            # this works around that issue
+            - name: Restart cockpit to use the new certificates
+              service:
+                name: "{{ __cockpit_daemon }}"
+                state: restarted
+              when: __cockpit_is_ostree | d(false)
+
             #
             # Validate installation
             #
diff --git a/tests/tests_certificate_internal.yml b/tests/tests_certificate_internal.yml
index 4afaec2..9c9edd6 100644
--- a/tests/tests_certificate_internal.yml
+++ b/tests/tests_certificate_internal.yml
@@ -19,6 +19,7 @@
                     group: cockpit-ws
               include_role:
                 name: linux-system-roles.cockpit
+                public: true
           rescue:
             - name: Check the error message
               vars:
@@ -42,6 +43,14 @@
             - name: Collect installed package versions
               package_facts:
 
+            # ostree cannot remove packages and cannot cleanup properly
+            # this works around that issue
+            - name: Restart cockpit to use the new certificates
+              service:
+                name: "{{ __cockpit_daemon }}"
+                state: restarted
+              when: __cockpit_is_ostree | d(false)
+
             # Validate installation
             - name: Test - cockpit works with TLS and expected certificate
               # noqa command-instead-of-module
diff --git a/tests/tests_certificate_runafter.yml b/tests/tests_certificate_runafter.yml
index 811cc26..9978573 100644
--- a/tests/tests_certificate_runafter.yml
+++ b/tests/tests_certificate_runafter.yml
@@ -11,6 +11,7 @@
         cockpit_packages: minimal
       include_role:
         name: linux-system-roles.cockpit
+        public: true
 
     # self-signed is broken (https://github.com/linux-system-roles/certificate/issues/98),
     # and has too restrictive keyUsage so that using the certificate as CA is not allowed
@@ -47,6 +48,14 @@
 
     - name: Validate installation
       block:
+        # ostree cannot remove packages and cannot cleanup properly
+        # this works around that issue
+        - name: Restart cockpit to use the new certificates
+          service:
+            name: "{{ __cockpit_daemon }}"
+            state: restarted
+          when: __cockpit_is_ostree | d(false)
+
         # ugh, is there really no better way to do that?
         - name: Get PEM of certmonger's local CA
           command:
diff --git a/tests/tests_port.yml b/tests/tests_port.yml
index e51febb..2ee7741 100644
--- a/tests/tests_port.yml
+++ b/tests/tests_port.yml
@@ -19,6 +19,7 @@
         - name: Run cockpit role
           include_role:
             name: linux-system-roles.cockpit
+            public: true
           vars:
             cockpit_packages: minimal
             cockpit_port: 443