geerlingguy · Hoeze · Sep 20, 2024 · Sep 20, 2024 · Sep 20, 2024 · Sep 20, 2024
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -47,7 +47,7 @@ jobs:
           - distro: ubuntu2004
             playbook: converge.yml
             experimental: false
-          - distro: debian10
+          - distro: debian11
             playbook: converge.yml
             experimental: false
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -6,6 +6,7 @@ certbot_auto_renew_hour: "3"
 certbot_auto_renew_minute: "30"
 certbot_auto_renew_options: "--quiet"
 
+certbot_expand: false
 certbot_testmode: false
 certbot_hsts: false
 
@@ -14,13 +15,13 @@ certbot_hsts: false
 certbot_create_if_missing: false
 certbot_create_method: standalone
 certbot_admin_email: [email protected]
-certbot_expand: false
 
 # Default webroot, overwritten by individual per-cert webroot directories
 certbot_webroot: /var/www/letsencrypt
 
 certbot_certs: []
-# - email: [email protected]
+# - name: example.com
+#   email: [email protected]
 #   webroot: "/var/www/html/"
 #   domains:
 #     - example1.com
@@ -40,13 +41,18 @@ certbot_create_command: >-
   {{ '--webroot-path ' if certbot_create_method == 'webroot'  else '' }}
   {{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }}
   {{ certbot_create_extra_args }}
+  --cert-name {{ cert_item_name }}
   -d {{ cert_item.domains | join(',') }}
+  {{ '--expand' if certbot_expand else '' }}
   {{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services'
     if certbot_create_standalone_stop_services and certbot_create_method == 'standalone'
   else '' }}
   {{ '--post-hook /etc/letsencrypt/renewal-hooks/post/start_services'
     if certbot_create_standalone_stop_services and certbot_create_method == 'standalone'
   else '' }}
+  {{ "--deploy-hook '" ~ cert_item.deploy_hook ~ "'"
+    if 'deploy_hook' in cert_item
+  else '' }}
 
 certbot_create_standalone_stop_services:
   - nginx

diff --git a/molecule/default/playbook-standalone-nginx-aws.yml b/molecule/default/playbook-standalone-nginx-aws.yml
@@ -91,7 +91,8 @@
     certbot_create_if_missing: true
     certbot_create_standalone_stop_services: []
     certbot_certs:
-      - domains:
+      - name: certbot-test.servercheck.in
+        domains:
           - certbot-test.servercheck.in
     nginx_vhosts:
       - listen: "443 ssl http2"

diff --git a/tasks/create-cert-standalone.yml b/tasks/create-cert-standalone.yml
@@ -1,4 +1,13 @@
 ---
+- name: Determine certificate name
+  set_fact:
+    cert_item_name: "{{ cert_item.name | default(cert_item.domains | first | replace('*.', '')) }}"
+
+- name: Check if certificate already exists.
+  stat:
+    path: /etc/letsencrypt/live/{{ cert_item_name }}/cert.pem
+  register: letsencrypt_cert
+
 - name: Ensure pre and post hook folders exist.
   file:
     path: /etc/letsencrypt/renewal-hooks/{{ item }}
@@ -32,7 +41,23 @@
     - certbot_create_standalone_stop_services is defined
     - certbot_create_standalone_stop_services
 
+- name: Check if domains have changed
+  block:
+    - name: Register certificate domains
+      shell: "{{ certbot_script }} certificates --cert-name {{ cert_item_name }} | grep Domains | cut -d':' -f2"
+      changed_when: false
+      register: letsencrypt_cert_domains_dirty
+
+    - name: Cleanup domain list
+      set_fact:
+        letsencrypt_cert_domains: "{{ letsencrypt_cert_domains_dirty.stdout | trim | split(' ') | map('trim') | select('!=', '') | list | sort }}"
+
+    - name: Determine if domains have changed
+      set_fact:
+        letsencrypt_cert_domains_changed: "{{ letsencrypt_cert_domains != (cert_item.domains | map('trim') | select('!=', '') | list | sort) }}"
+
+  when: letsencrypt_cert.stat.exists
+
 - name: Generate new certificate if one doesn't exist.
   command: "{{ certbot_create_command }}"
-  register: certbot_create
-  changed_when: "'no action taken' not in certbot_create.stdout"
+  when: not letsencrypt_cert.stat.exists or letsencrypt_cert_domains_changed | default(false)
diff --git a/tasks/create-cert-webroot.yml b/tasks/create-cert-webroot.yml
@@ -1,10 +1,35 @@
 ---
+- name: Determine certificate name
+  set_fact:
+    cert_item_name: "{{ cert_item.name | default(cert_item.domains | first | replace('*.', '')) }}"
+
+- name: Check if certificate already exists.
+  stat:
+    path: /etc/letsencrypt/live/{{ cert_item_name }}/cert.pem
+  register: letsencrypt_cert
+
 - name: Create webroot directory if it doesn't exist yet
   file:
     path: "{{ cert_item.webroot | default(certbot_webroot) }}"
     state: directory
 
+- name: Check if domains have changed
+  block:
+    - name: Register certificate domains
+      shell: "{{ certbot_script }} certificates --cert-name {{ cert_item_name }} | grep Domains | cut -d':' -f2"
+      changed_when: false
+      register: letsencrypt_cert_domains_dirty
+
+    - name: Cleanup domain list
+      set_fact:
+        letsencrypt_cert_domains: "{{ letsencrypt_cert_domains_dirty.stdout | trim | split(' ') | map('trim') | select('!=', '') | list | sort }}"
+
+    - name: Determine if domains have changed
+      set_fact:
+        letsencrypt_cert_domains_changed: "{{ letsencrypt_cert_domains != (cert_item.domains | map('trim') | select('!=', '') | list | sort) }}"
+
+  when: letsencrypt_cert.stat.exists
+
 - name: Generate new certificate if one doesn't exist.
   command: "{{ certbot_create_command }}"
-  register: certbot_create
-  changed_when: "'no action taken' not in certbot_create.stdout"
+  when: not letsencrypt_cert.stat.exists or letsencrypt_cert_domains_changed | default(false)