- name: get expiry date before
  ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
  ignore_errors: true
  become: true
  changed_when: false
  register: certbot__cert_expiry_before

- name: obtain the certificate using certbot
  ansible.builtin.command: /usr/bin/certbot certonly --keep-until-expiring --agree-tos --non-interactive --email "{{ certbot__acme_account_email_address }}" --no-eff-email --webroot --webroot-path /webroot-for-acme-challenge -d "{{ item }}"
  become: true
  changed_when: false

- name: get expiry date after
  ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
  become: true
  changed_when: false
  register: certbot__cert_expiry_after

- name: potentially report changed
  ansible.builtin.debug:
    msg: "If this reports changed, then the certificate expiry date and therefore the certificate changed."
  changed_when: certbot__cert_expiry_before.stdout != certbot__cert_expiry_after.stdout