ansible-infra/roles/certbot/tasks/main/cert.yaml

- name: get expiry date before
  ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item.commonName }}/fullchain.pem
  ignore_errors: true
  become: true
  changed_when: false
  register: certbot__cert_expiry_before

- name: ensure directory for cert configs exists
  ansible.builtin.file:
    path: "/etc/ansible_certbot/cert_configs/"
    state: directory
    owner: root
    group: root
    mode: "0750"
  become: true

- name: ensure cert config is stored
  ansible.builtin.copy:
    content: "{{ cert_config_defaults[item.challengeType] | combine(item, recursive=True) | ansible.builtin.to_nice_json }}"
    dest: "/etc/ansible_certbot/cert_configs/{{ item.commonName }}.json"
    owner: root
    group: root
    mode: "0640"
  become: true
  vars:
    cert_config_defaults:
      dns-01-acme-dns:
        dns_01_acme_dns:
          serverUrl: "https://acmedns.hamburg.ccc.de"

# # https://eff-certbot.readthedocs.io/en/stable/using.html#manual
- name: obtain the certificate using certbot and the manual auth hook
  ansible.builtin.command: /usr/bin/certbot certonly --keep-until-expiring --agree-tos --non-interactive --email "{{ certbot__acme_account_email_address }}" --no-eff-email --manual --preferred-challenge dns --manual-auth-hook "/usr/local/lib/ansible_certbot/manual_auth_scripts/{{ item.challengeType }}.sh" -d "{{ item.commonName }}"
  become: true
  changed_when: false

- name: get expiry date after
  ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item.commonName }}/fullchain.pem
  become: true
  changed_when: false
  register: certbot__cert_expiry_after

- name: potentially report changed
  ansible.builtin.debug:
    msg: "If this reports changed, then the certificate expiry date and therefore the certificate changed."
  changed_when: certbot__cert_expiry_before.stdout != certbot__cert_expiry_after.stdout