geerlingguy · geerlingguy · Mar 25, 2025 · Sep 20, 2024 · Sep 20, 2024 · Sep 20, 2024
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -21,16 +21,15 @@ certbot_expand: false
 certbot_webroot: /var/www/letsencrypt
 
 certbot_certs: []
-# - email: janedoe@example.com
+# - name: example.com
+#   email: janedoe@example.com
 #   webroot: "/var/www/html/"
 #   domains:
 #     - example1.com
 #     - example2.com
 # - domains:
 #     - example3.com
 
-certbot_create_extra_args: ""
-
 certbot_create_command: >-
   {{ certbot_script }} certonly --{{ certbot_create_method  }}
   {{ '--hsts' if certbot_hsts else '' }}
@@ -41,13 +40,18 @@ certbot_create_command: >-
   {{ '--webroot-path ' if certbot_create_method == 'webroot'  else '' }}
   {{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }}
   {{ certbot_create_extra_args }}
+  --cert-name {{ cert_item_name }}
   -d {{ cert_item.domains | join(',') }}
+  {{ '--expand' if certbot_expand else '' }}
   {{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services'
     if certbot_create_standalone_stop_services and certbot_create_method == 'standalone'
   else '' }}
   {{ '--post-hook /etc/letsencrypt/renewal-hooks/post/start_services'
     if certbot_create_standalone_stop_services and certbot_create_method == 'standalone'
   else '' }}
+  {{ "--deploy-hook '" ~ cert_item.deploy_hook ~ "'"
+    if 'deploy_hook' in cert_item
+  else '' }}
 
 certbot_create_standalone_stop_services:
   - nginx

diff --git a/molecule/default/playbook-standalone-nginx-aws.yml b/molecule/default/playbook-standalone-nginx-aws.yml
@@ -91,7 +91,8 @@
     certbot_create_if_missing: true
     certbot_create_standalone_stop_services: []
     certbot_certs:
-      - domains:
+      - name: certbot-test.servercheck.in
+        domains:
           - certbot-test.servercheck.in
     nginx_vhosts:
       - listen: "443 ssl http2"

diff --git a/tasks/create-cert-standalone.yml b/tasks/create-cert-standalone.yml
@@ -1,4 +1,13 @@
 ---
+- name: Determine certificate name
+  set_fact:
+    cert_item_name: "{{ cert_item.name | default(cert_item.domains | first | replace('*.', '')) }}"
+
+- name: Check if certificate already exists.
+  stat:
+    path: /etc/letsencrypt/live/{{ cert_item_name }}/cert.pem
+  register: letsencrypt_cert
+
 - name: Ensure pre and post hook folders exist.
   file:
     path: /etc/letsencrypt/renewal-hooks/{{ item }}
@@ -32,7 +41,23 @@
     - certbot_create_standalone_stop_services is defined
     - certbot_create_standalone_stop_services
 
+- name: Check if domains have changed
+  block:
+    - name: Register certificate domains
+      shell: "{{ certbot_script }} certificates --cert-name {{ cert_item_name }} | grep Domains | cut -d':' -f2"
+      changed_when: false
+      register: letsencrypt_cert_domains_dirty
+
+    - name: Cleanup domain list
+      set_fact:
+        letsencrypt_cert_domains: "{{ letsencrypt_cert_domains_dirty.stdout | trim | split(' ') | map('trim') | select('!=', '') | list | sort }}"
+
+    - name: Determine if domains have changed
+      set_fact:
+        letsencrypt_cert_domains_changed: "{{ letsencrypt_cert_domains != (cert_item.domains | map('trim') | select('!=', '') | list | sort) }}"
+
+  when: letsencrypt_cert.stat.exists
+
 - name: Generate new certificate if one doesn't exist.
   command: "{{ certbot_create_command }}"
-  register: certbot_create
-  changed_when: "'no action taken' not in certbot_create.stdout"
+  when: not letsencrypt_cert.stat.exists or letsencrypt_cert_domains_changed | default(false)
diff --git a/tasks/create-cert-webroot.yml b/tasks/create-cert-webroot.yml
@@ -1,10 +1,35 @@
 ---
+- name: Determine certificate name
+  set_fact:
+    cert_item_name: "{{ cert_item.name | default(cert_item.domains | first | replace('*.', '')) }}"
+
+- name: Check if certificate already exists.
+  stat:
+    path: /etc/letsencrypt/live/{{ cert_item_name }}/cert.pem
+  register: letsencrypt_cert
+
 - name: Create webroot directory if it doesn't exist yet
   file:
     path: "{{ cert_item.webroot | default(certbot_webroot) }}"
     state: directory
 
+- name: Check if domains have changed
+  block:
+    - name: Register certificate domains
+      shell: "{{ certbot_script }} certificates --cert-name {{ cert_item_name }} | grep Domains | cut -d':' -f2"
+      changed_when: false
+      register: letsencrypt_cert_domains_dirty
+
+    - name: Cleanup domain list
+      set_fact:
+        letsencrypt_cert_domains: "{{ letsencrypt_cert_domains_dirty.stdout | trim | split(' ') | map('trim') | select('!=', '') | list | sort }}"
+
+    - name: Determine if domains have changed
+      set_fact:
+        letsencrypt_cert_domains_changed: "{{ letsencrypt_cert_domains != (cert_item.domains | map('trim') | select('!=', '') | list | sort) }}"
+
+  when: letsencrypt_cert.stat.exists
+
 - name: Generate new certificate if one doesn't exist.
   command: "{{ certbot_create_command }}"
-  register: certbot_create
-  changed_when: "'no action taken' not in certbot_create.stdout"
+  when: not letsencrypt_cert.stat.exists or letsencrypt_cert_domains_changed | default(false)