#49 Handle domain list change for a certificate

defaults/main.yml

@@ -19,7 +19,7 @@ certbot_certs: []
 #     - example3.com
 certbot_create_command: >-
   {{ certbot_script }} certonly --standalone --noninteractive --agree-tos
-  --email {{ cert_item.email | default(certbot_admin_email) }}
+  --expand --email {{ cert_item.email | default(certbot_admin_email) }}
   -d {{ cert_item.domains | join(',') }}
 
 certbot_create_standalone_stop_services:

tasks/create-cert-standalone.yml

@@ -1,23 +1,28 @@
 ---
-- name: Check if certificate already exists.
-  stat:
-    path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem
-  register: letsencrypt_cert
+- name: Check if certificate exists or has been changed.
+  import_tasks: test-cert-exists.yml
 
 - name: Stop services to allow certbot to generate a cert.
   service:
     name: "{{ item }}"
     state: stopped
-  when: not letsencrypt_cert.stat.exists
+  when: not letsencrypt_cert_exists.stat.exists or letsencrypt_cert_updated
   with_items: "{{ certbot_create_standalone_stop_services }}"
 
 - name: Generate new certificate if one doesn't exist.
-  command: "{{ certbot_create_command }}"
-  when: not letsencrypt_cert.stat.exists
+  shell: "{{ certbot_create_command }}"
+  when: not letsencrypt_cert_exists.stat.exists or letsencrypt_cert_updated
+
+- name: Persist domain list to /etc/letsencrypt/domains-{{ cert_item.domains | first }}.
+  copy:
+    dest: /etc/letsencrypt/domains-{{ cert_item.domains | first }}.json
+    # Add a space here because of https://github.com/ansible/ansible/issues/6077
+    content: " {{ cert_item.domains | to_json }}\n"
+  when: not letsencrypt_cert_exists.stat.exists or letsencrypt_cert_updated
 
 - name: Start services after cert has been generated.
   service:
     name: "{{ item }}"
     state: started
-  when: not letsencrypt_cert.stat.exists
+  when: not letsencrypt_cert_exists.stat.exists or letsencrypt_cert_updated
   with_items: "{{ certbot_create_standalone_stop_services }}"

tasks/test-cert-exists.yml

@@ -0,0 +1,19 @@
+---
+- name: Check if certificate already exists.
+  stat:
+    path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem
+  register: letsencrypt_cert_exists
+
+- name: Check if certificate domain list has changed.
+  lineinfile:
+    path: /etc/letsencrypt/domains-{{ cert_item.domains | first | replace('*.', '') }}.json
+    line: " {{ cert_item.domains | to_json }}"
+    state: present
+    create: true
+  check_mode: true
+  register: letsencrypt_cert_contents
+  when: letsencrypt_cert_exists.stat.exists
+
+- set_fact:
+    letsencrypt_cert_updated: "{{ (letsencrypt_cert_contents is changed) or (letsencrypt_cert_contents is failed) }}"
+  when: letsencrypt_cert_exists.stat.exists