From 11aa29849ac8eef44f4277b02c545735c5c1866a Mon Sep 17 00:00:00 2001
From: Nikolaos Kakouros
Date: Wed, 6 Sep 2017 20:24:42 +0200
Subject: [PATCH 01/13] Registers and generates certificates

---
 defaults/main.yml        | 20 +++++++++++++++++++-
 tasks/generate-certs.yml |  7 +++++++
 tasks/main.yml           |  3 +++
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 tasks/generate-certs.yml

diff --git a/defaults/main.yml b/defaults/main.yml
index 7f6f0d3..58f9ef7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,7 +1,10 @@
 ---
+# Global options for configuration file
+certbot_config_file_options: {}
+
 # Certbot auto-renew cron job configuration (for certificate renewals).
 certbot_auto_renew: true
-certbot_auto_renew_user: "{{ ansible_user }}"
+certbot_auto_renew_user: "{{ lookup('env', 'USER') }}"
 certbot_auto_renew_hour: 3
 certbot_auto_renew_minute: 30
 
@@ -14,3 +17,18 @@ certbot_keep_updated: yes
 
 # Where to put Certbot when installing from source.
 certbot_dir: /opt/certbot
+
+# Set to true to have this role register and generate certificates for your
+# domains.
+certbot_handle_certs: true
+certbot_register_email: user@example.com
+
+# The command to run to register with Let's Encrypt
+certbot_register_command: certbot --non-interactive --agree-tos --email "{{ certbot_register_email }}"
+
+# The domains to generate certs for
+certbot_domains:
+- 'example.com'
+
+# The command to run to generate the certificates
+certbot_cert_command: certbot certonly --noninteractive --standalone
diff --git a/tasks/generate-certs.yml b/tasks/generate-certs.yml
new file mode 100644
index 0000000..78633c7
--- /dev/null
+++ b/tasks/generate-certs.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Register with Let's Encrypt
+  command: "{{ certbot_register_command }}"
+
+- name: Generate certificates
+  command: "{{ certbot_cert_command }} -d {{ certbot_domains | join(' -d ') }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index 5324ff9..fde7828 100644
--- a/tasks/main.yml
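Review bot: `lookup('env', 'USER')` in the new `certbot_auto_renew_user` default is evaluated on the Ansible controller, not on the managed host, so the renewal cron job is installed for whatever local account runs the playbook; on a target where that account does not exist, the renewal never runs and nothing reports it. If the goal is to stop depending on `ansible_user`, a remote fact is the safer default, e.g. `certbot_auto_renew_user: "{{ ansible_user_id }}"` (requires fact gathering), and a comment such as `# Remote account the renewal cron job runs as.` would make the intent clear. The same hunk adds `certbot_config_file_options: {}`, which nothing in this series appears to read; either document where it is consumed or drop it.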
+++ b/tasks/main.yml
@@ -7,5 +7,8 @@
 - include: install-from-source.yml
   when: certbot_install_from_source
 
+- include: generate-certs.yml
+  when: certbot_handle_certs
+
 - include: renew-cron.yml
   when: certbot_auto_renew

From 4efe192db2021cf7ff2d6ef32c3a251ed9c90bbd Mon Sep 17 00:00:00 2001
From: Nikolaos Kakouros
Date: Wed, 6 Sep 2017 20:42:03 +0200
Subject: [PATCH 02/13] Fixes certbot executable name

---
 defaults/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 58f9ef7..2d27b10 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -24,11 +24,11 @@ certbot_handle_certs: true
 certbot_register_email: user@example.com
 
 # The command to run to register with Let's Encrypt
-certbot_register_command: certbot --non-interactive --agree-tos --email "{{ certbot_register_email }}"
+certbot_register_command: "{{ certbot_script }} --non-interactive --agree-tos --email {{ certbot_register_email }}"
 
 # The domains to generate certs for
 certbot_domains:
 - 'example.com'
 
 # The command to run to generate the certificates
-certbot_cert_command: certbot certonly --noninteractive --standalone
+certbot_cert_command: "{{ certbot_script }} certonly --noninteractive --standalone"

From 133935d5af1c082a1d6da62be26e1955b730d904 Mon Sep 17 00:00:00 2001
From: Nikolaos Kakouros
Date: Wed, 6 Sep 2017 20:58:32 +0200
Subject: [PATCH 03/13] Adds missing operation

---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 2d27b10..55d2072 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
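Review bot: The two new command defaults spell the same certbot flag two ways, `--non-interactive` in `certbot_register_command` and `--noninteractive` in `certbot_cert_command`; certbot accepts both, but a reader comparing the two lines will assume they differ, so use one spelling in both. Both defaults now expand `{{ certbot_script }}`, which is not defined anywhere in this series; presumably it comes from the role's vars, and a one-line comment above the first use, `# certbot_script is set by the role's vars for the chosen install method.`, would save the next reader the search.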
@@ -24,7 +24,7 @@ certbot_handle_certs: true
 certbot_register_email: user@example.com
 
 # The command to run to register with Let's Encrypt
-certbot_register_command: "{{ certbot_script }} --non-interactive --agree-tos --email {{ certbot_register_email }}"
+certbot_register_command: "{{ certbot_script }} register --non-interactive --agree-tos --email {{ certbot_register_email }}"
 
 # The domains to generate certs for
 certbot_domains:

From 5ef3c252dffc6d178bc1117d4a4cfcece624dbb1 Mon Sep 17 00:00:00 2001
From: Nikolaos Kakouros
Date: Wed, 6 Sep 2017 22:15:15 +0200
Subject: [PATCH 04/13] Checks if email is given

---
 defaults/main.yml        | 4 +++-
 tasks/generate-certs.yml | 6 ++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 55d2072..7a71d80 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -21,7 +21,9 @@ certbot_dir: /opt/certbot
 # Set to true to have this role register and generate certificates for your
 # domains.
 certbot_handle_certs: true
-certbot_register_email: user@example.com
+
+# The email to register with (required).
+certbot_register_email: ''
 
 # The command to run to register with Let's Encrypt
 certbot_register_command: "{{ certbot_script }} register --non-interactive --agree-tos --email {{ certbot_register_email }}"
diff --git a/tasks/generate-certs.yml b/tasks/generate-certs.yml
index 78633c7..ff3a236 100644
--- a/tasks/generate-certs.yml
+++ b/tasks/generate-certs.yml
@@ -1,5 +1,11 @@
 ---
 
+- name: Make sure we have an email
+  assert:
+    that:
+      - "certbot_register_email is defined"
+    msg: "You need to provide an email address you own to register with Let's Encrypt."
+
 - name: Register with Let's Encrypt
   command: "{{ certbot_register_command }}"
 

From 31bf48e5cfe605efa307396e6f0a2f88d3704543 Mon Sep 17 00:00:00 2001
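Review bot: The default `certbot_register_command` passes `--agree-tos` together with `--non-interactive`, so applying the role accepts the Let's Encrypt subscriber agreement on the operator's behalf with no prompt and no mention of it in the variable's comment. That is a policy decision a user should see before the command runs; extend the comment above the default to `# The command to run to register with Let's Encrypt. --agree-tos accepts the Let's Encrypt subscriber agreement on your behalf.` and mirror the sentence in the README entry for this variable.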
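Review bot: With `certbot_register_email` now defaulting to `''` while `certbot_handle_certs` keeps its default of `true`, every existing consumer of the role that never heard of the new variables will start failing at the new assert in tasks/generate-certs.yml, and those who do set an email will have the role register with Let's Encrypt and run `certbot certonly --standalone` on every host without having opted in. Certificate generation is the kind of side effect that should be opt-in: change the default to `certbot_handle_certs: false` and keep the assert as the guard for the opted-in case. If `true` is kept deliberately, the comment on the variable should say that upgrading users must now set an email.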
From: Nikolaos Kakouros
Date: Wed, 6 Sep 2017 22:17:40 +0200
Subject: [PATCH 05/13] Changes the email check

---
 tasks/generate-certs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/generate-certs.yml b/tasks/generate-certs.yml
index ff3a236..59f1633 100644
--- a/tasks/generate-certs.yml
+++ b/tasks/generate-certs.yml
@@ -3,7 +3,7 @@
 - name: Make sure we have an email
   assert:
     that:
-      - "certbot_register_email is defined"
+      - "certbot_register_email is not empty"
     msg: "You need to provide an email address you own to register with Let's Encrypt."
 
 - name: Register with Let's Encrypt

From 4fa0838635a94df6dafc5ce532adc56ca9cb0702 Mon Sep 17 00:00:00 2001
From: Nikolaos Kakouros
Date: Wed, 6 Sep 2017 22:18:32 +0200
Subject: [PATCH 06/13] Changes the email check

---
 tasks/generate-certs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/generate-certs.yml b/tasks/generate-certs.yml
index 59f1633..4716b14 100644
--- a/tasks/generate-certs.yml
+++ b/tasks/generate-certs.yml
@@ -3,7 +3,7 @@
 - name: Make sure we have an email
   assert:
     that:
-      - "certbot_register_email is not empty"
+      - "certbot_register_email == ''"
     msg: "You need to provide an email address you own to register with Let's Encrypt."
 
 - name: Register with Let's Encrypt

From 6953004efc8c7734e15ae4f19e2830d99c0cefca Mon Sep 17 00:00:00 2001
From: Nikolaos Kakouros
Date: Wed, 6 Sep 2017 22:19:35 +0200
Subject: [PATCH 07/13] Changes the email check

---
 tasks/generate-certs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/generate-certs.yml b/tasks/generate-certs.yml
index 4716b14..aa5ee5b 100644
--- a/tasks/generate-certs.yml
+++ b/tasks/generate-certs.yml
@@ -3,7 +3,7 @@
 - name: Make sure we have an email
   assert:
     that:
-      - "certbot_register_email == ''"
+      - "certbot_register_email != ''"
     msg: "You need to provide an email address you own to register with Let's Encrypt."
 
 - name: Register with Let's Encrypt
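Review bot: The final form of the check, `certbot_register_email != ''`, only rejects the empty string, yet the value is spliced unquoted into `certbot_register_command` and the `command` module splits that string on whitespace, so a value containing spaces or starting with `-` becomes extra certbot arguments instead of an address, and the registration would then run with whatever certbot makes of them. Since the assert already exists, tighten it to the shape of an address as a second entry in the same `that` list, e.g. `- "certbot_register_email is match('^[^@ ]+@[^@ ]+$')"`. The assert task is fully inside the hunk; the register task that consumes the value continues below it.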
From 368de86163a572168fd7981077f732155190dcbd Mon Sep 17 00:00:00 2001
From: Nikolaos Kakouros
Date: Wed, 6 Sep 2017 22:27:59 +0200
Subject: [PATCH 08/13] Runs registration once

---
 tasks/generate-certs.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tasks/generate-certs.yml b/tasks/generate-certs.yml
index aa5ee5b..ee6c913 100644
--- a/tasks/generate-certs.yml
+++ b/tasks/generate-certs.yml
@@ -8,6 +8,8 @@
 
 - name: Register with Let's Encrypt
   command: "{{ certbot_register_command }}"
+  args:
+    creates: /etc/letsencrypt/accounts
 
 - name: Generate certificates
   command: "{{ certbot_cert_command }} -d {{ certbot_domains | join(' -d ') }}"

From de14ee24760509e391baf5fa244b343e558f3d8c Mon Sep 17 00:00:00 2001
From: Nikolaos Kakouros
Date: Wed, 6 Sep 2017 22:57:59 +0200
Subject: [PATCH 09/13] Checks if domain names are given

---
 defaults/main.yml        | 3 +--
 tasks/generate-certs.yml | 6 ++++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 7a71d80..fefbe1d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -29,8 +29,7 @@ certbot_register_email: ''
 certbot_register_command: "{{ certbot_script }} register --non-interactive --agree-tos --email {{ certbot_register_email }}"
 
 # The domains to generate certs for
-certbot_domains:
-- 'example.com'
+certbot_domains: []
 
 # The command to run to generate the certificates
 certbot_cert_command: "{{ certbot_script }} certonly --noninteractive --standalone"
diff --git a/tasks/generate-certs.yml b/tasks/generate-certs.yml
index ee6c913..5f3e797 100644
--- a/tasks/generate-certs.yml
+++ b/tasks/generate-certs.yml
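Review bot: `creates: /etc/letsencrypt/accounts` ties the "already registered" decision to certbot's default config directory, so if a user routes `certbot_register_command` through a different `--config-dir`, registration re-runs on every play, and conversely a partially created directory from a failed first run means the task is skipped forever while the email assert above keeps passing. Record the assumption where the next maintainer will trip over it, `# Skip once an account exists; assumes certbot's default /etc/letsencrypt config dir.`, and consider deriving the path from the same variable the command uses if one is introduced. The register task is fully inside the hunk.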
@@ -6,6 +6,12 @@
       - "certbot_register_email != ''"
     msg: "You need to provide an email address you own to register with Let's Encrypt."
 
+- name: Make sure we have domains
+  assert:
+    that:
+      - "certbot_domains != []"
+    msg: "You need to provide at least one domain to generate certificates for."
+
 - name: Register with Let's Encrypt
   command: "{{ certbot_register_command }}"
   args:

From f9cbd99299fd677bb72377fd12326ea05c2d5f23 Mon Sep 17 00:00:00 2001
From: Nikolaos Kakouros
Date: Wed, 6 Sep 2017 23:00:13 +0200
Subject: [PATCH 10/13] Updates README

---
 README.md | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 5c04cf7..a2194a6 100644
--- a/README.md
+++ b/README.md
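Review bot: `certbot_domains != []` only rejects an empty list; each entry is later joined into the `-d` arguments of the Generate certificates task, where the `command` module splits the rendered string on whitespace, so an entry containing spaces or starting with `-` silently turns into extra certbot arguments, and a value supplied as a plain string instead of a list passes the check and is joined character by character. Since the assert is already here, add the two conditions that close both gaps to the same `that` list: `- "certbot_domains is sequence and certbot_domains is not string"` and `- "certbot_domains | reject('match', '^[A-Za-z0-9.-]+$') | list | length == 0"`. The new assert task is fully inside the hunk; the task that consumes the list is outside it.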
@@ -19,6 +19,23 @@ The variable `certbot_install_from_source` controls whether to install Certbot f
 
 By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.
 
+### Certificate generation
+`certbot_handle_certs: true`
+Set to true to have this role register and generate certificates for your
+domains.
+
+`certbot_register_email: ''``
+The email to register with. This is required (if you set `certbot_handle_certs` to true) or else the role will fail.
+
+certbot_domains: []
+The domains to generate certs for. This is required (if you set `certbot_handle_certs` to true) or else the role will fail.
+
+`certbot_register_command: "{{ certbot_script }} register --non-interactive --agree-tos --email {{ certbot_register_email }}"`
+The command to run to register with Let's Encrypt.
+
+`certbot_cert_command: "{{ certbot_script }} certonly --noninteractive --standalone"`
+The command to run to generate the certificates.
+
 ### Source Installation from Git
 
 You can install Certbot from it's Git source repository if desired. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).
@@ -41,16 +58,18 @@ None.
 
 ## Example Playbook
 
     - hosts: servers
-    
+
       vars:
         certbot_auto_renew_user: your_username_here
         certbot_auto_renew_minute: 20
         certbot_auto_renew_hour: 5
-    
+
       roles:
         - geerlingguy.certbot
 
-### Creating certificates with certbot
+### Manually creating certificates with certbot
+
+If you do not enable certificate generation via this role (`certbot_handle_certs: true`), you can follow the steps below to generate your certificates.
 
 After installation, you can create certificates using the `certbot` (or `certbot-auto`) script (use `letsencrypt` on Ubuntu 16.04, or use `/opt/certbot/certbot-auto` if installing from source/Git. Here are some example commands to configure certificates with Certbot:

From 68591ede4cb759d3817fef33f3e55560d8ed43e5 Mon Sep 17 00:00:00 2001
From: Nikolaos Kakouros
Date: Thu, 7 Sep 2017 20:16:00 +0200
Subject: [PATCH 11/13] Fixes expanding existing certificate

---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index fefbe1d..b4cd916 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -32,4 +32,4 @@ certbot_register_command: "{{ certbot_script }} register --non-interactive --agr
 certbot_domains: []
 
 # The command to run to generate the certificates
-certbot_cert_command: "{{ certbot_script }} certonly --noninteractive --standalone"
+certbot_cert_command: "{{ certbot_script }} certonly --noninteractive --standalone --expand"

From d8d77bac76a007fd79c784658d9e3c882f8fca9a Mon Sep 17 00:00:00 2001
From: Nikolaos Kakouros
Date: Thu, 7 Sep 2017 20:16:19 +0200
Subject: [PATCH 12/13] Checks if certbot has actually generated sth

---
 tasks/generate-certs.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tasks/generate-certs.yml b/tasks/generate-certs.yml
index 5f3e797..6112828 100644
--- a/tasks/generate-certs.yml
+++ b/tasks/generate-certs.yml
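Review bot: Adding `--expand` to the default `certbot_cert_command` makes certbot replace an existing certificate whenever `certbot_domains` grows to a superset of the current lineage, with no confirmation because the command is also non-interactive, and the variable's comment says nothing about that. The default also keeps `--standalone`, which runs certbot's own temporary web server on the ACME challenge port, so the task fails on hosts where a web server is already listening there. Both belong in the comment above the default, e.g. `# --expand replaces an existing certificate when domains are added; --standalone needs the challenge port free, so use the webroot/apache/nginx plugin if a web server runs on this host.`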
@@ -19,3 +19,5 @@
 
 - name: Generate certificates
   command: "{{ certbot_cert_command }} -d {{ certbot_domains | join(' -d ') }}"
+  register: result
+  changed_when: result.stdout.find("Certificate not yet due for renewal") == -1

From fbe6399b007666e641a9c23c11f744c9067b3ddc Mon Sep 17 00:00:00 2001
From: Nikolaos Kakouros
Date: Thu, 7 Sep 2017 20:20:22 +0200
Subject: [PATCH 13/13] Updates README

---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index a2194a6..a3aec0f 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,11 @@ domains.
 The email to register with. This is required (if you set `certbot_handle_certs` to true) or else the role will fail.
 
 certbot_domains: []
-The domains to generate certs for. This is required (if you set `certbot_handle_certs` to true) or else the role will fail.
+The domains to generate certs for. This is required (if you set `certbot_handle_certs` to true) or else the role will fail. If you are also using the [geerlingguy/ansible-role-apache](https://github.com/geerlingguy/ansible-role-apache) role, you can use something like this to get a list of your domains:
+```yaml
+certbot_domains: "{{ [0,1,2] | map('extract', apache_vhosts, 'servername') | list }}"
+```
+where `[0,1,2,]` means the first, second and third virtual host specification respectively.
 
 `certbot_register_command: "{{ certbot_script }} register --non-interactive --agree-tos --email {{ certbot_register_email }}"`
 The command to run to register with Let's Encrypt.
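Review bot: The new `changed_when` keys the task's changed state on a substring of certbot's human-readable stdout, `Certificate not yet due for renewal`, which is message text certbot may reword between versions; when that happens the task reports a change on every run and any handler notified from it fires needlessly, with nothing pointing at the cause. Keep the check but write it in the Jinja form Ansible evaluates natively, `changed_when: "'Certificate not yet due for renewal' not in result.stdout"`, and add a comment above it recording the dependency, `# Relies on certbot's "not yet due for renewal" message; re-check this string when bumping certbot.` Renaming `result` to something like `certbot_cert_result` would also avoid clobbering a variable of the same generic name registered elsewhere in the play. The task is fully inside the hunk.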