Actually update certificate when domain list file is absent or has changed

7 years ago · b469b40ed6
parent e1d787d811
commit b469b40ed6
2 changed files with 13 additions and 6 deletions
--- a/tasks/create-cert-standalone.yml
+++ b/tasks/create-cert-standalone.yml
@ -6,23 +6,24 @@
  service:
    name: "{{ item }}"
    state: stopped
-  when: not letsencrypt_cert_exists.stat.exists
+  when: not letsencrypt_cert_exists.stat.exists or letsencrypt_cert_updated
  with_items: "{{ certbot_create_standalone_stop_services }}"
 - name: Generate new certificate if one doesn't exist.
  shell: "{{ certbot_create_command }}"
-  when: not letsencrypt_cert_exists.stat.exists
+  when: not letsencrypt_cert_exists.stat.exists or letsencrypt_cert_updated
 - name: Persist domain list to host
  lineinfile:
    path: /etc/letsencrypt/domains-{{ cert_item.domains | first }}
    line: "{{ cert_item.domains }}"
    state: present
    create: yes
  when: letsencrypt_cert_updated
 - name: Start services after cert has been generated.
  service:
    name: "{{ item }}"
    state: started
-  when: not letsencrypt_cert_exists.stat.exists
+  when: not letsencrypt_cert_exists.stat.exists or letsencrypt_cert_updated
  with_items: "{{ certbot_create_standalone_stop_services }}"
--- a/tasks/test-cert-exists.yml
+++ b/tasks/test-cert-exists.yml
@ -4,15 +4,21 @@
    path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem
  register: letsencrypt_cert_exists
- name: Check if certificate has changed.
+- name: Check if certificate domain list exists.
  stat:
    path: /etc/letsencrypt/domains-{{ cert_item.domains | first }}
  register: letsencrypt_cert_list_exists
  when: letsencrypt_cert_exists.stat.exists
 - name: Check if certificate domain list has changed.
  lineinfile:
    path: /etc/letsencrypt/domains-{{ cert_item.domains | first }}
    line: "{{ cert_item.domains }}"
    state: present
  check_mode: yes
  register: letsencrypt_cert_contents
-  when: letsencrypt_cert_exists.stat.exists
+  when: letsencrypt_cert_exists.stat.exists and letsencrypt_cert_list_exists.stat.exists
 - set_fact:
-    letsencrypt_cert_updated: "{{ (letsencrypt_cert_contents | changed) or (letsencrypt_cert_contents | failed) }}"
+    letsencrypt_cert_updated: "{{ not letsencrypt_cert_list_exists.stat.exists or (letsencrypt_cert_contents | changed) or (letsencrypt_cert_contents | failed) }}"
  when: letsencrypt_cert_exists.stat.exists