2025-12-15 17:21:09 +01:00
22 changed files with 151 additions and 166 deletions
--- a/.github/stale.yml
+++ b/.github/stale.yml
@ -0,0 +1,57 @@
 # Configuration for probot-stale - https://github.com/probot/stale
 # Number of days of inactivity before an Issue or Pull Request becomes stale
 daysUntilStale: 90
 # Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
 # Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
 daysUntilClose: 30
 # Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled)
 onlyLabels: []
 # Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
 exemptLabels:
  - bug
  - pinned
  - security
  - planned
 # Set to true to ignore issues in a project (defaults to false)
 exemptProjects: false
 # Set to true to ignore issues in a milestone (defaults to false)
 exemptMilestones: false
 # Set to true to ignore issues with an assignee (defaults to false)
 exemptAssignees: false
 # Label to use when marking as stale
 staleLabel: stale
 # Limit the number of actions per hour, from 1-30. Default is 30
 limitPerRun: 30
 pulls:
  markComment: |-
    This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution!
    Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale.
  unmarkComment: >-
    This pull request is no longer marked for closure.
  closeComment: >-
    This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details.
 issues:
  markComment: |-
    This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
    Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
  unmarkComment: >-
    This issue is no longer marked for closure.
  closeComment: >-
    This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -19,14 +19,14 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the codebase.
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
        with:
          path: 'geerlingguy.certbot'
      - name: Set up Python 3.
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v2
        with:
-          python-version: '3.13'  # Can't go to 3.14+ until Ansible 13.x
+          python-version: '3.x'
      - name: Install test dependencies.
        run: pip3 install yamllint
@ -41,17 +41,15 @@ jobs:
    strategy:
      matrix:
        include:
-          - distro: rockylinux9
+          - distro: centos8
            playbook: converge.yml
            experimental: false
-          - distro: ubuntu2404
+          - distro: centos7
            playbook: converge.yml
            experimental: false
-          - distro: debian12
+          - distro: ubuntu1804
            playbook: converge.yml
            experimental: false
 <<<<<<< Updated upstream
 =======
          - distro: debian10
            playbook: converge.yml
            experimental: false
@ -59,25 +57,24 @@ jobs:
          # - distro: centos7
          #   playbook: playbook-source-install.yml
          #   experimental: false
 >>>>>>> Stashed changes
-          - distro: rockylinux9
+          - distro: centos7
            playbook: playbook-snap-install.yml
            experimental: true
    steps:
      - name: Check out the codebase.
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
        with:
          path: 'geerlingguy.certbot'
      - name: Set up Python 3.
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v2
        with:
-          python-version: '3.13'  # Can't go to 3.14+ until Ansible 13.x
+          python-version: '3.x'
      - name: Install test dependencies.
-        run: pip3 install ansible molecule molecule-plugins[docker] docker
+        run: pip3 install ansible molecule[docker] docker
      - name: Run Molecule tests.
        run: molecule test
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -22,14 +22,14 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the codebase.
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
        with:
          path: 'geerlingguy.certbot'
      - name: Set up Python 3.
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v2
        with:
-          python-version: '3.13'  # Can't go to 3.14+ until Ansible 13.x
+          python-version: '3.x'
      - name: Install Ansible.
        run: pip3 install ansible-core
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -1,34 +0,0 @@
 ---
 name: Close inactive issues
 'on':
  schedule:
    - cron: "55 12 * * 1"  # semi-random time
 jobs:
  close-issues:
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
    steps:
      - uses: actions/stale@v8
        with:
          days-before-stale: 120
          days-before-close: 60
          exempt-issue-labels: bug,pinned,security,planned
          exempt-pr-labels: bug,pinned,security,planned
          stale-issue-label: "stale"
          stale-pr-label: "stale"
          stale-issue-message: |
            This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
            Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
          close-issue-message: |
            This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
          stale-pr-message: |
            This pr has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
            Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
          close-pr-message: |
            This pr has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
          repo-token: ${{ secrets.GITHUB_TOKEN }}
--- a/.yamllint
+++ b/.yamllint
@ -5,9 +5,6 @@ rules:
  line-length:
    max: 180
    level: warning
  indentation:
    spaces: 2
    indent-sequences: consistent
 ignore: |
-  .github/workflows/stale.yml
+  .github/stale.yml
--- a/README.md
+++ b/README.md
@ -1,6 +1,6 @@
 # Ansible Role: Certbot (for Let's Encrypt)
-[![CI](https://github.com/geerlingguy/ansible-role-certbot/actions/workflows/ci.yml/badge.svg)](https://github.com/geerlingguy/ansible-role-certbot/actions/workflows/ci.yml)
+[![CI](https://github.com/geerlingguy/ansible-role-certbot/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-certbot/actions?query=workflow%3ACI)
 Installs and configures Certbot (for Let's Encrypt).
@ -20,7 +20,7 @@ Controls how Certbot is installed. Available options are 'package', 'snap', and
    certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}"
    certbot_auto_renew_hour: "3"
    certbot_auto_renew_minute: "30"
-    certbot_auto_renew_options: "--quiet"
+    certbot_auto_renew_options: "--quiet --no-self-upgrade"
 By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.
@ -63,7 +63,7 @@ A list of domains (and other data) for which certs should be generated. You can
    certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
-The `certbot_create_command` defines the command used to generate the cert. See the full default command inside `defaults/main.yml` for a full example—and you can easily add in extra arguments that are not in the default command with the `certbot_create_extra_args` variable.
+The `certbot_create_command` defines the command used to generate the cert.
 #### Standalone Certificate Generation
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -4,7 +4,7 @@ certbot_auto_renew: true
 certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}"
 certbot_auto_renew_hour: "3"
 certbot_auto_renew_minute: "30"
-certbot_auto_renew_options: "--quiet"
+certbot_auto_renew_options: "--quiet --no-self-upgrade"
 certbot_testmode: false
 certbot_hsts: false
@ -13,16 +13,13 @@ certbot_hsts: false
 # Parameters used when creating new Certbot certs.
 certbot_create_if_missing: false
 certbot_create_method: standalone
 certbot_create_extra_args: ""
 certbot_admin_email: email@example.com
 certbot_expand: false
 # Default webroot, overwritten by individual per-cert webroot directories
 certbot_webroot: /var/www/letsencrypt
 certbot_certs: []
-# - name: example.com
+# - email: janedoe@example.com
 #   email: janedoe@example.com
 #   webroot: "/var/www/html/"
 #   domains:
 #     - example1.com
@ -36,21 +33,14 @@ certbot_create_command: >-
  {{ '--test-cert' if certbot_testmode else '' }}
  --noninteractive --agree-tos
  --email {{ cert_item.email | default(certbot_admin_email) }}
  {{ '--expand' if certbot_expand else '' }}
  {{ '--webroot-path ' if certbot_create_method == 'webroot'  else '' }}
  {{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }}
  {{ certbot_create_extra_args }}
  --cert-name {{ cert_item_name }}
  -d {{ cert_item.domains | join(',') }}
  {{ '--expand' if certbot_expand else '' }}
  {{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services'
-    if certbot_create_standalone_stop_services and certbot_create_method == 'standalone'
+    if certbot_create_standalone_stop_services
  else '' }}
  {{ '--post-hook /etc/letsencrypt/renewal-hooks/post/start_services'
-    if certbot_create_standalone_stop_services and certbot_create_method == 'standalone'
+    if certbot_create_standalone_stop_services
  else '' }}
  {{ "--deploy-hook '" ~ cert_item.deploy_hook ~ "'"
    if 'deploy_hook' in cert_item
  else '' }}
 certbot_create_standalone_stop_services:
--- a/meta/main.yml
+++ b/meta/main.yml
@ -7,8 +7,12 @@ galaxy_info:
  description: "Installs and configures Certbot (for Let's Encrypt)."
  company: "Midwestern Mac, LLC"
  license: "license (BSD, MIT)"
-  min_ansible_version: 2.10
+  min_ansible_version: 2.4
  platforms:
    - name: EL
      versions:
        - 7
        - 8
    - name: Fedora
      versions:
        - all
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@ -1,7 +1,7 @@
 ---
 - name: Converge
  hosts: all
-  # become: true
+  become: true
  vars:
    certbot_auto_renew_user: root
@ -9,7 +9,7 @@
  pre_tasks:
    - name: Update apt cache.
      apt: update_cache=yes cache_valid_time=600
-      when: ansible_facts.os_family == 'Debian'
+      when: ansible_os_family == 'Debian'
      changed_when: false
    - name: Install dependencies (RedHat).
@ -18,11 +18,11 @@
          - cronie
          - epel-release
        state: present
-      when: ansible_facts.os_family == 'RedHat'
+      when: ansible_os_family == 'RedHat'
    - name: Install cron (Debian).
      apt: name=cron state=present
-      when: ansible_facts.os_family == 'Debian'
+      when: ansible_os_family == 'Debian'
  roles:
    - geerlingguy.certbot
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@ -1,18 +1,14 @@
 ---
 role_name_check: 1
 dependency:
  name: galaxy
  options:
    ignore-errors: true
 driver:
  name: docker
 platforms:
  - name: instance
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux9}-ansible:latest"
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
    command: ${MOLECULE_DOCKER_COMMAND:-""}
    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    cgroupns_mode: host
    privileged: true
    pre_build_image: true
 provisioner:
--- a/molecule/default/playbook-snap-install.yml
+++ b/molecule/default/playbook-snap-install.yml
@ -1,7 +1,7 @@
 ---
 - name: Converge
  hosts: all
-  #become: true
+  become: true
  vars:
    certbot_install_method: 'snap'
@ -10,16 +10,16 @@
  pre_tasks:
    - name: Update apt cache.
      apt: update_cache=yes cache_valid_time=600
-      when: ansible_facts.os_family == 'Debian'
+      when: ansible_os_family == 'Debian'
      changed_when: false
    - name: Install cron (RedHat).
      yum: name=cronie state=present
-      when: ansible_facts.os_family == 'RedHat'
+      when: ansible_os_family == 'RedHat'
    - name: Install cron (Debian).
      apt: name=cron state=present
-      when: ansible_facts.os_family == 'Debian'
+      when: ansible_os_family == 'Debian'
  roles:
    - geerlingguy.git
--- a/molecule/default/playbook-source-install.yml
+++ b/molecule/default/playbook-source-install.yml
@ -1,7 +1,7 @@
 ---
 - name: Converge
  hosts: all
-  #become: true
+  become: true
  vars:
    certbot_install_method: 'source'
@ -10,16 +10,16 @@
  pre_tasks:
    - name: Update apt cache.
      apt: update_cache=yes cache_valid_time=600
-      when: ansible_facts.os_family == 'Debian'
+      when: ansible_os_family == 'Debian'
      changed_when: false
    - name: Install cron (RedHat).
      yum: name=cronie state=present
-      when: ansible_facts.os_family == 'RedHat'
+      when: ansible_os_family == 'RedHat'
    - name: Install cron (Debian).
      apt: name=cron state=present
-      when: ansible_facts.os_family == 'Debian'
+      when: ansible_os_family == 'Debian'
  roles:
    - geerlingguy.git
--- a/molecule/default/playbook-standalone-nginx-aws.yml
+++ b/molecule/default/playbook-standalone-nginx-aws.yml
@ -91,8 +91,7 @@
    certbot_create_if_missing: true
    certbot_create_standalone_stop_services: []
    certbot_certs:
-      - name: certbot-test.servercheck.in
+      - domains:
        domains:
          - certbot-test.servercheck.in
    nginx_vhosts:
      - listen: "443 ssl http2"
@ -111,19 +110,19 @@
  pre_tasks:
    - name: Update apt cache.
      apt: update_cache=true cache_valid_time=600
-      when: ansible_facts.os_family == 'Debian'
+      when: ansible_os_family == 'Debian'
      changed_when: false
    - name: Install dependencies (RedHat).
      yum: name={{ item }} state=present
-      when: ansible_facts.os_family == 'RedHat'
+      when: ansible_os_family == 'RedHat'
      with_items:
        - cronie
        - epel-release
    - name: Install cron (Debian).
      apt: name=cron state=present
-      when: ansible_facts.os_family == 'Debian'
+      when: ansible_os_family == 'Debian'
  roles:
    - geerlingguy.certbot
--- a/tasks/create-cert-standalone.yml
+++ b/tasks/create-cert-standalone.yml
@ -1,11 +1,7 @@
 ---
 - name: Determine certificate name
  set_fact:
    cert_item_name: "{{ cert_item.name | default(cert_item.domains | first | replace('*.', '')) }}"
 - name: Check if certificate already exists.
  stat:
-    path: /etc/letsencrypt/live/{{ cert_item_name }}/cert.pem
+    path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem
  register: letsencrypt_cert
 - name: Ensure pre and post hook folders exist.
@ -28,7 +24,7 @@
    mode: 0750
  when:
    - certbot_create_standalone_stop_services is defined
-    - certbot_create_standalone_stop_services is truthy
+    - certbot_create_standalone_stop_services
 - name: Create post hook to start services.
  template:
@ -39,25 +35,8 @@
    mode: 0750
  when:
    - certbot_create_standalone_stop_services is defined
-    - certbot_create_standalone_stop_services is truthy
+    - certbot_create_standalone_stop_services
 - name: Check if domains have changed
  block:
    - name: Register certificate domains
      shell: "{{ certbot_script }} certificates --cert-name {{ cert_item_name }} | grep Domains | cut -d':' -f2"
      changed_when: false
      register: letsencrypt_cert_domains_dirty
    - name: Cleanup domain list
      set_fact:
        letsencrypt_cert_domains: "{{ letsencrypt_cert_domains_dirty.stdout | trim | split(' ') | map('trim') | select('!=', '') | list | sort }}"
    - name: Determine if domains have changed
      set_fact:
        letsencrypt_cert_domains_changed: "{{ letsencrypt_cert_domains != (cert_item.domains | map('trim') | select('!=', '') | list | sort) }}"
  when: letsencrypt_cert.stat.exists
 - name: Generate new certificate if one doesn't exist.
  command: "{{ certbot_create_command }}"
-  when: not letsencrypt_cert.stat.exists or letsencrypt_cert_domains_changed | default(false)
+  when: not letsencrypt_cert.stat.exists
--- a/tasks/create-cert-webroot.yml
+++ b/tasks/create-cert-webroot.yml
@ -1,11 +1,7 @@
 ---
 - name: Determine certificate name
  set_fact:
    cert_item_name: "{{ cert_item.name | default(cert_item.domains | first | replace('*.', '')) }}"
 - name: Check if certificate already exists.
  stat:
-    path: /etc/letsencrypt/live/{{ cert_item_name }}/cert.pem
+    path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem
  register: letsencrypt_cert
 - name: Create webroot directory if it doesn't exist yet
@ -13,23 +9,6 @@
    path: "{{ cert_item.webroot | default(certbot_webroot) }}"
    state: directory
 - name: Check if domains have changed
  block:
    - name: Register certificate domains
      shell: "{{ certbot_script }} certificates --cert-name {{ cert_item_name }} | grep Domains | cut -d':' -f2"
      changed_when: false
      register: letsencrypt_cert_domains_dirty
    - name: Cleanup domain list
      set_fact:
        letsencrypt_cert_domains: "{{ letsencrypt_cert_domains_dirty.stdout | trim | split(' ') | map('trim') | select('!=', '') | list | sort }}"
    - name: Determine if domains have changed
      set_fact:
        letsencrypt_cert_domains_changed: "{{ letsencrypt_cert_domains != (cert_item.domains | map('trim') | select('!=', '') | list | sort) }}"
  when: letsencrypt_cert.stat.exists
 - name: Generate new certificate if one doesn't exist.
  command: "{{ certbot_create_command }}"
-  when: not letsencrypt_cert.stat.exists or letsencrypt_cert_domains_changed | default(false)
+  when: not letsencrypt_cert.stat.exists
--- a/tasks/include-vars.yml
+++ b/tasks/include-vars.yml
@ -2,7 +2,7 @@
 - name: Load a variable file based on the OS type, or a default if not found.
  include_vars: "{{ item }}"
  with_first_found:
-    - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_version }}.yml"
+    - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
-    - "{{ ansible_facts.distribution }}.yml"
+    - "{{ ansible_distribution }}.yml"
-    - "{{ ansible_facts.os_family }}.yml"
+    - "{{ ansible_os_family }}.yml"
    - "default.yml"
--- a/tasks/install-with-package.yml
+++ b/tasks/install-with-package.yml
@ -1,8 +1,6 @@
 ---
 - name: Install Certbot.
-  package:
+  package: "name={{ certbot_package }} state=present"
    name: "{{ certbot_package }}"
    state: present
 - name: Set Certbot script variable.
  set_fact:
--- a/tasks/install-with-snap.yml
+++ b/tasks/install-with-snap.yml
@ -16,7 +16,7 @@
    src: /var/lib/snapd/snap
    dest: /snap
    state: link
-  when: ansible_facts.os_family != "Debian"
+  when: ansible_os_family != "Debian"
 - name: Update snap after install.
  shell: snap install core; snap refresh core
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -2,7 +2,7 @@
 - import_tasks: include-vars.yml
 - import_tasks: setup-RedHat.yml
-  when: ansible_facts.os_family == 'RedHat'
+  when: ansible_os_family == 'RedHat'
 - import_tasks: install-with-package.yml
  when: certbot_install_method == 'package'
--- a/tasks/setup-RedHat.yml
+++ b/tasks/setup-RedHat.yml
@ -1,11 +1,34 @@
 ---
 # See: https://github.com/geerlingguy/ansible-role-certbot/issues/107
- name: Ensure dnf-plugins are installed on Rocky/AlmaLinux.
+- block:
  - name: Ensure dnf-plugins are installed on CentOS 8+.
    yum:
      name: dnf-plugins-core
      state: present
- name: Enable DNF module for Rocky/AlmaLinux.
+  - block:
      - name: Enable DNF module for CentOS 8.3+.
        shell: |
-    dnf config-manager --set-enabled crb
+          dnf config-manager --set-enabled powertools
        args:
          warn: false
        register: dnf_module_enable
        changed_when: false
        when: ansible_facts['distribution_version'] is version('8.3', '>=')
      - name: Enable DNF module for CentOS 8.0–8.2.
        shell: |
          dnf config-manager --set-enabled PowerTools
        args:
          warn: false
        register: dnf_module_enable
        changed_when: false
    when: ansible_facts['distribution_version'] is version('8.2', '<=')
  when:
    - ansible_distribution == 'CentOS'
    - ansible_distribution_major_version | int >= 8
--- a/templates/start_services.j2
+++ b/templates/start_services.j2
@ -3,11 +3,11 @@
 {% for item in certbot_create_standalone_stop_services %}
 echo "starting service {{ item }}"
-{% if ansible_facts.service_mgr == 'systemd' %}
+{% if ansible_service_mgr == 'systemd' %}
 systemctl start {{ item }}
-{% elif ansible_facts.service_mgr == 'upstart' %}
+{% elif ansible_service_mgr == 'upstart' %}
 initctl start {{ item }}
-{% elif ansible_facts.service_mgr == 'openrc' %}
+{% elif ansible_service_mgr == 'openrc' %}
 rc-service {{ item }} start
 {% else %}
 service {{ item }} start
--- a/templates/stop_services.j2
+++ b/templates/stop_services.j2
@ -3,11 +3,11 @@
 {% for item in certbot_create_standalone_stop_services %}
 echo "stopping service {{ item }}"
-{% if ansible_facts.service_mgr == 'systemd' %}
+{% if ansible_service_mgr == 'systemd' %}
 systemctl stop {{ item }}
-{% elif ansible_facts.service_mgr == 'upstart' %}
+{% elif ansible_service_mgr == 'upstart' %}
 initctl stop {{ item }}
-{% elif ansible_facts.service_mgr == 'openrc' %}
+{% elif ansible_service_mgr == 'openrc' %}
 rc-service {{ item }} stop
 {% else %}
 service {{ item }} stop