LetsEncrypt certbot will now renew the certificate if domains were added or removed

filter_plugins/utils.py

@@ -10,6 +10,7 @@ class FilterModule(object):
             "valid_domain": self.valid_domain,
             "valid_ip": self.valid_ip,
             "check_email": self.check_email,
+            "le_domains_changed": self.le_domains_changed,
         }
 
     @staticmethod
@@ -39,3 +40,42 @@ class FilterModule(object):
 
         return True
 
+    @staticmethod
+    def le_domains_changed(running_config: str, cert_key: str, config_domains: list) -> bool:
+        changed = False
+        run_domains = []
+
+        for non_domain in ['_', '*']:
+            # removing wildcards
+            try:
+                config_domains.remove(non_domain)
+            except ValueError:
+                pass
+
+        block_started = False
+        for line in running_config.split('\n'):
+            if block_started:
+                if line.find('Certificate Name:') != -1:
+                    # block ended
+                    break
+
+                elif line.find('Domains:') != -1:
+                    run_domains = line.split(': ')[1].split(' ')
+
+            elif line.find(f"Certificate Name: {cert_key}") != -1:
+                block_started = True
+
+        # checking if any domain was added
+        for domain in config_domains:
+            if domain not in run_domains:
+                changed = True
+                break
+
+        if not changed:
+            # checking if any domain was removed
+            for domain in run_domains:
+                if domain not in config_domains:
+                    changed = True
+                    break
+
+        return changed

tasks/debian/letsencrypt/apache.yml

@@ -6,9 +6,10 @@
     state: present
 
 - name: Certificates | Debian | LetsEncrypt Certbot | Apache | Checking sites
-  ansible.builtin.shell: 'ls /etc/apache2/sites-enabled/'
+  ansible.builtin.command: 'ls /etc/apache2/sites-enabled/'
   changed_when: false
   register: enabled_apache_sites
+  check_mode: false
 
 - name: Certificates | Debian | LetsEncrypt Certbot | Apache | Deploying temporary apache site
   ansible.builtin.template:

tasks/debian/letsencrypt/cert.yml

@@ -1,7 +1,5 @@
 ---
 
-# todo: check domains registered in current certificate (certbot certificates) and remove it if there are more than configured before re-configuring it
-
 - name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Creating directory"
   ansible.builtin.file:
     path: "{{ item }}"
@@ -13,7 +11,7 @@
     - "{{ CERT_CONFIG.path }}"
     - "{{ le_path }}"
 
-- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Command to be executed"
+- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Certbot command (FYI)"
   ansible.builtin.debug:
     msg: "certbot certonly --non-interactive --agree-tos --no-redirect 
     --{{ CERT_CONFIG.letsencrypt.service }} --cert-name {{ le_name }}
@@ -22,9 +20,9 @@
     --config-dir {{ CERT_CONFIG.letsencrypt.path }}
     {% for domain in le_cert.domains %}{% if domain | valid_domain %}--domain {{ domain }} {% endif %}{% endfor %}
     {% if le_cert.email is not none %}--email {{ le_cert.email }} {% else %}--email {{ CERT_CONFIG.cert.email }} {% endif %}"
-  when: existing_certs_raw.stdout.find(name) == -1
+  when: le_changed
 
-- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Starting certbot"
+- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Running certbot"
   ansible.builtin.command: "certbot certonly --non-interactive --agree-tos --no-redirect
     --{{ CERT_CONFIG.letsencrypt.service }} --cert-name {{ le_name }}
     -{{ CERT_CONFIG.letsencrypt.verbosity }}
@@ -32,7 +30,7 @@
     --config-dir {{ CERT_CONFIG.letsencrypt.path }}
     {% for domain in le_cert.domains %}{% if domain | valid_domain %}--domain {{ domain }} {% endif %}{% endfor %}
     {% if le_cert.email is not none %}--email {{ le_cert.email }} {% else %}--email {{ CERT_CONFIG.cert.email }} {% endif %}"
-  when: existing_certs_raw.stdout.find(name) == -1
+  when: le_changed
 
 - name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Linking cert"
   ansible.builtin.file:

tasks/debian/letsencrypt/main.yml

@@ -24,9 +24,10 @@
   when: CERT_CONFIG.letsencrypt.service == 'nginx'
 
 - name: Certificates | Debian | LetsEncrypt Certbot | Pulling existing certs
-  ansible.builtin.shell: 'certbot certificates'
+  ansible.builtin.command: 'certbot certificates'
   register: existing_certs_raw
   changed_when: false
+  check_mode: false
 
 - name: Certificates | Debian | LetsEncrypt Certbot | Adding certificates
   ansible.builtin.include_tasks: cert.yml
@@ -37,12 +38,12 @@
     le_cert: "{{ default_le_certbot_cert_config | combine(cert_item.value, recursive=true) }}"
     le_name: "{{ cert_item.key | safe_key }}"
     le_path: "{{ CERT_CONFIG.letsencrypt.path }}/live/{{ le_name }}"
+    le_changed: "{{ existing_certs_raw.stdout | le_domains_changed(le_name, le_cert.domains) }}"
   loop_control:
     loop_var: cert_item
   no_log: true
   with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"
 
-
 - name: Certificates | Debian | LetsEncrypt Certbot | Removing certificates
   ansible.builtin.command: "certbot revoke --cert-name {{ le_name }} && certbot delete --cert-name {{ le_name }}"
   when:

tasks/debian/letsencrypt/nginx.yml

@@ -6,9 +6,10 @@
     state: present
 
 - name: Certificates | Debian | LetsEncrypt Certbot | Nginx | Checking sites
-  ansible.builtin.shell: 'ls /etc/nginx/sites-enabled/'
+  ansible.builtin.command: 'ls /etc/nginx/sites-enabled/'
   changed_when: false
   register: enabled_nginx_sites
+  check_mode: false
 
 - name: Certificates | Debian | LetsEncrypt Certbot | Nginx | Deploying temporary apache site
   ansible.builtin.template: