From 54d52cee98f667fdb6b331a1d2c1745fb307751d Mon Sep 17 00:00:00 2001
From: AnsibleGuy
Date: Tue, 16 Aug 2022 17:07:06 +0200
Subject: [PATCH] updates to letsencrypt multi-cert processing
---
 defaults/main.yml | 6 ++++--
 tasks/debian/letsencrypt/cert.yml | 4 ++--
 tasks/debian/letsencrypt/main.yml | 8 +++++---
 3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 2537463..b74c6d7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -62,6 +62,7 @@ defaults_certs:
 verbosity: 'v'
 certs: {} # see 'default_le_certbot_cert' below
 renew: false # if a renewal should be started by the role; the renewal service will auto-renew the certificates otherwise
+ email:
 ca:
 path:
@@ -87,8 +88,9 @@ CERT_CONFIG: "{{ defaults_certs | combine(certs, recursive=true) }}"
 default_le_certbot_cert:
 domains: []
- state: 'present'
- email:
+ key_size: "{{ CERT_CONFIG.letsencrypt.key_size | default(CERT_CONFIG.cert.key_size, true) }}"
+ state: "{{ CERT_CONFIG.letsencrypt.state | default('present', true) }}"
+ email: "{{ CERT_CONFIG.letsencrypt.email }}"
 # letsencrypt example:
 #certs:
diff --git a/tasks/debian/letsencrypt/cert.yml b/tasks/debian/letsencrypt/cert.yml
index df2f723..1aef711 100644
--- a/tasks/debian/letsencrypt/cert.yml
+++ b/tasks/debian/letsencrypt/cert.yml
@@ -23,7 +23,7 @@
 msg: "certbot certonly --non-interactive --agree-tos --no-redirect{% if debug or testing %} --staging{% endif %} --{{ CERT_CONFIG.letsencrypt.service }} --cert-name {{ le_name }} -{{ CERT_CONFIG.letsencrypt.verbosity }}
- --rsa-key-size {{ le_cert.key_size | default(CERT_CONFIG.cert.key_size, true) }}
+ --rsa-key-size {{ le_cert.key_size }}
 --config-dir {{ CERT_CONFIG.letsencrypt.path }}
 {% for domain in le_cert.domains %}{% if domain | valid_hostname %}--domain {{ domain }} {% endif %}{% endfor %}
 {% if le_cert.email is not none %}--email {{ le_cert.email }} {% else %}--email {{ CERT_CONFIG.cert.email }} {% endif %}"
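Review bot: The new default `email: "{{ CERT_CONFIG.letsencrypt.email }}"` changes the type of the value that cert.yml later tests with `is not none`: when `letsencrypt.email` is left at its new null default, Ansible's templater renders the expression as an empty string rather than None (as far as I can tell its Jinja finalizer maps None to ''), so the `{% else %}--email {{ CERT_CONFIG.cert.email }}` fallback in cert.yml can no longer trigger and certbot receives an empty `--email`. The `key_size` line just above already falls back to `CERT_CONFIG.cert`, so use the same pattern here: `email: "{{ CERT_CONFIG.letsencrypt.email | default(CERT_CONFIG.cert.email, true) }}"`. Per-certificate `email` entries presumably still override this through the merge with `certs`, which happens outside this hunk.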
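Review bot: The debug `msg` in this hunk is a byte-for-byte copy of the `ansible.builtin.command` string in the next hunk, and this commit had to edit the `--rsa-key-size` line in both places; the two will drift the next time only one is touched, and a debug output that differs from the command actually run is a trap when troubleshooting ACME failures. Build the command once in a `vars:` entry on the enclosing block or task, e.g. `le_certbot_cmd: "certbot certonly ..."`, and reference it from both tasks as `msg: "{{ le_certbot_cmd }}"` and `ansible.builtin.command: "{{ le_certbot_cmd }}"`. The debug task this `msg` belongs to starts outside the hunk.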
@@ -33,7 +33,7 @@
 ansible.builtin.command: "certbot certonly --non-interactive --agree-tos --no-redirect{% if debug or testing %} --staging{% endif %} --{{ CERT_CONFIG.letsencrypt.service }} --cert-name {{ le_name }} -{{ CERT_CONFIG.letsencrypt.verbosity }}
- --rsa-key-size {{ le_cert.key_size | default(CERT_CONFIG.cert.key_size, true) }}
+ --rsa-key-size {{ le_cert.key_size }}
 --config-dir {{ CERT_CONFIG.letsencrypt.path }}
 {% for domain in le_cert.domains %}{% if domain | valid_hostname %}--domain {{ domain }} {% endif %}{% endfor %}
 {% if le_cert.email is not none %}--email {{ le_cert.email }} {% else %}--email {{ CERT_CONFIG.cert.email }} {% endif %}"
diff --git a/tasks/debian/letsencrypt/main.yml b/tasks/debian/letsencrypt/main.yml
index 09ce63b..bb43ae3 100644
--- a/tasks/debian/letsencrypt/main.yml
+++ b/tasks/debian/letsencrypt/main.yml
@@ -4,8 +4,8 @@
 ansible.builtin.assert:
 that:
 - CERT_CONFIG.letsencrypt.certs | length > 0
- - CERT_CONFIG.letsencrypt.service | default(none, true) is not none
- - CERT_CONFIG.letsencrypt.email | default(none, true) is not none or CERT_CONFIG.letsencrypt.certs|check_email
+ - CERT_CONFIG.letsencrypt.service | default(false, true)
+ - CERT_CONFIG.letsencrypt.email | default(false, true) or CERT_CONFIG.letsencrypt.certs | check_email
 - "CERT_CONFIG.letsencrypt.service in ['apache', 'nginx']"
 - name: Certificates | Debian | LetsEncrypt Certbot | Configure for Apache2
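Review bot: `le_name` and `le_cert.email` are interpolated into the `ansible.builtin.command` string unquoted; the command module splits that string with shlex rather than a shell, so a value containing whitespace turns into extra certbot arguments, and certbot accepts flags such as `--deploy-hook` that run commands as root. The domain list in this hunk is already filtered through `valid_hostname`, but the cert name and the address are not, so give them the same treatment: `--cert-name {{ le_name | quote }}` and `--email {{ le_cert.email | quote }}`. The `is not none` test on the last line is also fragile now that `default_le_certbot_cert.email` is a templated string rather than a literal null: an unset `letsencrypt.email` likely renders as `''`, which is not none, so the `CERT_CONFIG.cert.email` fallback is skipped and `--email` is emitted with an empty value; `{% if le_cert.email | default(false, true) %}` covers both null and empty. The command task continues outside the hunk.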
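Review bot: The rewritten assertion `CERT_CONFIG.letsencrypt.service | default(false, true)` is redundant: the unchanged last assertion `CERT_CONFIG.letsencrypt.service in ['apache', 'nginx']` already fails for an unset, null or empty value, so the new line can simply be dropped. The `email` assertion only checks presence, yet that value ends up verbatim on the certbot command line in cert.yml; a minimal shape check would reject typos and stray whitespace before any ACME request is made, e.g. `- CERT_CONFIG.letsencrypt.email | default('') is match('^[^\s@]+@[^\s@]+\.[^\s@]+$') or CERT_CONFIG.letsencrypt.certs | check_email`. What `check_email` accepts for the per-certificate addresses is not visible here, so that half of the condition is left as is. The assert task's `name` line lies outside the hunk.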
@@ -16,11 +16,12 @@
 ansible.builtin.import_tasks: nginx.yml
 when: CERT_CONFIG.letsencrypt.service == 'nginx'
-- name: Certificates | Debian | LetsEncrypt Certbot | Pulling existing certs
+- name: Certificates | Debian | LetsEncrypt Certbot | Pulling existing certs (this can take some time)
 ansible.builtin.command: "certbot certificates --config-dir {{ CERT_CONFIG.letsencrypt.path }}{% if debug or testing %} --staging{% endif %}"
 register: existing_certs_raw
 changed_when: false
 check_mode: false
+ timeout: 120
 - name: Certificates | Debian | LetsEncrypt Certbot | Existing certificates
 ansible.builtin.debug:
@@ -95,6 +96,7 @@
 enabled: yes
 state: started
+# Renew all previously obtained certificates that are near expiry
 - name: Certificates | Debian | LetsEncrypt Certbot | Running renewal
 ansible.builtin.command: "certbot renew --force-renewal{% if debug or testing %} --staging{% endif %}"
 when: CERT_CONFIG.letsencrypt.renew
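Review bot: The comment added in the last hunk says certificates "near expiry" are renewed, but the command right below it passes `--force-renewal`, which makes `certbot renew` re-issue every certificate on every run regardless of remaining lifetime; with `renew: true` each play counts against Let's Encrypt's duplicate-certificate rate limit and can leave the host unable to renew when it actually needs to. Either drop `--force-renewal` so the task does what the comment claims (plain `certbot renew` already skips certificates that are not due), or make the comment match the behaviour: `# Force re-issuing of all certificates on every run (ignores remaining lifetime; subject to the CA's duplicate-certificate rate limit)`. The renewal task is fully visible in the hunk, so this is the whole unit.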