role does not try to expand with new certificate if there are new subdomains added in a second run
talon-vonneudeck opened this issue · 3 comments
If the playbook runs successfully the first time with letsencrypt_cert_domains: example.com
it will skip the task Attempt to get the certificate using the webroot authenticator
when running a second time with letsencrypt_cert_domains: ['example.com', 'sub.example.com', 'anothersub.example.com']
because the check on /etc/letsencrypt/live/{{ letsencrypt_cert_domains[0] }}
finds /etc/letsencrypt/live/example.com
and the task ignores the newly added subdomains.
If the command created by the task, /usr/local/share/letsencrypt/env/bin/letsencrypt --agree-tos --text -d example.com -d sub.example.com -d anothersub.example.com --email webmaster@example.com -a webroot --webroot-path /var/www/ certonly,
is run manually, letsencrypt realises the difference and offers to expand and replace the existing certificate with a new certificate.
Thanks for filing this report. The key point here is that it offers to expand it, interactively, which isn't something that'll work with Ansible. We probably need to go dig up the command line flag to expand without asking.
Yes, it is a little tricky.
If I knew an easy answer I would just have made a pull request. Unfortunately I do not.
We would need to figure out if there is a non-interactive way to test if the existing certificates are valid for all domains provided and use that for a when.
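One non-interactive check of the kind the last comment asks for, as an added example that is not the role's code: it reads the subjectAltName entries of the certificate the role's path check would find, decides whether the task should skip, issue or expand (the value an Ansible `when` could key on), and rebuilds the command from the issue with certbot's `--expand` flag, which expands an existing certificate to a superset of names without prompting. The paths, domains, e-mail and webroot are the ones from the issue; the `cert.pem` file name under the live directory is the client's standard layout.

```python
import re
import subprocess

# Sample values from the issue: the first run asked for example.com only,
# the second run asks for these three names.
LETSENCRYPT_CERT_DOMAINS = ["example.com", "sub.example.com", "anothersub.example.com"]
LIVE_DIR = "/etc/letsencrypt/live"
CLIENT = "/usr/local/share/letsencrypt/env/bin/letsencrypt"


def san_domains(x509_text):
    """Extract DNS names from `openssl x509 -text` output (the subjectAltName line).

    The same pattern also matches the output of `-ext subjectAltName` on newer OpenSSL.
    """
    return set(re.findall(r"DNS:([A-Za-z0-9.*-]+)", x509_text))


def live_cert_domains(domains, live_dir=LIVE_DIR):
    """Read the SANs of the certificate under live/<first domain>; empty set if none."""
    cert_path = f"{live_dir}/{domains[0]}/cert.pem"
    try:
        proc = subprocess.run(
            ["openssl", "x509", "-in", cert_path, "-noout", "-text"],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        # No openssl, no live directory yet, or an unreadable file: treat as no cert.
        return set()
    return san_domains(proc.stdout)


def decide(wanted, covered):
    """Return 'skip', 'issue' or 'expand' for the requested list vs. the covered set."""
    if not covered:
        return "issue"
    missing = [d for d in wanted if d not in covered]
    return "skip" if not missing else "expand"


def client_command(wanted, action, email="webmaster@example.com", webroot="/var/www/"):
    """Build the certonly command from the issue; --expand is certbot's non-interactive
    flag for replacing a certificate whose names are a strict subset of those requested."""
    if action == "skip":
        return None
    cmd = [CLIENT, "--agree-tos", "--text"]
    for d in wanted:
        cmd += ["-d", d]
    cmd += ["--email", email, "-a", "webroot", "--webroot-path", webroot, "certonly"]
    if action == "expand":
        cmd.append("--expand")
    return cmd
```

In the role, `decide(LETSENCRYPT_CERT_DOMAINS, live_cert_domains(LETSENCRYPT_CERT_DOMAINS))` replaces the bare path-exists check, so a certificate issued for example.com alone no longer masks the added subdomains.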