Letsencrypt role doesn't add new domains later on for already deployed servers
Opened this issue · 2 comments
Letsencrypt currently only adds new domain names in the initial deployment. This hasn't been a problem so far because we usually use new servers for everything.
Today I needed to deploy a new site onto a shared production server and couldn't add new domains to letsencrypt even though I used:
```yaml
letsencrypt_domains:
  - old-domain.com
  - www.old-domain.com
  - new-domain.com
  - www.new-domain.com
```
This happens because Ansible will add the certs only in the initial deploy:
```yaml
- name: Run initial certificate request only if port 80 is free
  command: "{{ letsencrypt_command }}"
  when: port_80.stdout.find('nginx') == -1
```
What we should do is this:
```yaml
vars:
  # Define a command for servers which are already running:
  # nginx keeps port 80, so use the webroot challenge and --expand
  # to add the new names to the existing certificate
  letsencrypt_webroot_command: "{{ letsencrypt_src }}/letsencrypt/letsencrypt-auto certonly --webroot --agree-tos --text -n --expand --email {{ letsencrypt_email }} {% for d in letsencrypt_domains %}-d {{ d }} {% endfor %}"
tasks:
  - name: Run webroot certificate request if nginx is already listening on port 80
    command: "{{ letsencrypt_webroot_command }}"
    when: port_80.stdout.find('nginx') != -1
```
This should also check the output of:
```sh
$ "{{ letsencrypt_src }}/letsencrypt/letsencrypt-auto certificates"
```
And only run the webroot command unless all of the domains are already in the list, so we don't waste valuable request limits from letsencrypt.
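The check the issue asks for, written as an added shell example (not code from the role or from the issue author): it parses the output of the `certificates` subcommand, lists the wanted domains that no existing certificate covers, and only builds the `--expand` webroot command when something is missing, so a fully covered server makes no request at all. The `certificates` output below is a constructed sample in the format certbot prints; `LETSENCRYPT_SRC`, `LETSENCRYPT_EMAIL` and `LETSENCRYPT_WEBROOT` are assumed environment variables standing in for the role's variables, and the `-w` webroot path is an assumption the issue's proposed command does not include.

```shell
#!/bin/sh
# Added example (not from the original issue or the role): decide whether a
# letsencrypt-auto/certbot "--expand" run is needed by comparing the domains
# already covered by issued certificates with the wanted domain list.

# Constructed sample of `letsencrypt-auto certificates` output. A real run
# would capture it with: "$LETSENCRYPT_SRC/letsencrypt/letsencrypt-auto certificates"
SAMPLE_CERTIFICATES_OUTPUT='Found the following certs:
  Certificate Name: old-domain.com
    Domains: old-domain.com www.old-domain.com
    Expiry Date: 2017-09-01 12:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/old-domain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old-domain.com/privkey.pem'

# Print every domain listed on a "Domains:" line of the certificates output,
# one per line (several certificates produce several "Domains:" lines).
covered_domains() {
    printf '%s\n' "$1" | sed -n 's/^ *Domains: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# Print the wanted domains (space-separated in $2) that no certificate covers.
# Exact whole-line match so "old-domain.com" does not satisfy "www.old-domain.com".
missing_domains() {
    covered=$(covered_domains "$1")
    for d in $2; do
        if ! printf '%s\n' "$covered" | grep -qxF -- "$d"; then
            printf '%s\n' "$d"
        fi
    done
}

# Succeed (exit 0) only when at least one wanted domain is not covered yet.
needs_expand() {
    [ -n "$(missing_domains "$1" "$2")" ]
}

# Build the webroot certonly command the issue proposes for the wanted domains
# (space-separated in $1). LETSENCRYPT_SRC, LETSENCRYPT_EMAIL and
# LETSENCRYPT_WEBROOT are assumed stand-ins for the role's variables; the
# -w webroot path is an assumption not present in the issue's command.
expand_command() {
    cmd="${LETSENCRYPT_SRC:-/opt}/letsencrypt/letsencrypt-auto certonly --webroot"
    cmd="$cmd -w ${LETSENCRYPT_WEBROOT:-/var/www/letsencrypt}"
    cmd="$cmd --agree-tos --text -n --expand --email ${LETSENCRYPT_EMAIL:-admin@example.com}"
    for d in $1; do
        cmd="$cmd -d $d"
    done
    printf '%s\n' "$cmd"
}

# Stand-alone demo: `sh thisfile.sh --demo` prints the decision for the sample.
if [ "${1:-}" = "--demo" ]; then
    wanted="old-domain.com www.old-domain.com new-domain.com www.new-domain.com"
    if needs_expand "$SAMPLE_CERTIFICATES_OUTPUT" "$wanted"; then
        echo "Missing: $(missing_domains "$SAMPLE_CERTIFICATES_OUTPUT" "$wanted" | tr '\n' ' ')"
        expand_command "$wanted"
    else
        echo "All domains already covered; skipping request to save rate limit"
    fi
fi
```

In the role this would map onto a `command: ... certificates` task with `register`, followed by the webroot task guarded by a `when:` that compares the registered output against `letsencrypt_domains` the same way `missing_domains` does, so the rate-limited request runs only when a name is genuinely absent.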
Our Letsencrypt role is outdated, please work on the certbot role instead. Anyway, I think the same issues hold true for that one too.
This is quite a small fix; I would fix it in both simultaneously because we still use the "outdated" letsencrypt module on a few sites.