Merge pull request #23 from Matt-Yorkley/update_certs

Allow updating existing certs using --extra-vars "certbot_force_update=true
coopdevs · Oct 18, 2019 · 8525161 · 8525161
2 parents a0110db + 57ae914
commit 8525161
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -68,7 +68,13 @@ Create a custom role including the `certbot_nginx` role that generates the certi
     loop_var: domain_name
 ```
 
-> You need to declare the `loop_control` to map the `item` var of the `with_item` loop with the `loop_var` value as `domain_name`. See the [`loop_controll` doc](https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html?highlight=loop_control#loop-control)
+> You need to declare the `loop_control` to map the `item` var of the `with_item` loop with the `loop_var` value as `domain_name`. See the [`loop_control` doc](https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html?highlight=loop_control#loop-control)
+
+Updating Existing Certificates
+-------------------------------
+
+If the details for your site have changed since the certificate was created, you can update it by defining `certbot_force_update: true` or passing `--extra-vars "certbot_force_update=true"` via the commandline.
+
 
 Let's Encrypt Staging Environment
 ---------------------------------

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload nginx
+  service:
+    name: nginx
+    state: reloaded
diff --git a/tasks/certificate.yml b/tasks/certificate.yml
@@ -4,12 +4,23 @@
     path: "/etc/letsencrypt/live/{{ certbot_nginx_cert_name | default(domain_name, true) }}/cert.pem"
   register: letsencrypt_cert
 
-- name: Generate new certificate if one doesn't exist
+- name: "Generate new certificate if one doesn't exist"
   shell: >
-    "certbot certonly --nginx --email '{{ letsencrypt_email }}'
+    certbot certonly --nginx --email '{{ letsencrypt_email }}'
     --agree-tos -d '{{ domain_name }}'
     {% if certbot_nginx_cert_name is defined %}
     --cert-name '{{ certbot_nginx_cert_name }}'
     {% endif %}
-    {% if letsencrypt_staging %} --staging {% endif %}"
+    {% if letsencrypt_staging %} --staging {% endif %}
   when: not letsencrypt_cert.stat.exists
+
+- name: Force generation of a new certificate
+  shell: >
+    certbot certonly --force-renewal --nginx --email '{{ letsencrypt_email }}'
+    --agree-tos -d '{{ domain_name }}'
+    {% if certbot_nginx_cert_name is defined %}
+    --cert-name '{{ certbot_nginx_cert_name }}'
+    {% endif %}
+    {% if letsencrypt_staging %} --staging {% endif %}
+  when: letsencrypt_cert.stat.exists and certbot_force_update is defined
+  notify: reload nginx