ansible-playbooks/roles/ca/tasks/gen_acme.yml

- name: define some acme parameters
  set_fact:
    acme_staging: "{{ (ca_options | d({}) | combine(item)).acme_staging | d(false) }}"
    acme_upgrade_int_ca: "{{ cert_info is defined and ((cert_info.ocsp_uri is not defined) or (cert_info.ocsp_uri == None)) }}"


- name: determine if acme cert generation will be forced
  set_fact:
    acme_forced: "{{ acme_upgrade_int_ca or (always_update_acme is defined) }}"


- name: slurp account key from ca
  slurp:
    src: "{{ ca_dir ~ '/acme-' ~ ('staging' if acme_staging == true else 'main') ~ '.' ~ ca_key_ext }}"
  register: acme_account_key
  delegate_to: "{{ services.ca.hostname }}"


- name: define args for acme certificate generation
  set_fact:
    acme_common_args:
      account_key_content: "{{ acme_account_key.content | b64decode }}"
      account_key_passphrase: "{{ ca_acme_account_key_password }}"
      acme_directory: "{%- if (acme_staging == false) or (acme_staging == None) -%}{{ ca_acme_endpoint | d('https://acme-v02.api.letsencrypt.org/directory') }}\
                       {%- else -%}{{ ca_acme_staging_endpoint | d('https://acme-staging-v02.api.letsencrypt.org/directory') }}\
                       {%- endif -%}"
      acme_version: "{{ ca_acme_version | d(2) }}"
    acme_extra_args:
      challenge: dns-01
      csr_content: "{{ csr.csr }}"
      fullchain_dest: "{{ cert_path if ((ca_options | d({}) | combine(item)).concat_inter | d(true) == true) else omit }}"
      dest: "{{ cert_path if ((ca_options | d({}) | combine(item)).concat_inter | d(true) == false) else omit }}"
      modify_account: no
      remaining_days: 45
      force: "{{ acme_forced }}"
      terms_agreed: yes


- name: generate acme challenge request
  community.crypto.acme_certificate:
  args: "{{ acme_common_args | combine(acme_extra_args) }}"
  register: challenge
  changed_when: no


- block:
  - name: unset challenge_records
    set_fact:
      challenge_records: "{{ [] }}"


  - name: fill challenge records
    set_fact:
      challenge_records: "{{ challenge_records + [{
        'name': item2.key | regex_search('(.*).' ~ (tld | regex_escape()), '\\1') | first,
        'type': 'TXT',
        'value': item2.value[0]
      }] }}"
    loop: "{{ challenge['challenge_data_dns'] | dict2items }}"
    loop_control:
      loop_var: item2


  - include_tasks: gen_acme_include.yml


  - block:
      - name: revoke cert if it already exists
        community.crypto.acme_certificate_revoke:
          certificate: "{{ cert_path }}"
          revoke_reason: 4
        args: "{{ acme_common_args }}"
        when: (cert_exists is defined) and cert_exists.stat.exists and not acme_upgrade_int_ca

    rescue:
      - debug:
          msg: failed to revoke certificate, ignoring


  - name: finalize acme challenge request
    community.crypto.acme_certificate:
      data: "{{ challenge }}"
    args: "{{ acme_common_args | combine(acme_extra_args) }}"
    notify: "{{ ca_options.notify | d(omit) }}"

  when: (challenge.cert_days is not defined) or (challenge.cert_days < 45) or acme_forced
init 2 years ago			`- name: define some acme parameters`
			`set_fact:`
			`acme_staging: "{{ (ca_options \| d({}) \| combine(item)).acme_staging \| d(false) }}"`
			`acme_upgrade_int_ca: "{{ cert_info is defined and ((cert_info.ocsp_uri is not defined) or (cert_info.ocsp_uri == None)) }}"`


			`- name: determine if acme cert generation will be forced`
			`set_fact:`
			`acme_forced: "{{ acme_upgrade_int_ca or (always_update_acme is defined) }}"`


			`- name: slurp account key from ca`
			`slurp:`
			`src: "{{ ca_dir ~ '/acme-' ~ ('staging' if acme_staging == true else 'main') ~ '.' ~ ca_key_ext }}"`
			`register: acme_account_key`
			`delegate_to: "{{ services.ca.hostname }}"`


			`- name: define args for acme certificate generation`
			`set_fact:`
			`acme_common_args:`
			`account_key_content: "{{ acme_account_key.content \| b64decode }}"`
			`account_key_passphrase: "{{ ca_acme_account_key_password }}"`
			`acme_directory: "{%- if (acme_staging == false) or (acme_staging == None) -%}{{ ca_acme_endpoint \| d('https://acme-v02.api.letsencrypt.org/directory') }}\`
			`{%- else -%}{{ ca_acme_staging_endpoint \| d('https://acme-staging-v02.api.letsencrypt.org/directory') }}\`
			`{%- endif -%}"`
			`acme_version: "{{ ca_acme_version \| d(2) }}"`
			`acme_extra_args:`
			`challenge: dns-01`
			`csr_content: "{{ csr.csr }}"`
			`fullchain_dest: "{{ cert_path if ((ca_options \| d({}) \| combine(item)).concat_inter \| d(true) == true) else omit }}"`
			`dest: "{{ cert_path if ((ca_options \| d({}) \| combine(item)).concat_inter \| d(true) == false) else omit }}"`
			`modify_account: no`
			`remaining_days: 45`
			`force: "{{ acme_forced }}"`
			`terms_agreed: yes`


			`- name: generate acme challenge request`
			`community.crypto.acme_certificate:`
			`args: "{{ acme_common_args \| combine(acme_extra_args) }}"`
			`register: challenge`
			`changed_when: no`


			`- block:`
			`- name: unset challenge_records`
			`set_fact:`
			`challenge_records: "{{ [] }}"`


			`- name: fill challenge records`
			`set_fact:`
			`challenge_records: "{{ challenge_records + [{`
			`'name': item2.key \| regex_search('(.*).' ~ (tld \| regex_escape()), '\\1') \| first,`
			`'type': 'TXT',`
			`'value': item2.value[0]`
			`}] }}"`
			`loop: "{{ challenge['challenge_data_dns'] \| dict2items }}"`
			`loop_control:`
			`loop_var: item2`


			`- include_tasks: gen_acme_include.yml`


			`- block:`
			`- name: revoke cert if it already exists`
			`community.crypto.acme_certificate_revoke:`
			`certificate: "{{ cert_path }}"`
			`revoke_reason: 4`
			`args: "{{ acme_common_args }}"`
			`when: (cert_exists is defined) and cert_exists.stat.exists and not acme_upgrade_int_ca`

			`rescue:`
			`- debug:`
			`msg: failed to revoke certificate, ignoring`


			`- name: finalize acme challenge request`
			`community.crypto.acme_certificate:`
			`data: "{{ challenge }}"`
			`args: "{{ acme_common_args \| combine(acme_extra_args) }}"`
			`notify: "{{ ca_options.notify \| d(omit) }}"`

			`when: (challenge.cert_days is not defined) or (challenge.cert_days < 45) or acme_forced`