
Fail to detect a new domain has been added #49

Closed
MonsieurV opened this issue Feb 15, 2018 · 12 comments
Comments

@MonsieurV

Description

The role is currently not able to detect that a domain has been added for a certificate. Thus if we add a new domain to our list, nothing happens (generation is skipped).

What I would expect: the domain list change is detected and Certbot is run again (e.g. for a renewal including the added domains).

Could we add a way to test for any change in the domain list and issue the certificate again when the list has changed?

How to reproduce

First run the role with a domain list containing one to N items:

certbot_certs:
  - domains:
    - example1.com
    - example2.com

(Let the configuration be applied)

Then re-run the role after adding one to N domains:

certbot_certs:
  - domains:
    - example1.com
    - example2.com
    - example3.com
    - example4.com

(Here the certificate generation will be skipped, resulting in example3.com and example4.com not being part of the certificate)

Implementation

This is due to the condition detecting that a certificate exists: it only checks that we have a certificate with the name of the first domain.

- name: Check if certificate already exists.

This condition should be able to detect whether the currently existing certificate (if any) covers the same domains as the ones provided by the role variables.
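The stricter check the Implementation section asks for, as an added example that is not the role's own code: it reads the SAN list of the existing certificate from openssl's `-text` output and compares it with the desired domain list, so a certificate issued for the first list above is reported as needing reissue, with example3.com and example4.com missing. The openssl output sample is constructed, and the `cert_sans` helper and certificate path are assumptions.

```python
from __future__ import annotations

import re
import subprocess
from typing import Sequence

# Constructed sample of the relevant part of `openssl x509 -noout -text`
# for a certificate issued for the first domain list in the report.
SAMPLE_OPENSSL_OUTPUT = """\
            X509v3 Subject Alternative Name:
                DNS:example1.com, DNS:example2.com
"""


def parse_san_domains(openssl_output: str) -> set[str]:
    """Extract the DNS names listed in the subjectAltName extension."""
    return {m.lower() for m in re.findall(r"DNS:([^,\s]+)", openssl_output)}


def cert_sans(cert_path: str) -> set[str]:
    """Read the SANs of an on-disk certificate (assumed path, real openssl call)."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-text", "-in", cert_path],
        capture_output=True, text=True, check=True,
    )
    return parse_san_domains(result.stdout)


def certificate_covers(existing: set[str], wanted: Sequence[str]) -> dict:
    """Compare the SAN set of an existing certificate with the desired list.

    A first-domain-only existence check passes as soon as example1.com has
    a certificate; this check instead flags any difference in the full list,
    so an added (or removed) domain triggers a new certbot run.
    """
    wanted_set = {d.lower() for d in wanted}
    return {
        "reissue": wanted_set != existing,
        "missing": sorted(wanted_set - existing),   # in the role vars, not in the cert
        "extra": sorted(existing - wanted_set),     # in the cert, dropped from the vars
    }


if __name__ == "__main__":
    # Second list from the report: two domains were added after the first run.
    wanted = ["example1.com", "example2.com", "example3.com", "example4.com"]
    print(certificate_covers(parse_san_domains(SAMPLE_OPENSSL_OUTPUT), wanted))
```

In the role this would replace the single `stat` on the first domain's certificate path with a comparison of the parsed SAN set against `item.domains`, with the task re-running certbot whenever `reissue` is true.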

rei-ifesca added a commit to rei-ifesca/ansible-role-certbot that referenced this issue Sep 4, 2018
geerlingguy#49 Handle domain list change for a certificate
@JMLX42

JMLX42 commented Sep 12, 2018

Same issue here.

@mmcnl

mmcnl commented Nov 2, 2018

As a work-around, when dealing with a change in the domain list, I found that manually executing rm -rf /etc/letsencrypt on the server and then re-applying the ansible certbot role seems to allow a new cert to be generated successfully.

@madhermit

Another workaround:

certbot_certs:
  - domains:
    - example1.com
  - domains:
    - example2.com

This will cause each domain to be checked on its own.

@mikebell

I've just run into this as well, and can confirm the workaround from @madhermit works on Ubuntu 18.04.

@apphancer

I can confirm that @madhermit's workaround works, but it would be good to have this solved.

@jclendenan

Same issue here. Any thoughts on a fix?

Md5 sum of domains dict stored somewhere we can check?

@stale

stale bot commented Mar 6, 2020

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

@stale stale bot added the stale label Mar 6, 2020
@MonsieurV
Author

There is still a solution proposed for this issue with #50.

@stale

stale bot commented Mar 6, 2020

This issue is no longer marked for closure.

@stale stale bot removed the stale label Mar 6, 2020
@stale

stale bot commented Jun 4, 2020

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

@stale stale bot added the stale label Jun 4, 2020
@stale

stale bot commented Jul 4, 2020

This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.

@stale stale bot closed this as completed Jul 4, 2020
@Kampfmoehre

The workaround did not work for me because adding a second domain will fetch a new certificate instead of adding the domain to the existing cert. I would have to make an extra nginx config for the (sub)-domain to point to the extra cert.
