ansible-collection-core/roles/freeipa/tasks/certs.yml

---
- name: "FreeIPA Certificates | PATCH | Install latest certbot"
  ansible.builtin.dnf:
    name: certbot
    state: latest
    update_cache: true

- name: "FreeIPA Certificates | AUDIT | Check for existing certificate expiry"
  community.crypto.x509_certificate_info:
    path: "/etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem"
  register: freeipa_certs_existing_cert
  ignore_errors: true

- name: "FreeIPA Certificates | AUDIT | Calculate days until expiry"
  ansible.builtin.set_fact:
    freeipa_certs_days_until_expiry: "{{ ((freeipa_certs_existing_cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - now()).days }}"
  when: freeipa_certs_existing_cert.not_after is defined

- name: "FreeIPA Certificates | AUDIT | Print days until expiry"
  ansible.builtin.debug:
    msg: "{{ freeipa_certs_days_until_expiry }}"
  when: freeipa_certs_existing_cert.not_after is defined

- name: "FreeIPA Certificates | PATCH | Request a new or renewed certificate"
  when: (freeipa_certs_existing_cert.failed) or (freeipa_certs_days_until_expiry | int < 30)
  block:
    - name: "FreeIPA Certificates | PATCH | Download Let's Encrypt Root"
      ansible.builtin.get_url:
        url: "https://letsencrypt.org/certs/{{ item }}.pem"
        dest: /root/{{ item }}.pem
        owner: root
        group: root
        mode: "0600"
      with_items:
        - isrgrootx1
        - isrg-root-x2

    - name: "FreeIPA Certificates | PATCH | Download Let's Encrypt Intermediates"
      ansible.builtin.get_url:
        url: "https://letsencrypt.org/certs/2024/{{ item }}.pem"
        dest: "/root/{{ item }}.pem"
        owner: root
        group: root
        mode: "0600"
      with_items:
        - e7-cross
        - e8-cross
        - r12
        - r13

    - name: "FreeIPA Certificates | AUDIT | Check httpd"
      ansible.builtin.systemd_service:
        name: httpd
      register: freeipa_certs_httpd_status

    - name: "FreeIPA Certificates | PATCH | Stop httpd"
      ansible.builtin.systemd_service:
        name: httpd
        state: stopped
      when: freeipa_certs_httpd_status.status.ActiveState == "active"

    - name: "FreeIPA Certificates | PATCH | Add http service to firewall (in case freeipa service is not yet configured)"
      ansible.posix.firewalld:
        service: http
        state: enabled

    - name: "FreeIPA Certificates | PATCH | Request new certificate"
      ansible.builtin.command:
        cmd: certbot certonly --standalone --preferred-challenges http --agree-tos -n -d {{ inventory_hostname }} --register-unsafely-without-email
      when: freeipa_certs_existing_cert.failed

    - name: "FreeIPA Certificates | PATCH | Renew existing certificate"
      ansible.builtin.command:
        cmd: certbot renew
      when: not freeipa_certs_existing_cert.failed

    - name: "FreeIPA Certificates | PATCH | Remove http service from firewall"
      ansible.posix.firewalld:
        service: http
        state: disabled

    - name: "FreeIPA Certificates | PATCH | Start httpd"
      ansible.builtin.systemd_service:
        name: httpd
        state: started
      when: freeipa_certs_httpd_status.status.ActiveState == "active"

- name: "FreeIPA Certificates | PATCH | Create PKCS#12 encoded certificate"
  community.crypto.openssl_pkcs12:
    action: export
    path: /root/server.p12
    friendly_name: "{{ inventory_hostname }}"
    privatekey_path: "/etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem"
    certificate_path: "/etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem"
    other_certificates: "/etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem"
    other_certificates_parse_all: true
    owner: root
    group: root
    mode: "0600"
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`---`
			`- name: "FreeIPA Certificates \| PATCH \| Install latest certbot"`
			`ansible.builtin.dnf:`
			`name: certbot`
			`state: latest`
			`update_cache: true`

			`- name: "FreeIPA Certificates \| AUDIT \| Check for existing certificate expiry"`
			`community.crypto.x509_certificate_info:`
			`path: "/etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem"`
			`register: freeipa_certs_existing_cert`
			`ignore_errors: true`

			`- name: "FreeIPA Certificates \| AUDIT \| Calculate days until expiry"`
			`ansible.builtin.set_fact:`
			`freeipa_certs_days_until_expiry: "{{ ((freeipa_certs_existing_cert.not_after \| to_datetime('%Y%m%d%H%M%SZ')) - now()).days }}"`
			`when: freeipa_certs_existing_cert.not_after is defined`

			`- name: "FreeIPA Certificates \| AUDIT \| Print days until expiry"`
lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`ansible.builtin.debug:`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`msg: "{{ freeipa_certs_days_until_expiry }}"`
			`when: freeipa_certs_existing_cert.not_after is defined`

			`- name: "FreeIPA Certificates \| PATCH \| Request a new or renewed certificate"`
			`when: (freeipa_certs_existing_cert.failed) or (freeipa_certs_days_until_expiry \| int < 30)`
			`block:`
			`- name: "FreeIPA Certificates \| PATCH \| Download Let's Encrypt Root"`
			`ansible.builtin.get_url:`
			`url: "https://letsencrypt.org/certs/{{ item }}.pem"`
			`dest: /root/{{ item }}.pem`
			`owner: root`
			`group: root`
			`mode: "0600"`
			`with_items:`
			`- isrgrootx1`
			`- isrg-root-x2`

			`- name: "FreeIPA Certificates \| PATCH \| Download Let's Encrypt Intermediates"`
			`ansible.builtin.get_url:`
			`url: "https://letsencrypt.org/certs/2024/{{ item }}.pem"`
			`dest: "/root/{{ item }}.pem"`
			`owner: root`
			`group: root`
			`mode: "0600"`
			`with_items:`
			`- e7-cross`
			`- e8-cross`
			`- r12`
			`- r13`

			`- name: "FreeIPA Certificates \| AUDIT \| Check httpd"`
			`ansible.builtin.systemd_service:`
			`name: httpd`
			`register: freeipa_certs_httpd_status`

			`- name: "FreeIPA Certificates \| PATCH \| Stop httpd"`
			`ansible.builtin.systemd_service:`
			`name: httpd`
			`state: stopped`
			`when: freeipa_certs_httpd_status.status.ActiveState == "active"`

			`- name: "FreeIPA Certificates \| PATCH \| Add http service to firewall (in case freeipa service is not yet configured)"`
			`ansible.posix.firewalld:`
			`service: http`
			`state: enabled`

			`- name: "FreeIPA Certificates \| PATCH \| Request new certificate"`
			`ansible.builtin.command:`
			`cmd: certbot certonly --standalone --preferred-challenges http --agree-tos -n -d {{ inventory_hostname }} --register-unsafely-without-email`
			`when: freeipa_certs_existing_cert.failed`

			`- name: "FreeIPA Certificates \| PATCH \| Renew existing certificate"`
			`ansible.builtin.command:`
			`cmd: certbot renew`
			`when: not freeipa_certs_existing_cert.failed`

			`- name: "FreeIPA Certificates \| PATCH \| Remove http service from firewall"`
			`ansible.posix.firewalld:`
			`service: http`
			`state: disabled`

			`- name: "FreeIPA Certificates \| PATCH \| Start httpd"`
			`ansible.builtin.systemd_service:`
			`name: httpd`
			`state: started`
			`when: freeipa_certs_httpd_status.status.ActiveState == "active"`

			`- name: "FreeIPA Certificates \| PATCH \| Create PKCS#12 encoded certificate"`
			`community.crypto.openssl_pkcs12:`
			`action: export`
			`path: /root/server.p12`
			`friendly_name: "{{ inventory_hostname }}"`
			`privatekey_path: "/etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem"`
			`certificate_path: "/etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem"`
			`other_certificates: "/etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem"`
			`other_certificates_parse_all: true`
			`owner: root`
			`group: root`
			`mode: "0600"`