Ansible playbook certificate renewal testing

I am using ansible playbook to generate lets encrypt certificate. The certificate is properly generated using staging mode.

Below are the ansible playbook steps:

TASK [Generate a Let's Encrypt account key] ***********************************************************************************************
changed: []

TASK [Generate Let's Encrypt private key] *************************************************************************************************
changed: []

TASK [Generate Let's Encrypt CSR] *********************************************************************************************************
changed: []

TASK [Begin Let's Encrypt challenges] *****************************************************************************************************
changed: []

TASK [Create .well-known/acme-challenge directory] ****************************************************************************************
ok: []

TASK [Implement http-01 challenge files] **************************************************************************************************
changed: [] => (item={'key': '', 'value': {'http-01': {'resource': '.well-known/acme-challenge/-hdQ4UKMI7oKyJZbO74n34wKW6HqsDfBRxKcHqKsTuA', 'resource_value': '-hdQ4UKMI7oKyJZbO74n34wKW6HqsDfBRxKcHqKsTuA.uqbHjf8YMC2sGlcnMFRRZiMEdM7L_M4sxndwaIX05tI'}, 'dns-01': {'resource': '_acme-challenge', 'resource_value': 'asJ54_0MKXyAmTgd-lrTajEwndwlyKTaN17bK8J3LcU', 'record': ''}, 'tls-alpn-01': {'resource': '', 'resource_original': '', 'resource_value': 'asJ54/0MKXyAmTgd+lrTajEwndwlyKTaN17bK8J3LcU='}}})

TASK [Complete Let's Encrypt challenges] **************************************************************************************************
changed: []

Now i want to test the renewal procedure. If i run the playbook again then ansible SKIPPED the TASK [Implement http-01 challenge files] step. No challenge file is created and no certificate is also generated. If i delete the csr, key and crt from /etc/letsencrypt path then it works and new cert is generated.

Is it because that the certificate is still valid and no renewal is required, so it skipped the TASK [Implement http-01 challenge files] task ?

I want to make sure that after expiration days new certificate will be created. is it possible to generated some cert will limited expiry time, so i can test that playbook will generate new cert or not ? i cannot find any --dry--run feature in ansible.

Reading the Ansible module docs, it looks like you'll probably want to use a combination of force and deactivate_authzs.

Make sure to only use force when using the staging server.


I used the force:true and new certificate files are generated , when playing the playbook.

does it mean, that it will also work when certificate will be expired ?

If the certificate expires in less than 30 days, it will be renewed even if you do not force it (usually, I don't know about ansible).

If you force a renewal, you only get 5 runs per week.

1 Like

Yes, it should work; Staging and production LE systems are supposed to be very similar.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.