Ansible filter plugins that check the age (remaining valid time) of a certificate, or whether a certificate file exists.
Create a subfolder filter_plugins in your Playbook directory. Place the .py script in filter_plugins.
In your Playbook, apply this filter to the certificate filename and supply the minimum number of days the cert must still be valid.
- name: Cert is valid
  debug:
    msg: "{{ ('/path/to/signed.crt')|check_cert_age(15) }}"
This will print 0 if the cert is valid for at least that number of days, and 1 otherwise.
- name: Renew cert
  shell: ...
  when: ('/path/to/signed.crt')|check_cert_age(15) == "1"
This will execute the task only when the cert is about to expire.
In your Playbook, apply this filter to the certificate filename to find out whether the certificate already exists. There is no easy way to loop over many domains/certificates and keep Ansible from failing the loop when a certificate does not (yet) exist.
For a single cert this can be handled with the stat module. In a loop, however, that requires moving the entire code block into a separate file and looping over the domains/certs by including that file, because Ansible currently cannot loop over a block of more than one task.
- name: Cert exists
  debug:
    msg: "Certificate file exists: {{ website.key }}"
  with_dict: "{{ websites }}"
  loop_control:
    loop_var: website
    label: "{{ website.key }}"
  when:
    - (website.key + '/signed.crt')|cert_exists() == "1"
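The README does not show the plugin itself, so here is an added example of what a filter_plugins/cert_filters.py implementing both filters could look like; it is not the repository's own script. It assumes the `openssl` command-line tool is on PATH, and it returns the strings "0"/"1" so that the `when:` comparisons above work as written.

```python
# Added example (not the project's own plugin): implements check_cert_age and
# cert_exists as Ansible filters. Assumes the `openssl` CLI is available.
import os
import subprocess
from datetime import datetime, timezone

# Format of the value openssl prints after "notAfter=", without the "GMT" suffix.
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y"   # e.g. "Jan  1 00:00:00 2030"


def parse_enddate(line):
    """Turn an `openssl x509 -enddate -noout` line into an aware UTC datetime."""
    value = line.strip().split("=", 1)[1]          # drop "notAfter="
    value = value.rsplit(" ", 1)[0]                 # drop trailing "GMT"
    return datetime.strptime(value, OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)


def days_remaining(not_after, now=None):
    """Whole days until not_after; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def needs_renewal(not_after, min_days, now=None):
    """'0' if the cert stays valid for at least min_days more days, else '1'."""
    return "0" if days_remaining(not_after, now) >= int(min_days) else "1"


def read_not_after(cert_path):
    """Ask openssl for the certificate's notAfter date (assumes openssl on PATH)."""
    out = subprocess.check_output(
        ["openssl", "x509", "-enddate", "-noout", "-in", cert_path], text=True)
    return parse_enddate(out)


def check_cert_age(cert_path, min_days):
    """Filter: '0' when the cert is still valid for min_days, '1' otherwise."""
    if not os.path.isfile(cert_path):
        return "1"   # assumption: a missing cert counts as needing (re)issuing
    return needs_renewal(read_not_after(cert_path), min_days)


def cert_exists(cert_path):
    """Filter: '1' if the certificate file exists, '0' otherwise."""
    return "1" if os.path.isfile(cert_path) else "0"


class FilterModule(object):
    """Entry point Ansible looks for in every file under filter_plugins/."""
    def filters(self):
        return {"check_cert_age": check_cert_age, "cert_exists": cert_exists}
```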