Diffstat (limited to 'roles/x509/acmetool/cert')
-rw-r--r-- | roles/x509/acmetool/cert/finalize/defaults/main.yml (renamed from roles/x509/acmetool/cert/defaults/main.yml) | 0 | ||||
-rw-r--r-- | roles/x509/acmetool/cert/finalize/handlers/main.yml (renamed from roles/x509/acmetool/cert/handlers/main.yml) | 0 | ||||
-rw-r--r-- | roles/x509/acmetool/cert/finalize/tasks/main.yml (renamed from roles/x509/acmetool/cert/tasks/main.yml) | 4 | ||||
-rw-r--r-- | roles/x509/acmetool/cert/meta/main.yml | 3 | ||||
-rw-r--r-- | roles/x509/acmetool/cert/prepare/filter_plugins/acme_certs.py (renamed from roles/x509/acmetool/cert/filter_plugins/acme_certs.py) | 0 | ||||
-rw-r--r-- | roles/x509/acmetool/cert/prepare/tasks/main.yml | 41 |
6 files changed, 46 insertions, 2 deletions
diff --git a/roles/x509/acmetool/cert/defaults/main.yml b/roles/x509/acmetool/cert/finalize/defaults/main.yml
index ab0afaa3..ab0afaa3 100644
--- a/roles/x509/acmetool/cert/defaults/main.yml
+++ b/roles/x509/acmetool/cert/finalize/defaults/main.yml
diff --git a/roles/x509/acmetool/cert/handlers/main.yml b/roles/x509/acmetool/cert/finalize/handlers/main.yml
index a7fc43ed..a7fc43ed 100644
--- a/roles/x509/acmetool/cert/handlers/main.yml
+++ b/roles/x509/acmetool/cert/finalize/handlers/main.yml
diff --git a/roles/x509/acmetool/cert/tasks/main.yml b/roles/x509/acmetool/cert/finalize/tasks/main.yml
index 09980dad..91bf5157 100644
--- a/roles/x509/acmetool/cert/tasks/main.yml
+++ b/roles/x509/acmetool/cert/finalize/tasks/main.yml
@@ -3,8 +3,8 @@
 vars:
 acmetool_cert_satisfy:
 satisfy:
- names: "{{ acmetool_cert_hostnames | default([acmetool_cert_name]) }}"
+ names: "{{ acmetool_cert_hostnames }}"
 copy:
 content: "{{ acmetool_cert_config | default({}) | combine(acmetool_cert_satisfy) | to_nice_yaml }}"
- dest: "/var/lib/acme/desired/{{ acmetool_cert_name }}"
+ dest: "/var/lib/acme/desired/{{ acmetool_cert_name | default(acmetool_cert_hostnames[0]) }}"
 notify: reconcile acmetool
diff --git a/roles/x509/acmetool/cert/meta/main.yml b/roles/x509/acmetool/cert/meta/main.yml
new file mode 100644
index 00000000..8e6ac88d
--- /dev/null
+++ b/roles/x509/acmetool/cert/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+ - role: x509/acmetool/cert/prepare
+ - role: x509/acmetool/cert/finalize
diff --git a/roles/x509/acmetool/cert/filter_plugins/acme_certs.py b/roles/x509/acmetool/cert/prepare/filter_plugins/acme_certs.py
index 179f71e9..179f71e9 100644
--- a/roles/x509/acmetool/cert/filter_plugins/acme_certs.py
+++ b/roles/x509/acmetool/cert/prepare/filter_plugins/acme_certs.py
diff --git a/roles/x509/acmetool/cert/prepare/tasks/main.yml b/roles/x509/acmetool/cert/prepare/tasks/main.yml
new file mode 100644
index 00000000..1f7dc724
--- /dev/null
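Review bot: With the `default([acmetool_cert_name])` fallback dropped from `names` and `dest` now indexing `acmetool_cert_hostnames[0]`, the finalize role hard-requires a non-empty list but never checks for one, so an undefined or empty variable surfaces as a Jinja undefined/index error inside the `copy` task rather than a clear failure; the same `[0]` indexing appears in the new prepare/tasks/main.yml hunk. Because meta/main.yml orders prepare before finalize, one `assert` task at the top of prepare/tasks/main.yml covers both roles. The hostname is also interpolated into a path under `/var/lib/acme/desired/`, so the assert is the natural place to reject values containing a path separator, even though the list comes from role vars rather than external input. The task containing these `vars:` and `copy:` lines starts before the hunk (the hunk begins at file line 3).
```yaml
- name: validate acmetool_cert_hostnames
  assert:
    that:
      - acmetool_cert_hostnames is defined
      - acmetool_cert_hostnames is not string
      - acmetool_cert_hostnames | length > 0
      - acmetool_cert_hostnames | select('search', '/') | list | length == 0
    fail_msg: acmetool_cert_hostnames must be a non-empty list of hostnames without path separators

# … unchanged: existing tasks follow …
```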
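Review bot: Listing prepare and finalize under `dependencies` means Ansible runs each of them only once per play, since dependency roles without parameters are deduplicated unless their own meta/main.yml sets `allow_duplicates: true`; if `x509/acmetool/cert` is applied more than once in a play for different certificate sets, later applications may silently skip the prepare/finalize work for their hostnames. If repeated application is intended, add `allow_duplicates: true` to the meta of both sub-roles or include them from the parent with `include_role`. A comment above `dependencies:` would also help the next reader, e.g. `# order matters: prepare links the interim cert and exports the x509_certificate_path_* facts that finalize's consumers rely on`.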
+++ b/roles/x509/acmetool/cert/prepare/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+- name: check if acme certs already exist
+ loop: "{{ acmetool_cert_hostnames }}"
+ loop_control:
+ loop_var: acme_hostname
+ stat:
+ path: "/var/lib/acme/live/{{ acme_hostname }}"
+ register: acme_cert_stat
+
+- name: set acmecert_missing_hostnames variable
+ set_fact:
+ acmecert_missing_hostnames: "{{ acme_cert_stat.results | acme_cert_nonexistent(acmetool_cert_hostnames) }}"
+
+- name: link nonexistent hostnames to self-signed interim cert
+ when: acmecert_missing_hostnames | length > 0
+ block:
+ - name: get id of existing selfsigned interim certificate
+ command: cat /var/lib/acme/.selfsigned-interim-cert
+ changed_when: false
+ check_mode: false
+ register: selfsigned_interim_cert_id
+
+ - name: set selfsigned_interim_cert_id variable
+ set_fact:
+ selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_id.stdout }}"
+
+ - name: link to snakeoil cert for nonexistent hostnames
+ loop: "{{ acmecert_missing_hostnames }}"
+ loop_control:
+ loop_var: acme_missing_hostname
+ file:
+ src: "../certs/{{ selfsigned_interim_cert_id }}"
+ dest: "/var/lib/acme/live/{{ acme_missing_hostname }}"
+ state: link
+
+- name: export paths to certificate files
+ set_fact:
+ x509_certificate_path_key: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/privkey"
+ x509_certificate_path_fullchain: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/fullchain"
+ x509_certificate_path_cert: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/cert"
+ x509_certificate_path_chain: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/chain" |
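Review bot: The `get id of existing selfsigned interim certificate` task shells out with `command: cat` to read a one-line file, and the following `set_fact` reuses the name `selfsigned_interim_cert_id` for both the registered command result and the derived string, so the variable changes type mid-block and the later `src: "../certs/{{ selfsigned_interim_cert_id }}"` only works because the second task overwrites the first's register; reading the file with `slurp` (read-only and check-mode safe, so `changed_when`/`check_mode` become unnecessary) into a distinctly named register avoids both issues. Whether a stale or dangling `live/<hostname>` symlink counts as existing depends on `acme_cert_nonexistent` in acme_certs.py, which this diff only renames, so that is worth confirming against the `stat` results, which do not follow symlinks by default. The exported `x509_certificate_path_*` facts are host-scoped `set_fact` values keyed on `acmetool_cert_hostnames[0]` only; a comment above that task saying so, `# host-scoped facts; paths point at the interim self-signed cert until acmetool has reconciled`, would save consumers a surprise.
```yaml
    - name: get id of existing selfsigned interim certificate
      slurp:
        src: /var/lib/acme/.selfsigned-interim-cert
      register: selfsigned_interim_cert_file

    - name: set selfsigned_interim_cert_id variable
      set_fact:
        selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_file.content | b64decode | trim }}"

    # … unchanged: link to snakeoil cert for nonexistent hostnames …
```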