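---
# Per-host Let's Encrypt issuance: private key -> CSR -> ACME challenge ->
# signed certificate. Intended to be included once per host definition, with
# `item.server` holding the nginx paths/server_name and `item.letsencrypt`
# holding optional per-host overrides of the role-wide letsencrypt_ssl_* vars.

- name: provision ssl host private key
  openssl_privatekey:
    path: "{{ item.server.ssl_certificate_key }}"
    # Explicit owner-only permissions on the key; the CSR step reads it in place.
    mode: "0600"

- name: generate certificate signing request
  # Subject fields fall back to the role-wide defaults. Values come from
  # inventory/role variables; a value containing a double quote would break
  # the -subj argument. Fixed: the locality component was written as "/L"
  # with no "=", which openssl does not accept as a subject attribute.
  # Note: this is a plain command with no creates:/changed_when:, so it
  # regenerates the CSR and reports "changed" on every run.
  command: >
    openssl req -new -sha256 -nodes
    -key {{ item.server.ssl_certificate_key }}
    -out {{ item.letsencrypt.ssl_csr | default(item.server.ssl_certificate~'.csr') }}
    -subj "/C={{ item.letsencrypt.ssl_country | default(letsencrypt_ssl_country) }}/ST={{ item.letsencrypt.ssl_state | default(letsencrypt_ssl_state) }}/L={{ item.letsencrypt.ssl_loc | default(letsencrypt_ssl_loc) }}/O={{ item.letsencrypt.ssl_org | default(letsencrypt_ssl_org) }}/CN={{ item.letsencrypt.ssl_cn | default(item.server.server_name) }}/emailAddress={{ item.letsencrypt.ssl_email | default(letsencrypt_ssl_email) }}"

- name: get challenge(s) from letsencrypt server
  # First ACME round trip: registers the CSR and returns the challenge data.
  # Omitting acme_directory lets the module pick its default endpoint.
  letsencrypt:
    account_key: "{{ letsencrypt_account_key }}"
    csr: "{{ item.letsencrypt.ssl_csr | default(item.server.ssl_certificate~'.csr') }}"
    dest: "{{ item.server.ssl_certificate }}"
    acme_directory: "{{ letsencrypt_acme_dir | default(omit) }}"
  register: letsencrypt_challenge

- name: store challenge(s) in local dir
  # Only when a new challenge was issued; an already-valid cert reports no change.
  # `|changed` is the legacy filter form kept for compatibility with the
  # Ansible versions this file targets (newer releases use `is changed`).
  include: store_challenge.yaml
  when: letsencrypt_challenge|changed

- name: wait for operator to expose the challenge
  # Interactive gate: the ACME server must be able to reach this host before
  # validation starts. Skipped entirely when letsencrypt_pause is false.
  pause:
    prompt: "LETSENCRYPT REMOTE VERIFICATION REQUIRED!. Perform any action to make server reachable from outside, then press ENTER to start verification"
  when: letsencrypt_challenge|changed and letsencrypt_pause|bool

- name: get signed certificate(s) from letsencrypt server
  # Second ACME round trip: passes the registered challenge back so the
  # server validates it and writes the signed certificate to dest.
  letsencrypt:
    account_key: "{{ letsencrypt_account_key }}"
    csr: "{{ item.letsencrypt.ssl_csr | default(item.server.ssl_certificate~'.csr') }}"
    dest: "{{ item.server.ssl_certificate }}"
    acme_directory: "{{ letsencrypt_acme_dir | default(omit) }}"
    data: "{{ letsencrypt_challenge }}"
  notify: restart nginx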