---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

## SET UP ACCOUNT KEYS ########################################################################
- block:
  - name: Generate account keys
    openssl_privatekey:
      path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
      type: "{{ item.type }}"
      size: "{{ item.size | default(omit) }}"
      curve: "{{ item.curve | default(omit) }}"
      force: true
    loop: "{{ account_keys }}"

  vars:
    account_keys:
      - name: account-ec256
        type: ECC
        curve: secp256r1
## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
- name: Obtain cert 1
  include_tasks: obtain-cert.yml
  vars:
    certgen_title: Certificate 1 for renewal check
    certificate_name: cert-1
    key_type: rsa
    rsa_bits: "{{ default_rsa_key_size }}"
    subject_alt_name: "DNS:example.com"
    subject_alt_name_critical: false
    account_key: account-ec256
    challenge: http-01
    modify_account: true
    deactivate_authzs: false
    force: true
    remaining_days: "{{ omit }}"
    terms_agreed: true
    account_email: "example@example.org"
## OBTAIN CERTIFICATE INFOS ###################################################################
- name: Dump OpenSSL x509 info
  command:
    cmd: openssl x509 -in {{ remote_tmp_dir }}/cert-1.pem -noout -text
- name: Obtain certificate information
  x509_certificate_info:
    path: "{{ remote_tmp_dir }}/cert-1.pem"
  register: cert_1_info
- name: Read certificate
  slurp:
    src: '{{ remote_tmp_dir }}/cert-1.pem'
  register: slurp_cert_1
- name: Obtain certificate information (1/11)
  acme_certificate_renewal_info:
    select_crypto_backend: "{{ select_crypto_backend }}"
    certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: false
  register: cert_1_renewal_1
- name: Obtain certificate information (2/11)
  acme_certificate_renewal_info:
    select_crypto_backend: "{{ select_crypto_backend }}"
    certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: false
    remaining_days: 1000
    remaining_percentage: 0.5
  register: cert_1_renewal_2
- name: Obtain certificate information (3/11)
  acme_certificate_renewal_info:
    select_crypto_backend: "{{ select_crypto_backend }}"
    certificate_content: "{{ slurp_cert_1.content | b64decode }}"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: false
    now: +1800d
  register: cert_1_renewal_3
- name: Obtain certificate information (4/11)
  acme_certificate_renewal_info:
    select_crypto_backend: "{{ select_crypto_backend }}"
    certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: false
    now: +1800d
    remaining_days: 30
    remaining_percentage: 0.1
  register: cert_1_renewal_4
- name: Obtain certificate information (5/11)
  acme_certificate_renewal_info:
    select_crypto_backend: "{{ select_crypto_backend }}"
    certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: false
    now: +1800d
    remaining_days: 30
    remaining_percentage: 0.01
  register: cert_1_renewal_5
- name: Obtain certificate information (6/11)
  acme_certificate_renewal_info:
    select_crypto_backend: "{{ select_crypto_backend }}"
    certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: false
    now: +1800d
    remaining_days: 10
    remaining_percentage: 0.03
  register: cert_1_renewal_6
- name: Obtain certificate information (7/11)
  acme_certificate_renewal_info:
    select_crypto_backend: "{{ select_crypto_backend }}"
    certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: false
    now: +1830d
  register: cert_1_renewal_7
- name: Obtain certificate information (8/11)
  acme_certificate_renewal_info:
    select_crypto_backend: "{{ select_crypto_backend }}"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: false
    now: +1830d
  register: cert_1_renewal_8
- name: Obtain certificate information (9/11)
  acme_certificate_renewal_info:
    select_crypto_backend: "{{ select_crypto_backend }}"
    certificate_path: "{{ remote_tmp_dir }}/cert-does-not-exist.pem"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: false
  register: cert_1_renewal_9
- name: Create broken file
  copy:
    dest: "{{ remote_tmp_dir }}/cert-is-broken.pem"
    content: |
      --- THIS IS NOT A CERT ---
- name: Obtain certificate information (10/11)
  acme_certificate_renewal_info:
    treat_parsing_error_as_non_existing: false
    select_crypto_backend: "{{ select_crypto_backend }}"
    certificate_path: "{{ remote_tmp_dir }}/cert-is-broken.pem"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: false
  register: cert_1_renewal_10
  ignore_errors: true
- name: Obtain certificate information (11/11)
  acme_certificate_renewal_info:
    treat_parsing_error_as_non_existing: true
    select_crypto_backend: "{{ select_crypto_backend }}"
    certificate_path: "{{ remote_tmp_dir }}/cert-is-broken.pem"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: false
  register: cert_1_renewal_11