https://github.com/andreasscherbaum/ansible_check_cert_age
Ansible filter which checks the age (remaining valid time) of a certificate
ansible ansible-filters lets-encrypt letsencrypt letsencrypt-certificates python
- Host: GitHub
- URL: https://github.com/andreasscherbaum/ansible_check_cert_age
- Owner: andreasscherbaum
- License: gpl-3.0
- Created: 2019-02-23T17:01:05.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2020-03-10T11:22:43.000Z (over 6 years ago)
- Last Synced: 2025-06-09T04:41:37.168Z (about 1 year ago)
- Topics: ansible, ansible-filters, lets-encrypt, letsencrypt, letsencrypt-certificates, python
- Language: Python
- Size: 14.6 KB
- Stars: 0
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# ansible_check_cert_age
Ansible filter plugins which check the age (remaining valid time) of a certificate, or whether a certificate exists.
# Installation
Create a subfolder _filter_plugins_ in your Playbook directory. Place the .py script in _filter_plugins_.
# cert_age.py
## Usage
In your Playbook, specify this filter on the certificate filename, and supply the minimum number of days the cert must be valid.
### Example 1:
```
- name: Cert is valid
  debug:
    msg: "{{ ('/path/to/signed.crt')|check_cert_age(15) }}"
```
This will print _0_ if the cert is valid for at least the given number of days, and _1_ otherwise.
### Example 2:
```
- name: Renew cert
  shell: ...
  when: ('/path/to/signed.crt')|check_cert_age(15) == "1"
```
This will execute the task when the cert is about to expire.
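A filter with the same contract, written as an added example (it is not the repository's `cert_age.py`): it returns the string `0` or `1` as described above, and treats a missing or unparsable certificate as `1` so that a renewal task runs instead of being skipped. Delegating the check to `openssl x509 -checkend` and the injectable `run` parameter are assumptions of this example.

```python
# Added example, not the repository's cert_age.py. The "0"/"1" string contract
# comes from the README; using `openssl x509 -checkend` is an assumption.
import os
import subprocess


def check_cert_age(path, min_days, run=subprocess.run):
    """Return "0" if the cert at `path` stays valid for `min_days`, else "1"."""
    min_days = int(min_days)
    if min_days < 0:
        raise ValueError("min_days must be >= 0")
    # A missing cert cannot be valid: report "1" so the renewal task runs.
    if not os.path.isfile(path):
        return "1"
    # -checkend N exits 0 when the cert is still valid N seconds from now.
    # Argument list, no shell: the path is never interpreted by a shell.
    # If the openssl binary is absent, run() raises and the play fails loudly.
    proc = run(
        ["openssl", "x509", "-checkend", str(min_days * 86400),
         "-noout", "-in", path],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False,
    )
    # Any non-zero exit (expiring soon, or unparsable file) counts as "1".
    return "0" if proc.returncode == 0 else "1"


class FilterModule(object):
    """Ansible discovers filters through a FilterModule.filters() mapping."""

    def filters(self):
        return {"check_cert_age": check_cert_age}
```

Because the result is a string, the `when:` comparison has to be against `"1"`, as in Example 2.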
# cert_exists.py
## Usage
In your Playbook, specify this filter on the certificate filename in order to find out if the certificate already exists.
There is no easy way to loop over many domains/certificates and make Ansible not fail the loop if the certificate does not (yet) exist.
This can be handled for a single cert by using the _stat_ module. But in a loop this requires moving the entire code block into a separate file, and looping over the domains/certs by including the file. As of now, Ansible can't loop over code blocks with more than one task.
### Example
```
- name: Cert exists
  debug:
    # loop_var renames the loop variable, so use "website" rather than "item"
    msg: "Certificate file exists: {{ website.key }}"
  with_dict: "{{ websites }}"
  loop_control:
    loop_var: website
    label: "{{ website.key }}"
  when:
    - (website.key + '/signed.crt')|cert_exists() == "1"
```