Certbot does not get certificates for additional domains

[Kenya-West]

vars.yaml

  domains:
    - foo-1.bar.com
    - foo-1-frps.bar.com
    - foo-1-wg.bar.com
    - foo-1-xray.bar.com
    - foo-1-xui.bar.com # this domain already exists, others are not configured yet

  certbot_create_extra_args: "--expand --redirect"
  certbot_create_if_missing: true
  certbot_auto_renew: true
  certbot_auto_renew_user: "{{ standard_user }}"
  certbot_auto_renew_weekday: 3
  certbot_auto_renew_hour: 6
  certbot_auto_renew_minute: 20
  certbot_auto_renew_options: "--quiet"
  certbot_certs:
    - domains: "{{ domains }}"

playbook.yaml

roles:
  - role: geerlingguy.certbot
    tags: certbot
    become: true
    become_user: root

Certbot output:

Details

user@PC:~/ansible-my$ ansible-playbook -i ./inventory/staging.ini ./install_web_features.yaml --limit=vpn_xui_first[0]

PLAY [Install web features - currently includes certbot only] ******************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************
ok: [instance-01]

TASK [geerlingguy.certbot : Load a variable file based on the OS type, or a default if not found.] *****************************************
ok: [instance-01] => (item=/home/user/.ansible/roles/geerlingguy.certbot/vars/default.yml)

TASK [geerlingguy.certbot : Ensure dnf-plugins are installed on Rocky/AlmaLinux.] **********************************************************
skipping: [instance-01]

TASK [geerlingguy.certbot : Enable DNF module for Rocky/AlmaLinux.] ************************************************************************
skipping: [instance-01]

TASK [geerlingguy.certbot : Install Certbot.] **********************************************************************************************
ok: [instance-01]

TASK [geerlingguy.certbot : Set Certbot script variable.] **********************************************************************************
ok: [instance-01]

TASK [geerlingguy.certbot : Ensure snapd is installed.] ************************************************************************************
skipping: [instance-01]

TASK [geerlingguy.certbot : Ensure snapd is enabled.] **************************************************************************************
skipping: [instance-01]

TASK [geerlingguy.certbot : Enable classic snap support.] **********************************************************************************
skipping: [instance-01]

TASK [geerlingguy.certbot : Update snap after install.] ************************************************************************************
skipping: [instance-01]

TASK [geerlingguy.certbot : Install certbot via snap.] *************************************************************************************
skipping: [instance-01]

TASK [geerlingguy.certbot : Symlink certbot into place.] ***********************************************************************************
skipping: [instance-01]

TASK [geerlingguy.certbot : Set Certbot script variable.] **********************************************************************************
skipping: [instance-01]

TASK [geerlingguy.certbot : Clone Certbot into configured directory.] **********************************************************************
skipping: [instance-01]

TASK [geerlingguy.certbot : Set Certbot script variable.] **********************************************************************************
skipping: [instance-01]

TASK [geerlingguy.certbot : Ensure certbot-auto is executable.] ****************************************************************************
skipping: [instance-01]

TASK [geerlingguy.certbot : include_tasks] *************************************************************************************************
included: /home/user/.ansible/roles/geerlingguy.certbot/tasks/create-cert-standalone.yml for instance-01 => (item={'domains': ['foo-1.bar.com', 'foo-1-frps.bar.com', 'foo-1-wg.bar.com', 'foo-1-xray.bar.com', 'foo-1-xui.bar.com']})

TASK [geerlingguy.certbot : Check if certificate already exists.] **************************************************************************
ok: [instance-01]

TASK [geerlingguy.certbot : Ensure pre and post hook folders exist.] ***********************************************************************
ok: [instance-01] => (item=pre)
ok: [instance-01] => (item=post)

TASK [geerlingguy.certbot : Create pre hook to stop services.] *****************************************************************************
ok: [instance-01]

TASK [geerlingguy.certbot : Create post hook to start services.] ***************************************************************************
ok: [instance-01]

TASK [geerlingguy.certbot : Generate new certificate if one doesn't exist.] ****************************************************************
changed: [instance-01]

TASK [geerlingguy.certbot : include_tasks] *************************************************************************************************
skipping: [instance-01] => (item={'domains': ['foo-1.bar.com', 'foo-1-frps.bar.com', 'foo-1-wg.bar.com', 'foo-1-xray.bar.com', 'foo-1-xui.bar.com']}) 
skipping: [instance-01]

TASK [geerlingguy.certbot : Add cron job for certbot renewal (if configured).] *************************************************************
ok: [instance-01]

PLAY RECAP *********************************************************************************************************************************
instance-01             : ok=11   changed=1    unreachable=0    failed=0    skipped=13   rescued=0    ignored=0   

Only the already existing domain is present:

 $user: ~ ❯ sudo tree /etc/letsencrypt/live/
/etc/letsencrypt/live/
├── README
└── foo-1-xui.bar.com
    ├── README
    ├── cert.pem -> ../../archive/foo-1-xui.bar.com/cert3.pem
    ├── chain.pem -> ../../archive/foo-1-xui.bar.com/chain3.pem
    ├── fullchain.pem -> ../../archive/foo-1-xui.bar.com/fullchain3.pem
    └── privkey.pem -> ../../archive/foo-1-xui.bar.com/privkey3.pem

1 directory, 6 files

Destination host is Ubuntu 22.04

ansible --version output:

ansible [core 2.16.3]
  config file = /home/user/ansible-my/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.12.3 (main, Sep 11 2024, 14:17:37) [GCC 13.2.0] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

[kinoute]

Did you find a solution? I have the same problem. Two subdomains, only one gets the certificates.

[havvg]

I have the same scenario, however I figured this out so far:

I used the same variable structure, as you did. From my understanding, it just checks whether the certificate exists and does not validate, whether it's actually issued for the list of domains.

  domains:
    - foo-1.bar.com
    - foo-1-frps.bar.com
    - foo-1-wg.bar.com
    - foo-1-xray.bar.com
    - foo-1-xui.bar.com # this domain already exists, others are not configured yet

  certbot_certs:
    - domains: "{{ domains }}"

What I did to work around this issue is splitting up the certificates:

  domains_cert1:
    - foo-1-xui.bar.com # this domain already exists, others are not configured yet
  domains_cert2:
    - foo-1.bar.com
    - foo-1-frps.bar.com
    - foo-1-wg.bar.com
    - foo-1-xray.bar.com

  certbot_certs:
    - domains: "{{ domains_cert1 }}"
    - domains: "{{ domains_cert2 }}"

Now you got two certificates for different domains. That's what I was looking for in the first place, noticing the same issue you encountered when extending the original domains variable.

While this may not solve your issue, I hope it helps.

[havvg]

A different approach, which resembles my use-case.
I want a certificate for every domain, separately.

  vars:
    domains:
      - foo-1.bar.com
      - foo-1-frps.bar.com
      - foo-1-wg.bar.com
      - foo-1-xray.bar.com
      - foo-1-xui.bar.com

  tasks:
    - name: Define certificate list
      loop: "{{ domains }}"
      set_fact:
        certificates: "{{ certificates | default([]) + [{ 'domains': [item] }] }}"

    - name: Generate Let's Encrypt SSL Certificates
      include_role:
        name: geerlingguy.certbot
      vars:
        certbot_certs: "{{ certificates }}"
        # …

[Kenya-West]

Did you find a solution? I have the same problem. Two subdomains, only one gets the certificates.

Sorry for late response @kinoute. Had quite tough time these weeks. Now, I am back online.

Answering your question... I just gave up and setup cronjob by myself:

post_tasks: # After the geerlingguy/ansible-role-certbot role execution
    - name: Add cron job for certbot renew
      become: true
      become_user: root
      ansible.builtin.cron:
        name: "Certbot renew"
        minute: "{{ certbot_auto_renew_minute }}"
        hour: "{{ certbot_auto_renew_hour }}"
        weekday: "{{ certbot_auto_renew_weekday }}"
        job: "{{ dest_project_fullpath }}/scripts/update.sh"

update.sh.j2

#!/bin/bash

echo "Starting update.sh script"
# you can add --pre-hook, --deploy-hook and --post-hook containing/pointing to shell scripts files in the command below
certbot certonly --expand --redirect --standalone --agree-tos --email {{ emails.domain }} -d {{ domains | join(',') }} --non-interactive
echo "Completed update.sh script"

and that's it. Works good.

[pat-s]

The issue is upstream related and explained here.

tl;dr: use distinct calls with only one -d for each command, otherwise the command will exit once it recognized an already existing domain.

[pat-s]

As this repo has not much activity, I went ahead and created a fork which includes a fix for processing multiple domains: devxy/ansible/certbot.

Primarily for own use right now but also happy to take contributions and publish to Ansible Galaxy.