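# Issue a self-signed certificate for `certname` and build the two bundle
# files derived from it. Reads cert.certpath, cert.keypath, cert.csrpath,
# cert.chainpath, cert.fullpath and cert_backend.not_after.
# NOTE(review): common_cert.yml presumably prepares the key and CSR used
# below - confirm against that file.
- include_tasks: common_cert.yml

- name: "sign certificate for {{ certname }}"
  register: selfsignedsign
  openssl_certificate:
    path: "{{ cert.certpath }}"
    privatekey_path: "{{ cert.keypath }}"
    csr_path: "{{ cert.csrpath }}"
    provider: selfsigned
    selfsigned_not_after: "{{ cert_backend.not_after }}"

# The chain bundle holds only the certificate (self-signed, so there is no
# intermediate to append). Paths go through `quote` so that a path with
# spaces or shell metacharacters cannot change the command.
# NOTE(review): `creates` skips this task once the file exists, so a
# re-signed certificate is not copied into an existing chain file - confirm
# that renewal is handled elsewhere (e.g. in common_post.yml).
- name: "generate concatinated versions (chain) for {{ certname }}"
  shell: >-
    umask 0137;
    cat {{ cert.certpath | quote }} > {{ cert.chainpath | quote }}
  args:
    creates: "{{ cert.chainpath }}"

# The chain contains no key material, so world-readable is acceptable.
# Mode is quoted so it is always passed as an octal string.
- name: "set permission for concatinated versions (chain) for {{ certname }}"
  file:
    path: "{{ cert.chainpath }}"
    mode: "0644"
    owner: root
    group: ssl-cert

# The full bundle contains the PRIVATE KEY. `umask 0137` makes the shell
# create it as 0640, so it is never world-readable, not even between this
# task and the permission task that follows.
# NOTE(review): same `creates` caveat as the chain task - an existing full
# bundle keeps the old certificate/key after a re-sign.
- name: "generate concatinated versions (full) for {{ certname }}"
  shell: >-
    umask 0137;
    cat {{ cert.chainpath | quote }} {{ cert.keypath | quote }}
    > {{ cert.fullpath | quote }}
  args:
    creates: "{{ cert.fullpath }}"

# Restrict the key-bearing bundle to root and members of ssl-cert.
- name: "set permissions for concatinated versions (full) for {{ certname }}"
  file:
    path: "{{ cert.fullpath }}"
    mode: "0640"
    owner: root
    group: ssl-cert

# Expose whether the signing task changed the certificate.
# NOTE(review): presumably consumed by common_post.yml - confirm.
- set_fact:
    certchanged: "{{ selfsignedsign is changed }}"

# `include_tasks` matches the first task of this file; bare `include` is
# deprecated in Ansible.
- name: handle postflight
  include_tasks: common_post.yml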