---
- name: Certbot - Check the cert exists
  ansible.builtin.stat:
    path: "/etc/letsencrypt/live/{{ item.hostname }}/cert.pem"
  register: cert_stat

- name: Certbot - Get the SANs from the certificate file
  community.crypto.x509_certificate_info:
    path: "/etc/letsencrypt/live/{{ item.hostname }}/cert.pem"
  register: cert_info
  when: cert_stat.stat.exists

- name: Certbot - Calculate the SAN list
  ansible.builtin.set_fact:
    cert_sans: "{{ ['DNS:'] | product(item.sans | default([item.hostname])) | map('join') | list }}"

- name: Certbot - Request a certificate  # noqa no-changed-when ignore-errors
  ansible.builtin.command: "certbot certonly -n --expand --agree-tos {{ certbot_plugin_arguments[item.plugin | default('default')] }} -d '{{ item.hostname }}' {% for san in item.sans | default([]) %} -d '{{ san }}' {% endfor %} -m {{ certbot_certs_email }}"  # noqa no-change-when
  ignore_errors: true
  when: not cert_stat.stat.exists or cert_sans | difference(cert_info.subject_alt_name) | list | length > 0