UCL-MIRSG · ruaridhg · Dec 4, 2024 · Nov 28, 2024 · Nov 28, 2024 · Dec 2, 2024
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
@@ -45,21 +45,59 @@
     mode: "0700"
   when: nginx_use_ssl
 
-- name: Copy server certificates to nginx
+- name: Get current SSL certificate info
+  community.crypto.x509_certificate_info:
+    path: "{{ nginx_ssl_cert_file }}"
+  register: current_cert_info
+  ignore_errors: true # Handle case where file doesn't exist
+  when: nginx_use_ssl
+
+- name: Get cached SSL certificate info
+  community.crypto.x509_certificate_info:
+    path: "{{ nginx_server_cert_cache }}"
+  register: cached_cert_info
+  when: nginx_use_ssl
+
+- name: Copy server certificates from cache (if it has a later expiry) to nginx
   ansible.builtin.copy:
     remote_src: true
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
     owner: "{{ nginx_owner }}"
     group: "{{ nginx_group }}"
     mode: "0600"
+    backup: true # Preserve overwritten certificates and keys for rollback
   with_items:
     - src: "{{ nginx_server_cert_cache }}"
       dest: "{{ nginx_ssl_cert_file }}"
     - src: "{{ nginx_server_key_cache }}"
       dest: "{{ nginx_ssl_key_file }}"
   notify: Reload nginx
-  when: nginx_use_ssl
+  when:
+    - nginx_use_ssl
+    - current_cert_info.failed or (cached_cert_info.cert.not_after | to_datetime
+      > current_cert_info.cert.not_after | to_datetime)
+
+- name:
+    Copy server certificates from nginx (if it has a later expiry) back to cache
+  ansible.builtin.copy:
+    remote_src: true
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "{{ nginx_owner }}"
+    group: "{{ nginx_group }}"
+    mode: "0600"
+    backup: true # Preserve overwritten certificates and keys for rollback
+  with_items:
+    - src: "{{ nginx_ssl_cert_file }}"
+      dest: "{{ nginx_server_cert_cache }}"
+    - src: "{{ nginx_ssl_key_file }}"
+      dest: "{{ nginx_server_key_cache }}"
+  notify: Reload nginx
+  when:
+    - nginx_use_ssl
+    - (cached_cert_info.cert.not_after | to_datetime <
+      current_cert_info.cert.not_after | to_datetime)
 
 - name:
     Generate Diffie-Hellman (DH) parameters. Number of {{