Handle Let's Encrypt maintenance errors gracefully

- Extend certbundle task to ignore 'The service is down for maintenance or had an internal error' as a fatal failure. - Add debug/warning output when this error occurs, so playbook does not stop but logs the issue. - Ensure changed_when does not mark run as changed if only maintenance error was hit. Ref: https://chatgpt.com/share/68af4e15-24cc-800f-b1dd-6a5f2380e35a
2025-08-30 15:28:12 +02:00 · 2025-08-27 20:28:25 +02:00
parent de159db918
commit f62d09d8f1
1 changed files with 9 additions and 1 deletions
--- a/roles/srv-tls-core/tasks/flavors/san.yml
+++ b/roles/srv-tls-core/tasks/flavors/san.yml
@@ -23,7 +23,15 @@
      changed_when: "'Certificate not yet due for renewal' not in certbundle_result.stdout"
      failed_when: >
        certbundle_result.rc != 0
-        and 'too many certificates' not in certbundle_result.stderr
+        and 'too many certificates' not in (certbundle_result.stderr | lower | default(''))
+        and 'the service is down for maintenance or had an internal error' not in (certbundle_result.stderr | lower | default(''))
+
+    - name: Warn if LetsEncrypt was down
+      when: "'the service is down for maintenance or had an internal error' in (certbundle_result.stderr | lower | default(''))"
+      debug:
+        msg: >
+          WARNING: Let's Encrypt responded with "service down for maintenance / internal error".
+          Certificate request skipped; please retry later.

    - name: run the san tasks once
      set_fact: