- block:
    - name: Install certbundle
      include_role:
        name: pkgmgr-install
      vars:
        package_name: certbundle

    - name: Generate SAN certificate with certbundle
      command: >-
        certbundle
        --domains "{{ current_play_domains_all | join(',') }}"
        --certbot-email "{{ users.administrator.email }}"
        --certbot-acme-challenge-method "{{ CERTBOT_ACME_CHALLENGE_METHOD }}"
        --chunk-size 100
        {% if CERTBOT_ACME_CHALLENGE_METHOD != 'webroot' %}
        --certbot-credentials-file "{{ CERTBOT_CREDENTIALS_FILE }}"
        --certbot-dns-propagation-seconds "{{ CERTBOT_DNS_PROPAGATION_WAIT_SECONDS }}"
        {% else %}
        --letsencrypt-webroot-path "{{ LETSENCRYPT_WEBROOT_PATH }}"
        {% endif %}
        {{ '--mode-test' if MODE_TEST | bool else '' }}
      register: certbundle_result
      changed_when: "'Certificate not yet due for renewal' not in certbundle_result.stdout"
      failed_when: >
        certbundle_result.rc != 0
        and 'too many certificates' not in certbundle_result.stderr

    - name: run the san tasks once
      set_fact:
        run_once_san_certs: true
  when: run_once_san_certs is not defined