Question regarding usage with Ansible #3

Open
thokari opened this issue Feb 25, 2017 · 3 comments

thokari commented Feb 25, 2017

This post mentions using Ansible together with JSON mode. But afaik Ansible can't talk to stdin like that, let alone in an asynchronous way. The problem I see is that the DNS TXT record creation (which Ansible has many modules for) needs to happen after the call to certbot, but while certbot is still running.
Is it maybe simply possible to execute the certbot command in multiple steps, i.e. first generate the token to stdout. Then run the validation in a second step, after the DNS update has been made, and waited for?

@dancvrcek
Collaborator

Hi thokari. Great feedback, thanks. We have briefly discussed it and we should be able to introduce separate steps.

Our thinking is that as part of the JSON, we'd return a sessionID. Adding this to cmd line parameters, you'd be able to resume, once you update DNS. Potentially multiple times, if the DNS verification fails.

@thokari
Author

thokari commented Feb 27, 2017

That sounds nice. I am thinking that using two steps, one could automate it using Ansible like this:

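# Step 1: start certbot and capture the JSON it prints on stdout
- shell: certbot -d example.com <more args>
  register: result

# set_fact has to be its own task; a task can only call one module
- set_fact:
      certbot_out_json: "{{ result.stdout | from_json }}"

# Step 2: publish the challenge token (placeholder for your provider's DNS module)
- your_cloudprovider:
      dns:
          domain: _certbot-challenge.example.com
          type: txt
          value: "{{ certbot_out_json.token }}"

# Step 3: poll until the TXT record with the token is visible
- shell: dig -t txt _certbot-challenge.example.com
  register: dig_result
  until: certbot_out_json.token in dig_result.stdout
  retries: 5
  delay: 60

# Step 4: resume the certbot session once DNS has been updated
- shell: certbot --resume --session-id {{ certbot_out_json.session_id }} <more args>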

@dancvrcek
Collaborator

We have now submitted a small pull request to certbot to make it work. certbot/certbot#4322

Fingers crossed it will get to the main branch.
