feat: add certificate download for temporary environments

community.crypto.acme_certificate does use the existing certificate file
to check for the validity in order to decide whether a certificate needs
renewal.

As this file isn't kept if running the playbook on a non persistent
environment such as a containerized ci runner this leads to a
certificate renewal on each playbook execution which might hit the limit
of 5 certs per seven days as configured on letsencrypt depending on the
configured schedule.

By downloading the certificate from the webserver beforehand to the
certificate file this check should work as expected again

roles/acme/defaults/main.yml

@@ -22,3 +22,6 @@ acme_s3_config_region: eu-west-1
 acme_s3_install_prerequisites: true
 acme_local_validation_path: /var/www/html
 acme_azure_purge_state: absent
+
+### certificate download for non-persistent environments
+acme_download_cert: false

roles/acme/tasks/download_cert.yml

@@ -0,0 +1,13 @@
+---
+- name: Fetch current certificate from https server
+  ansible.community.crypto.get_certificate:
+    host: "{{ acme_cert_download_host | default(acme_domain.subject_alt_name[0]) }}"
+    port: "{{ acme_cert_download_port | default('443') }}"
+    server_name: "{{ acme_cert_san_name | default(acme_domain.subject_alt_name[0]) }}"
+  register: certificate
+
+- name: Write fetched certificate to file
+  ansible.builtin.copy:
+    content: "{{ certificate.cert }}"
+    dest: "{{ acme_cert_path }}"
+    mode: "0644"

roles/acme/tasks/main.yml

@@ -2,6 +2,11 @@
 - name: Preconditions
   ansible.builtin.include_tasks: preconditions.yml
 
+- name: Download Certificate from https
+  ansible.builtin.include_tasks: download_cert.yml
+  when:
+    - acme_download_cert
+
 - name: Run key generation
   ansible.builtin.include_tasks: create-keys.yml