NETWAYS · widhalmt · Mar 10, 2026
diff --git a/roles/beats/tasks/beats-security.yml b/roles/beats/tasks/beats-security.yml
@@ -18,11 +18,13 @@
   when: beats_cert_expiration_date.skipped is not defined and not beats_cert_expiration_date.valid_at.check_period
 
 - name: Print the beats certificate renew message
-  ansible.builtin.debug:
-    msg: |
-      Your beats certificate will expire before {{ beats_cert_expiration_buffer }}.
-      Ansible will renew it.
   when: beats_cert_expiration_date.skipped is not defined and not beats_cert_expiration_date.valid_at.check_period
+  block:
+    - name: Print the beats certificate renew message
+      ansible.builtin.debug:
+        msg: |
+          Your beats certificate will expire before {{ beats_cert_expiration_buffer }}.
+          Ansible will renew it.
 
 - name: Backup beats certs then remove
   when: "'renew_beats_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or beats_cert_will_expire_soon | bool"

diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml
@@ -1,24 +1,24 @@
 ---

 - name: Ensure ca exists
  ansible.builtin.stat:
    path: "{{ elasticstack_ca_dir }}/elastic-stack-ca.p12"
  register: elasticstack_ca_exists
  when: inventory_hostname == elasticstack_ca_host

 - name: Get CA informations
  cert_info:
    path: "{{ elasticstack_ca_dir }}/elastic-stack-ca.p12"
    passphrase: "{{ elasticstack_ca_pass | default(omit, true) }}"
  register: elasticstack_ca_infos
  when: inventory_hostname == elasticstack_ca_host and elasticstack_ca_exists.stat.exists | bool

 - name: Set the ca expiration date in days
  ansible.builtin.set_fact:
    elasticstack_ca_expiration_days: "{{ ((elasticstack_ca_infos.not_valid_after | to_datetime()) - (ansible_date_time.date | to_datetime('%Y-%m-%d'))).days }}"
  when: inventory_hostname == elasticstack_ca_host and elasticstack_ca_infos.skipped is not defined

 - name: Set ca will expire soon to true
  ansible.builtin.set_fact:
    elasticstack_ca_will_expire_soon: true
  when: >
@@ -27,14 +27,16 @@
     elasticstack_ca_expiration_days | int <= elasticstack_ca_expiration_buffer | int
 
 - name: Print the ca renew message
-  ansible.builtin.debug:
-    msg: |
-      Your ca will expire in {{ elasticstack_ca_expiration_days }} days.
-      Ansible will renew it and all elastic stack certificates
   when: >
     inventory_hostname == elasticstack_ca_host and
     elasticstack_ca_expiration_days is defined and
     elasticstack_ca_expiration_days | int <= elasticstack_ca_expiration_buffer | int
+  block:
+    - name: Print the ca renew message
+      ansible.builtin.debug:
+        msg: |
+          Your ca will expire in {{ elasticstack_ca_expiration_days }} days.
+          Ansible will renew it and all elastic stack certificates
 
 - name: Stop Logstash
   ansible.builtin.service:
@@ -120,11 +122,13 @@
   when: elasticsearch_cert_expiration_days is defined and elasticsearch_cert_expiration_days | int <= elasticsearch_cert_expiration_buffer | int
 
 - name: Print the elasticsearch certificate renew message
-  ansible.builtin.debug:
-    msg: |
-      Your elasticsearch certificate will expire in {{ elasticsearch_cert_expiration_days }} days.
-      Ansible will renew it.
   when: elasticsearch_cert_expiration_days is defined and elasticsearch_cert_expiration_days | int <= elasticsearch_cert_expiration_buffer | int
+  block:
+    - name: Print the elasticsearch certificate renew message
+      ansible.builtin.debug:
+        msg: |
+          Your elasticsearch certificate will expire in {{ elasticsearch_cert_expiration_days }} days.
+          Ansible will renew it.
 
 - name: Backup elasticsearch certs on node then remove
   when: "'renew_es_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or elasticsearch_cert_will_expire_soon | bool"
@@ -408,7 +412,7 @@
  retries: 5
  delay: 10

 - name: Fetch Elastic password # noqa: risky-shell-pipe
  ansible.builtin.shell: >
    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
    grep "PASSWORD elastic" {{ elasticstack_initial_passwords }} |

diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml
@@ -23,11 +23,13 @@
   when: kibana_cert_expiration_days is defined and kibana_cert_expiration_days | int <= kibana_cert_expiration_buffer | int
 
 - name: Print the kibana certificate renew message
-  ansible.builtin.debug:
-    msg: |
-      Your kibana certificate will expire in {{ kibana_cert_expiration_days }} days.
-      Ansible will renew it.
   when: kibana_cert_expiration_days is defined and kibana_cert_expiration_days | int <= kibana_cert_expiration_buffer | int
+  block:
+    - name: Print the kibana certificate renew message
+      ansible.builtin.debug:
+        msg: |
+          Your kibana certificate will expire in {{ kibana_cert_expiration_days }} days.
+          Ansible will renew it.
 
 - name: Backup kibana certs then remove
   when: "'renew_kibana_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or kibana_cert_will_expire_soon | bool"

diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
@@ -23,11 +23,13 @@
   when: logstash_cert_expiration_days is defined and logstash_cert_expiration_days | int <= logstash_cert_expiration_buffer | int
 
 - name: Print the logstash certificate renew message
-  ansible.builtin.debug:
-    msg: |
-      Your logstash certificate will expire in {{ logstash_cert_expiration_days }} days.
-      Ansible will renew it.
   when: logstash_cert_expiration_days is defined and logstash_cert_expiration_days | int <= logstash_cert_expiration_buffer | int
+  block:
+    - name: Print the logstash certificate renew message
+      ansible.builtin.debug:
+        msg: |
+          Your logstash certificate will expire in {{ logstash_cert_expiration_days }} days.
+          Ansible will renew it.
 
 - name: Backup logstash certs then remove
   when: "'renew_logstash_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags"
@@ -42,7 +44,7 @@
      register: logstash_check_cert_path

    - name: Move cert directory on logstash
      ansible.builtin.copy:
        src: "{{ logstash_certs_dir }}"
        dest: "{{ logstash_certs_dir }}_{{ ansible_date_time.iso8601_micro }}"
        mode: preserve