sshd_cert: Renew cert if it's close to expire

roles/sshd_cert/tasks/main.yml

@@ -23,6 +23,20 @@
   delegate_to: localhost
   register: sshd_cert_status
 
+- name: Get certificate info
+  ansible.builtin.command:
+    argv:
+      - ssh-keygen
+      - -L
+      - -f
+      - "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub"
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  when: sshd_cert_status.stat.exists
+  delegate_to: localhost
+  register: sshd_cert_info
+
 - name: Sign certificate
   ansible.builtin.command:
     argv:
@@ -41,7 +55,11 @@
       - "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub"
   when: >
     not sshd_cert_status.stat.exists or
-    sshd_cert_status.stat.mtime | int < sshd_cert_pubkey.stat.mtime | int
+    sshd_cert_status.stat.mtime | int < sshd_cert_pubkey.stat.mtime | int or
+    (
+      sshd_cert_info.stdout_lines | select('match', '^[ ]*Valid: ') |
+      first | split() | last | to_datetime('%Y-%m-%dT%H:%M:%S')
+    ).strftime('%s') | int < ansible_date_time.epoch | int + 2592000
   delegate_to: localhost
 
 - name: Install certificate