Testing successful on EasyDNS.

defaults/main.yml

@@ -2,7 +2,7 @@
 acme_path: /var/acme
 acme_system_user: acme
 acme_system_group: acme
-nginx_config_dhparam: "{{ acme_path }}/dhparams.pem"
+nginx_config_dhparam: "/etc/ssl/dhparams.pem"
 nginx_user: nginx
 
 lego_environment:

tasks/dhparams.yml

@@ -18,5 +18,5 @@
 # https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_dhparam_module.html
 - name: Generate Diffie-Hellman parameters with the default size (4096 bits)
   community.crypto.openssl_dhparam:
-    path: "{{ acme_path }}/dhparams.pem"
+    path: "/etc/ssl/dhparams.pem"
   tags: dhparams

tasks/lego.yml

@@ -7,46 +7,40 @@
     path: "{{ lego_path }}/certificates/{{ acme_domain.domain }}.crt"
   register: lego_cert
   delegate_to: localhost
-  tags: lego
 
 - name: Instruct lego to register an account and order a new certificate if one doesn't already exist.
   set_fact:
     lego_command:  "{{ 'renew' if lego_cert.stat.exists else 'run'}}"
   delegate_to: localhost
-  tags: lego
 
-- name: Order acme certificates without waiting for propogation of TXT record to all authoritative name servers.
+- name: Order acme certificates, waiting for propogation of TXT record to all authoritative name servers.
   ansible.builtin.command: 
     cmd: >
-        lego --path {{ lego_path }} --dns {{ acme_domain.provider }} --domains {{ acme_domain.domain }} --email {{ acme_email }} --dns.disable-cp --accept-tos {{ lego_command }}
+        lego --path {{ lego_path }} --dns {{ acme_domain.provider }} --domains {{ acme_domain.domain }} --email {{ acme_email }} --accept-tos {{ lego_command }}
   register: lego_result
   delegate_to: localhost
   changed_when: False
   ignore_errors: true
-  tags: lego
   environment: "{{ lego_environment }}"
   
 - name: Print lego output with dns.disable-cp
   ansible.builtin.debug:
     var: lego_result
   delegate_to: localhost
-  tags: lego
 
-  # --dns.disable-cp: disables the need to wait the propagation of the TXT record to all authoritative name servers.
-  # I haven't yet figured out why it only works sporadically with or without this option.
-- name: Retry the last command if necessary, but wait for propogation of TXT record to all authoritative name servers.
+# --dns.disable-cp: disables the need to wait the propagation of the TXT record to all authoritative name servers.
+# I haven't yet figured out why it only works sporadically with or without this option.
+- name: Retry the last command if necessary, but don't wait for propogation of TXT record to all authoritative name servers.
   ansible.builtin.command: 
     cmd: >
-        lego --path {{ lego_path }} --dns {{ acme_domain.provider }} --domains {{ acme_domain.domain }} --email {{ acme_email }} --accept-tos {{ lego_command }}
+        lego --path {{ lego_path }} --dns {{ acme_domain.provider }} --domains {{ acme_domain.domain }} --email {{ acme_email }} --dns.disable-cp --accept-tos {{ lego_command }}
   when: lego_result.failed
   register: lego_result
   delegate_to: localhost
   changed_when: False
-  tags: lego
   environment: "{{ lego_environment }}"
   
 - name: Print lego output without dns.disable-cp
   ansible.builtin.debug:
     var: lego_result
   delegate_to: localhost
-  tags: lego

tasks/main.yml

@@ -17,6 +17,7 @@
     file: lego.yml
     apply:
       become: false
+      tags: lego
   loop: "{{ acme_domains }}"
   loop_control:
     loop_var: acme_domain
@@ -31,9 +32,9 @@
   loop_control:
     loop_var: acme_domain
   tags: nginx
-  when: os_family != 'RedHat'
+  when: ansible_os_family != 'RedHat'
 
-- name: Loop through the domain list (again) to copy certs and configure nginx for each ACME domain
+- name: (RedHat) Loop through the domain list (again) to copy certs and configure nginx for each ACME domain
   include_tasks:
     file: certificates-RedHat.yml
     apply:
@@ -42,7 +43,7 @@
   loop_control:
     loop_var: acme_domain
   tags: nginx
-  when: os_family == 'RedHat'
+  when: ansible_os_family == 'RedHat'
 
 - import_tasks: dhparams.yml
   become: true