
Renew TLS certificates for pgBackRest fails at first run #19

@jouir


When the TLS certificates are updated (CA, server and agent certificates), the role fails the first time with:

TASK [hachyderm.general.pgbackrest : Check configuration] ************************************************************************************************************************************
fatal: [***REDACTED***]: FAILED! => {"changed": false, "cmd": ["pgbackrest", "--config", "/etc/pgbackrest-server/pgbackrest.conf", "check"], "delta": "0:00:00.037397", "end": "2026-03-05 06:55:37.754837", "msg": "non-zero return code", "rc": 95, "start": "2026-03-05 06:55:37.717440", "stderr": "", "stderr_lines": [], "stdout": "2026-03-05 06:55:37.735 P00   WARN: unable to check pg1: [CryptoError] unable to verify certificate presented by '***REDACTED***:8433 (***REDACTED***)': [19] self-signed certificate in certificate chain\n2026-03-05 06:55:37.753 P00  ERROR: [095]: unable to verify certificate presented by '***REDACTED***:8433 (***REDACTED***)': [19] self-signed certificate in certificate chain", "stdout_lines": ["2026-03-05 06:55:37.735 P00   WARN: unable to check pg1: [CryptoError] unable to verify certificate presented by '***REDACTED***:8433 (***REDACTED***)': [19] self-signed certificate in certificate chain", "2026-03-05 06:55:37.753 P00  ERROR: [095]: unable to verify certificate presented by '***REDACTED***:8433 (***REDACTED***)': [19] self-signed certificate in certificate chain"]}

After the failure, the "Restart agent" handler is triggered on the host presenting the failing certificate:

RUNNING HANDLER [hachyderm.general.pgbackrest : Restart agent] *******************************************************************************************************************************
changed: [***REDACTED***]

We may need to flush handlers before checking the configuration.
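One way to apply the ordering suggested above, shown as an added example that is not the role's own code: the certificate task notifies the "Restart agent" handler, and a `flush_handlers` meta task runs it before "Check configuration" connects to the agent. The file layout, the `pgbackrest_tls_files` variable, the file owner and the `pgbackrest-agent` service name are assumptions; the task name, handler name and check command come from the output above.

```yaml
# tasks/main.yml (hypothetical layout)
- name: Install TLS certificates
  ansible.builtin.copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: postgres          # assumed owner
    group: postgres
    mode: "{{ item.mode }}"
  loop: "{{ pgbackrest_tls_files }}"   # hypothetical variable: CA, server and agent files
  notify: Restart agent

# Run pending handlers now instead of at the end of the play, so the
# agent is restarted with the renewed certificates before the check.
- name: Flush handlers before checking the configuration
  ansible.builtin.meta: flush_handlers

- name: Check configuration
  ansible.builtin.command:
    argv:
      - pgbackrest
      - --config
      - /etc/pgbackrest-server/pgbackrest.conf
      - check
  changed_when: false

# handlers/main.yml (hypothetical layout)
- name: Restart agent
  ansible.builtin.service:
    name: pgbackrest-agent   # assumed service name
    state: restarted
```

With the default linear strategy, `flush_handlers` runs the notified handlers on every host in the play at that point, so this ordering only helps if the host running the agent and the host running the check are in the same play.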

Labels: bug
