diff --git a/tasks/renew-cert.yaml b/tasks/renew-cert.yaml
index ce6692e639531d99492ad1d8e906ff04b7300db1..bb703ea5a3ad3ec437bd38ec248921d35b30cd6f 100644
--- a/tasks/renew-cert.yaml
+++ b/tasks/renew-cert.yaml
@@ -9,17 +9,21 @@
   ansible.builtin.setup:
     gather_subset:
       - date_time
+  tags:
+    - always
 
 - name: Get account key file stat
   ansible.builtin.stat:
     path: &account_key_src account.key
   register: account_key_stat
+  tags:
+    - always
 
 - name: Generate account key
   community.crypto.openssl_privatekey:
     # yamllint disable rule:line-length
     force: |-
-      {{ (ansible_date_time.epoch|int - account_key_stat.stat.mtime|int)/(60*60*24*365) >= 4 }}
+      {{ account_key_stat.stat.exists and (ansible_date_time.epoch|int - account_key_stat.stat.mtime|int)/(60*60*24*365) >= 4 }}
     # yamllint enable rule:line-length
     mode: 0o0600
     path: *account_key_src
@@ -57,7 +61,7 @@
   community.crypto.openssl_privatekey:
     # yamllint disable rule:line-length
     force: |-
-      {{ (ansible_date_time.epoch|int - host_key_stat.stat.mtime|int)/(60*60*24*365) >= 4 }}
+      {{  host_key_stat.stat.exists and (ansible_date_time.epoch|int - host_key_stat.stat.mtime|int)/(60*60*24*365) >= 4 }}
     # yamllint enable rule:line-length
     mode: &mode 0o0600
     path: *key_src
@@ -175,7 +179,7 @@
       community.crypto.openssl_dhparam:
         # yamllint disable rule:line-length
         force: |-
-          {{ (ansible_date_time.epoch|int - dhparams_stat.stat.mtime|int)/(60*60*24*7) >= 4 }}
+          {{ dhparams_stat.stat.exists and (ansible_date_time.epoch|int - dhparams_stat.stat.mtime|int)/(60*60*24*7) >= 4 }}
         # yamllint enable rule:line-length
         mode: 0o0644
         path: *dhparams