Force recreate dhparams if older than 4 weeks.

tasks/renew-cert.yaml

@@ -134,13 +134,23 @@
   notify: '{{ handlers|default([]) }}'
 
 - name: Generate Diffie-Hellman parameters on {{ host }}
+  tags:
+    - dhparams
   delegate_to: *delegate_to
+  block:
+    - name: Get dhparams file stat
+      ansible.builtin.stat:
+        path: &dhparams /var/ssl/dhparams
+      register: dhparams_stat
+
+    - name: Generate Diffie-Hellman parameters on {{ host }}
       community.crypto.openssl_dhparam:
-    force: true
+        # yamllint disable rule:line-length
+        force: |-
+          {{ (ansible_date_time.epoch|int - dhparams_stat.stat.mtime|int)/(60*60*24*7) >= 0 }}
+        # yamllint enable rule:line-length
         mode: 0o0644
-    path: /var/ssl/dhparams
+        path: *dhparams
         size: 4096
         state: present
       notify: '{{ handlers|default([]) }}'
-  tags:
-    - dhparams