diff --git a/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml b/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
index c441f8b629..7ea6aaa175 100644
--- a/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
+++ b/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
@@ -1,20 +1,33 @@
-- name: Install acme.sh client
-  git:
-    repo: https://github.com/acmesh-official/acme.sh
-    dest: /opt/acme.sh
-    # Pinned due to https://github.com/acmesh-official/acme.sh/issues/4416
-    version: 3.0.5
-  register: clone_acmesh_result
-  until: clone_acmesh_result is not failed
-  retries: 3
-  delay: 2
+- name: Check status of acme.sh script
+  stat:
+    path: /opt/acme.sh/acme.sh
+    get_checksum: true
+    checksum_algorithm: sha256
+  register: acme_sh_stat
 
-# Temporary https://github.com/acmesh-official/acme.sh/issues/4659 fix
-# until we can upgrade to 3.0.6 or later
-- name: Patch for issue 4659
-  shell: |
-    git -C /opt/acme.sh cherry-pick 4c30250
-    git -C /opt/acme.sh cherry-pick 327e2fb
+- name: Install acme.sh if not already up to date
+  when: not acme_sh_stat.stat.exists or acme_sh_stat.stat.checksum != "5c298a2bd5f90635aef8d013b02b25f34027ad0cb2cef2bdca68f3d13b931216"
+  block:
+    # We only want to update the clone and checkout if things are not already
+    # in place or at the expected versions. This avoids unnecessary daily
+    # git operations and makes us more resilient to full disks.
+    - name: Install acme.sh client
+      git:
+        repo: https://github.com/acmesh-official/acme.sh
+        dest: /opt/acme.sh
+        # Pinned due to https://github.com/acmesh-official/acme.sh/issues/4416
+        version: 3.0.5
+      register: clone_acmesh_result
+      until: clone_acmesh_result is not failed
+      retries: 3
+      delay: 2
+
+    # Temporary https://github.com/acmesh-official/acme.sh/issues/4659 fix
+    # until we can upgrade to 3.0.6 or later
+    - name: Patch for issue 4659
+      shell: |
+        git -C /opt/acme.sh cherry-pick 4c30250
+        git -C /opt/acme.sh cherry-pick 327e2fb
 
 - name: Install letsencrypt group
   group:
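Review bot: The sha256 literal in the new `when:` guard is undocumented, so nothing tells the next maintainer that it has to be recomputed whenever `version: 3.0.5` or the two cherry-picked commits change; if it goes stale the stat never matches and the whole block, including the non-idempotent `shell` cherry-picks, runs on every daily run, which is exactly what the block comment says this change is meant to avoid. Add a comment above the `when:` line such as `# sha256 of /opt/acme.sh/acme.sh at version 3.0.5 with the two cherry-picks below applied; recompute whenever the pinned version or the patch list changes`. That comment should also say that only `acme.sh` itself is checked, so changes to any other file in the clone will not trigger a reinstall, and that a mismatch is handled by re-cloning rather than by failing the play. The cherry-pick task would still benefit from a `changed_when` or a `creates`-style guard, but that is less pressing now that it is gated.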
@@ -24,6 +37,9 @@
 
 - name: Install driver script
   copy:
+    # Because this is a fily copy and not git operations with multiple states
+    # Ansible should successfully determine that the file doesn't need to be
+    # copied after the initial copy unless the file changes.
     src: driver.sh
     dest: /opt/acme.sh/driver.sh
     mode: 0755
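Review bot: The new comment above `src:` has a typo (`fily`) and an awkward sentence; I would change the three lines to `# Because this is a file copy and not a git operation with multiple states,` / `# Ansible should determine that the file doesn't need to be copied again` / `# after the initial copy unless the file changes.`. The claim itself is sound for the copy module, which compares the source and destination before doing anything. Unrelated to this commit, the context line `mode: 0755` is an unquoted octal that YAML 1.1 loaders read as an integer; quoting it as `"0755"` is the usual Ansible convention and could go in a follow-up.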