Fixes #757

2021-11-23 18:12:31 -08:00 · 2021-11-23 18:12:31 -08:00 · d83ca96d2a
commit d83ca96d2a
parent a067b3acad
3 changed files with 1 additions and 48 deletions
--- a/systemd/README.md
+++ b/systemd/README.md
@ -2,4 +2,4 @@
 For documentation on `step-ca.service`, see [Running `step-ca` As A Daemon](https://smallstep.com/docs/step-ca/certificate-authority-server-production#running-step-ca-as-a-daemon).
-For documentation on `cert-renewer@.*`, see [Automating Certificate Renewal](https://smallstep.com/docs/step-ca/certificate-authority-server-production#automate-x509-certificate-lifecycle-management)
+See also: There is a systemd certificate renewal timer, in the [`systemd` directory of `smallstep/cli`](https://github.com/smallstep/cli/tree/master/systemd).
--- a/systemd/cert-renewer@.service
+++ b/systemd/cert-renewer@.service
@ -1,29 +0,0 @@
 [Unit]
 Description=Certificate renewer for %I
 After=network-online.target
 Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
 StartLimitIntervalSec=0
 [Service]
 Type=oneshot
 User=root
 Environment=STEPPATH=/etc/step-ca \
            CERT_LOCATION=/etc/step/certs/%i.crt \
            KEY_LOCATION=/etc/step/certs/%i.key
 ; ExecCondition checks if the certificate is ready for renewal,
 ; based on the exit status of the command.
 ; (In systemd <242, you can use ExecStartPre= here.)
 ExecCondition=/usr/bin/step certificate needs-renewal ${CERT_LOCATION}
 ; ExecStart renews the certificate, if ExecStartPre was successful.
 ExecStart=/usr/bin/step ca renew --force ${CERT_LOCATION} ${KEY_LOCATION}
 ; Try to reload or restart the systemd service that relies on this cert-renewer
 ; If the relying service doesn't exist, forge ahead.
 ; (In systemd <229, use `reload-or-try-restart` instead of `try-reload-or-restart`)
 ExecStartPost=/usr/bin/env sh -c "! systemctl --quiet is-enabled %i.service || systemctl try-reload-or-restart %i"
 [Install]
 WantedBy=multi-user.target
--- a/systemd/cert-renewer@.timer
+++ b/systemd/cert-renewer@.timer
@ -1,18 +0,0 @@
 [Unit]
 Description=Certificate renewal timer for %I
 Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
 [Timer]
 Persistent=true
 ; Run the timer unit every 5 minutes.
 OnCalendar=*:1/5
 ; Always run the timer on time.
 AccuracySec=1us
 ; Add jitter to prevent a "thundering hurd" of simultaneous certificate renewals.
 RandomizedDelaySec=5m
 [Install]
 WantedBy=timers.target
`@ -2,4 +2,4 @@`

	For documentation on `step-ca.service`, see [Running `step-ca` As A Daemon](https://smallstep.com/docs/step-ca/certificate-authority-server-production#running-step-ca-as-a-daemon).	For documentation on `step-ca.service`, see [Running `step-ca` As A Daemon](https://smallstep.com/docs/step-ca/certificate-authority-server-production#running-step-ca-as-a-daemon).

	For documentation on `cert-renewer@.*`, see [Automating Certificate Renewal](https://smallstep.com/docs/step-ca/certificate-authority-server-production#automate-x509-certificate-lifecycle-management)	See also: There is a systemd certificate renewal timer, in the [`systemd` directory of `smallstep/cli`](https://github.com/smallstep/cli/tree/master/systemd).