From 3e5b90b6fac1e33a0bf6db24ec9a2af87dec234f Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 19 Jul 2021 08:34:22 -0500
Subject: [PATCH] systemd cert renewer can now use 'step certificate needs-renewal'
---
 systemd/cert-renewer@.service | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/systemd/cert-renewer@.service b/systemd/cert-renewer@.service
index f38951b5..7c4c4e3c 100644
--- a/systemd/cert-renewer@.service
+++ b/systemd/cert-renewer@.service
@@ -15,11 +15,7 @@ Environment=STEPPATH=/etc/step-ca \
 ; ExecStartPre checks if the certificate is ready for renewal,
 ; based on the exit status of the command.
 ; (In systemd 243 and above, you can use ExecCondition= here.)
-ExecStartPre=/usr/bin/env bash -c \
- 'step certificate inspect $CERT_LOCATION --format json --roots "$STEPPATH/certs/root_ca.crt" | \
- jq -e "(((.validity.start | fromdate) + \
- ((.validity.end | fromdate) - (.validity.start | fromdate)) * 0.66) \
- - now) <= 0" > /dev/null'
+ExecStartPre=/usr/bin/step certificate needs-renewal $CERT_LOCATION --roots $STEPPATH/certs/root_ca.crt
 ; ExecStart renews the certificate, if ExecStartPre was successful.
 ExecStart=/usr/bin/step ca renew --force $CERT_LOCATION $KEY_LOCATION
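Review bot: The new `ExecStartPre=` line relies on systemd's own variable substitution now that `bash -c` is gone, and the unbraced `$STEPPATH/certs/root_ca.crt` is not the documented form for a variable used inside a word. systemd documents `${VAR}` for that case and splits a bare `$VAR` word at whitespace, so the `--roots` path may not expand on every systemd version and a certificate path containing a space would become two arguments. I would write it as `ExecStartPre=/usr/bin/step certificate needs-renewal ${CERT_LOCATION} --roots ${STEPPATH}/certs/root_ca.crt`. Because ExecStartPre treats every non-zero exit alike, a failure to read the certificate or roots file looks the same as "not due yet", so certificate expiry should also be monitored independently of this unit. The `[Service]` section and the `Environment=` assignments these variables come from begin outside the hunk.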