Merge pull request #653 from smallstep/needs-renewal

systemd cert renewer can now use 'step certificate needs-renewal'
Carl Tashian 2021-07-20 09:38:52 -05:00 committed by GitHub
commit 28acc1b7d2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -15,11 +15,7 @@ Environment=STEPPATH=/etc/step-ca \
; ExecStartPre checks if the certificate is ready for renewal, ; ExecStartPre checks if the certificate is ready for renewal,
; based on the exit status of the command. ; based on the exit status of the command.
; (In systemd 243 and above, you can use ExecCondition= here.) ; (In systemd 243 and above, you can use ExecCondition= here.)
ExecStartPre=/usr/bin/env bash -c \ ExecStartPre=/usr/bin/step certificate needs-renewal $CERT_LOCATION --roots $STEPPATH/certs/root_ca.crt
'step certificate inspect $CERT_LOCATION --format json --roots "$STEPPATH/certs/root_ca.crt" | \
jq -e "(((.validity.start | fromdate) + \
((.validity.end | fromdate) - (.validity.start | fromdate)) * 0.66) \
- now) <= 0" > /dev/null'
; ExecStart renews the certificate, if ExecStartPre was successful. ; ExecStart renews the certificate, if ExecStartPre was successful.
ExecStart=/usr/bin/step ca renew --force $CERT_LOCATION $KEY_LOCATION ExecStart=/usr/bin/step ca renew --force $CERT_LOCATION $KEY_LOCATION
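Review bot: On the new `ExecStartPre=` line, `$STEPPATH/certs/root_ca.crt` is no longer inside a `bash -c` string, so systemd has to expand it itself. systemd.service(5) substitutes the `$VAR` form only when it is a word of its own, and a variable embedded in a longer word needs `${VAR}`. As written, `--roots` will most likely not receive the intended root bundle path. If the pre-check then exits non-zero on every timer run, `ExecStart` never executes and the certificate quietly runs to expiry. I would write `ExecStartPre=/usr/bin/step certificate needs-renewal ${CERT_LOCATION} --roots ${STEPPATH}/certs/root_ca.crt`, which also avoids the whitespace splitting systemd applies to a bare `$CERT_LOCATION`.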