2021-01-28 01:29:29 +00:00
|
|
|
[Unit]
|
|
|
|
Description=Certificate renewer for %I
|
|
|
|
After=network-online.target
|
|
|
|
Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
|
|
|
|
StartLimitIntervalSec=0
|
|
|
|
|
|
|
|
[Service]
|
|
|
|
Type=oneshot
|
|
|
|
User=root
|
|
|
|
|
|
|
|
Environment=STEPPATH=/etc/step-ca \
|
|
|
|
CERT_LOCATION=/etc/step/certs/%i.crt \
|
|
|
|
KEY_LOCATION=/etc/step/certs/%i.key
|
|
|
|
|
|
|
|
; ExecStartPre checks if the certificate is ready for renewal,
|
|
|
|
; based on the exit status of the command.
|
|
|
|
; (In systemd 243 and above, you can use ExecCondition= here.)
|
2021-03-17 00:08:20 +00:00
|
|
|
ExecStartPre=/usr/bin/env bash -c \
|
2021-01-28 01:29:29 +00:00
|
|
|
'step certificate inspect $CERT_LOCATION --format json --roots "$STEPPATH/certs/root_ca.crt" | \
|
|
|
|
jq -e "(((.validity.start | fromdate) + \
|
|
|
|
((.validity.end | fromdate) - (.validity.start | fromdate)) * 0.66) \
|
|
|
|
- now) <= 0" > /dev/null'
|
|
|
|
|
|
|
|
; ExecStart renews the certificate, if ExecStartPre was successful.
|
|
|
|
ExecStart=/usr/bin/step ca renew --force $CERT_LOCATION $KEY_LOCATION
|
|
|
|
|
|
|
|
; Try to reload or restart the systemd service that relies on this cert-renewer
|
2021-03-17 00:08:20 +00:00
|
|
|
; If the relying service doesn't exist, forge ahead.
|
2021-05-03 23:18:56 +00:00
|
|
|
ExecStartPost=/usr/bin/env bash -c "if ! systemctl --quiet is-enabled %i.service ; then exit 0; fi; systemctl try-reload-or-restart %i"
|
2021-01-28 01:29:29 +00:00
|
|
|
|
|
|
|
[Install]
|
|
|
|
WantedBy=multi-user.target
|