Commit
Implement a post-renewal hook script
Sometimes, after a certificate is renewed, you may want to do something with the new certificate. For example, you may want to restart a web server or reload a configuration file. This change allows for a renewal script to be created by specifying commands in the `step_acme_cert_post_renewal_commands` variable.

An example of this is for provisioning a certificate for UniFi's Controller. The following configuration will update unifi's jks and restart the service after the certificate is renewed:

```yaml
step_acme_cert_post_renewal_commands:
  - openssl pkcs12 -export -in "${CERT_FILE}" -inkey "${KEY_FILE}" -out /etc/ssl/cert.p12 -name unifi -password pass:aircontrolenterprise
  - keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -srckeystore /etc/ssl/cert.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias unifi
  - systemctl restart unifi
```

`systemctl try-reload-or-restart {{step_acme_cert_renewal_reload_services}}` has been removed from the `ExecStart` command in the systemd unit file, and is appended to the end of this post-renewal hook script. In the example above, I am using `systemctl restart unifi` as the last command, because I have experienced issues with `systemctl try-reload-or-restart` for this specific service.

For a 'more normal' service, the following should work:

```yaml
step_acme_cert_post_renewal_commands:
  - do_something ${CERT_FILE} ${KEY_FILE}
step_acme_cert_renewal_reload_services:
  - some_service
```

The variables `${STEP_CLI}`, `${CERT_FILE}`, and `${KEY_FILE}` are all exported in the script by default, and are available for use in the commands.

This change is backwards compatible, and will not break existing configurations.

Signed-off-by: Tom Whitwell <[email protected]>
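The commit describes the shape of the generated hook (exported `STEP_CLI`, `CERT_FILE` and `KEY_FILE`, the configured commands, then `systemctl try-reload-or-restart` for the reload services) but the template itself is not on this page. The script below is an added example in that shape, not the role's own template: the default paths, the `do_something` command and the `some_service` unit are placeholders taken from the commit message, and the `RUN_POST_RENEWAL_HOOK` guard is an assumption so the functions can be exercised without running the hook. It adds one check a practitioner wants before any service is reloaded: the renewed certificate must actually match the private key, so a partial write or a wrong path does not take the service down or leave it serving a stale pair.

```shell
#!/bin/sh
# Added example of a post-renewal hook in the layout the commit describes.
# The real role renders this from Ansible variables; the template is not
# shown on the page, so everything here is an assumption about that shape.
set -eu

# Values the role exports for the configured commands (default paths assumed).
STEP_CLI="${STEP_CLI:-/usr/bin/step}"
CERT_FILE="${CERT_FILE:-/etc/ssl/step.crt}"
KEY_FILE="${KEY_FILE:-/etc/ssl/step.key}"
export STEP_CLI CERT_FILE KEY_FILE

# Returns 0 when the certificate in $1 carries the public key of the private
# key in $2, 1 otherwise (including unreadable or malformed files).
cert_key_match() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 1
    cert_hash=$(printf '%s\n' "$cert_pub" | openssl dgst -sha256)
    key_hash=$(printf '%s\n' "$key_pub" | openssl dgst -sha256)
    [ "$cert_hash" = "$key_hash" ]
}

# Runs one configured command through the shell so that the exported
# variables expand, and stops the hook on the first failure.
run_hook_command() {
    echo "post-renewal: running: $1"
    sh -c "$1" || { echo "post-renewal: command failed: $1" >&2; return 1; }
}

main() {
    # Refuse to touch any service when the pair is inconsistent.
    if ! cert_key_match "$CERT_FILE" "$KEY_FILE"; then
        echo "post-renewal: $CERT_FILE does not match $KEY_FILE; not reloading" >&2
        exit 1
    fi
    # step_acme_cert_post_renewal_commands, one call per configured entry
    # (placeholder command from the commit message).
    run_hook_command 'do_something "${CERT_FILE}" "${KEY_FILE}"'
    # step_acme_cert_renewal_reload_services, appended last as the commit
    # describes (placeholder unit name from the commit message).
    systemctl try-reload-or-restart some_service
}

# Guard (assumed) so the file can be sourced for its functions without
# running the hook; the renewal timer would run it with the variable set.
if [ "${RUN_POST_RENEWAL_HOOK:-0}" = 1 ]; then
    main "$@"
fi
```

Running the configured commands with `sh -c` is what lets `${CERT_FILE}` and `${KEY_FILE}` expand exactly as in the YAML examples above; the match check compares SHA-256 digests of the two PEM-encoded public keys rather than the files themselves, so it works for any key type `openssl pkey` understands.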