Implement a post-renewal hook script
Sometimes, after a certificate is renewed, you may want to do something with the new certificate. For example, you may want to change the ownership of the certificate or key files, use these files for some other cryptographic purpose (e.g. creating a `.p12` file) or some other action.

This change allows for a renewal script to be created by specifying commands with the `step_acme_cert_post_renewal_commands` variable.

An example of this is for provisioning a certificate for UniFi's Controller. The following configuration will update unifi's jks and restart the service after the certificate is renewed:

```yaml
step_acme_cert_post_renewal_commands:
  - openssl pkcs12 -export -in "${CERT_FILE}" -inkey "${KEY_FILE}" -out /etc/ssl/cert.p12 -name unifi -password pass:aircontrolenterprise
  - keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -srckeystore /etc/ssl/cert.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias unifi
  - systemctl restart unifi
```

In the example above, I am using `systemctl restart unifi` as the last command, because I have experienced issues with `systemctl try-reload-or-restart` for this specific service. For a more 'normal' service, the following should work:

```yaml
step_acme_cert_post_renewal_commands:
  - do_something ${CERT_FILE} ${KEY_FILE}
step_acme_cert_renewal_reload_services:
  - some_service
```

The variables `${STEP_CLI}`, `${CERT_FILE}`, and `${KEY_FILE}` are all exported in the script by default, and are available for use in the commands.

`systemctl try-reload-or-restart {{step_acme_cert_renewal_reload_services}}` has been removed from the `ExecStart` command in the systemd unit file, and is appended to the end of this post-renewal hook script. If no `step_acme_cert_renewal_reload_services` or `step_acme_cert_post_renewal_commands` are provided, the post-renew-hook script is not created.

This change is backwards compatible, and will not break existing configurations.

Signed-off-by: Tom Whitwell <[email protected]>
Showing 6 changed files with 50 additions and 1 deletion.
@@ -0,0 +1,12 @@ | ||
#!{{ step_acme_cert_post_renewal_shell }} | ||
####### added by ansible: maxhoesel.smallstep.step_acme_cert - changes will be overwritten ####### | ||
set -eu | ||
export STEP_CLI="{{ step_cli_executable_absolute.stdout }}" | ||
export CERT_FILE="{{ step_acme_cert_certfile_full.path }}" | ||
export KEY_FILE="{{ step_acme_cert_keyfile_full.path }}" | ||
{% for command in step_acme_cert_post_renewal_commands -%} | ||
{{ command }} | ||
{% endfor -%} | ||
{% if step_acme_cert_renewal_reload_services -%} | ||
systemctl try-reload-or-restart {{ step_acme_cert_renewal_reload_services | join(' ') }} | ||
{% endif -%} |
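Review bot: because the script opens with `set -eu`, a non-zero exit from any rendered `{{ command }}` line aborts the hook before the trailing `systemctl try-reload-or-restart ...` line runs, so a failed conversion step leaves the listed services on the old certificate with no reload; that is a defensible choice, but it deserves a comment in the template and a sentence in the role docs, since the reload used to be unconditional in `ExecStart`. The `{% for command in step_acme_cert_post_renewal_commands -%}` loop also assumes the variable is always defined; unless the role defaults set it to an empty list, rendering fails when only `step_acme_cert_renewal_reload_services` is given. Finally, both the command lines and the `join(' ')` service list are emitted verbatim into a shell script that runs with the renewal unit's privileges, so the docs should state that these values are trusted shell text, not quoted arguments.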