'step ca renew' shell exit codes #2158

Open
tashian opened this issue Feb 5, 2025 · 0 comments
@tashian
Contributor

tashian commented Feb 5, 2025

Discussed in #2157

Originally posted by kotfu February 4, 2025
I use bacula to backup all the virtual machines in my home lab. I've had TLS running with all the bacula services for years, using a CA created by hand using openssl. I'm now migrating to step ca so I can more easily automate renewals. My bacula config uses 3 different certificates, with various combinations of these certificates used by 3 different bacula daemons.

I'm using a cron job to run a script to renew my certificates. The script uses step ca renew to attempt renewal of each of the 3 certificates. I need logic in my script to decide which daemons to restart depending on which of the certificates have been renewed. Because of the particulars of this use case, I would like to avoid using --exec so I don't have to restart these daemons multiple times.

With all that context, here's my question/idea. I want step ca renew to return a shell exit code of 0 if the certificate is renewed, a shell exit code of 1 if it isn't, and a shell exit code of 2 if there is a command line argument parsing problem. Right now, step ca renew returns an exit code of 0 whether the cert was renewed or not. As a result, I can only think of two ways to tell whether step ca renew has successfully renewed the certificate:

  1. Hash the cert file before I run step ca renew, and hash it again after, if the hash isn't the same, then the cert has been renewed
  2. Capture stderr and parse the message generated by step ca renew to figure out if it thinks it has written a new certificate

Both of them are possible, but a little janky. If step ca renew returned a different exit code on renewal or non-renewal, then you could write something like:

$ step ca renew --force file.crt file.key && logger -t step-ca renewing file.crt

which is really convenient. It also lets me do this in a script:

step ca renew --force file.crt file.key 2>/dev/null
if [ "$?" -eq 0 ]; then
    # do my fancy logic to figure out if this or other certs have been renewed and restart appropriate daemons
fi
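The first workaround described in the post (hash the certificate before and after the renew call, since the exit code is 0 either way), as an added example that is not part of the issue or of the step CLI. It assumes coreutils sha256sum, systemd, and the hypothetical cert-to-daemon layout in CERT_MAP; adjust both to your own bacula setup.

```shell
#!/bin/sh
# Added example (not from the issue or step-cli): detect renewals by hashing
# the cert file before and after "step ca renew", then restart only the
# bacula daemons whose certificate actually changed. Assumes coreutils
# sha256sum, systemd, and the assumed layout in CERT_MAP below.

# Print the SHA-256 of a file, or nothing if it does not exist.
cert_hash() {
    if [ -f "$1" ]; then sha256sum "$1" | cut -d' ' -f1; fi
}

# renew_and_check CERT KEY CMD...: run "CMD... CERT KEY" and return 0 only if
# the certificate file's contents changed (step ca renew exits 0 either way).
renew_and_check() {
    cert=$1; key=$2; shift 2
    before=$(cert_hash "$cert")
    "$@" "$cert" "$key" 2>/dev/null || return 1
    after=$(cert_hash "$cert")
    [ -n "$after" ] && [ "$before" != "$after" ]
}

# Assumed mapping (one per line): cert:key:comma-separated daemons using it.
CERT_MAP="
/etc/bacula/certs/dir.crt:/etc/bacula/certs/dir.key:bacula-dir
/etc/bacula/certs/sd.crt:/etc/bacula/certs/sd.key:bacula-sd,bacula-dir
/etc/bacula/certs/fd.crt:/etc/bacula/certs/fd.key:bacula-fd,bacula-dir
"

# daemons_to_restart CMD...: renew every cert in CERT_MAP with CMD and print
# the de-duplicated, space-separated list of daemons that need a restart.
daemons_to_restart() {
    restart=""
    for entry in $CERT_MAP; do
        cert=${entry%%:*}; rest=${entry#*:}
        key=${rest%%:*}; daemons=${rest#*:}
        renew_and_check "$cert" "$key" "$@" || continue
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            case " $restart " in *" $d "*) ;; *) restart="$restart $d" ;; esac
        done
    done
    echo "${restart# }"
}

# Stand-alone use from cron: ./renew-bacula.sh --run
if [ "${1:-}" = "--run" ]; then
    for d in $(daemons_to_restart step ca renew --force); do
        logger -t step-ca "restarting $d after certificate renewal"
        systemctl restart "$d"
    done
fi
```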