Description
Discussed in #2157
Originally posted by kotfu February 4, 2025
I use bacula to back up all the virtual machines in my home lab. I've had TLS running with all the bacula services for years, using a CA created by hand using `openssl`. I'm now migrating to step ca so I can more easily automate renewals. My bacula config uses 3 different certificates, with various combinations of these certificates used by 3 different bacula daemons.
I'm using a cron job to run a script to renew my certificates. The script uses `step ca renew` to attempt renewal of each of the 3 certificates. I need logic in my script to decide which daemons to restart depending on which of the certificates have been renewed. Because of the particulars of this use case, I would like to avoid using `--exec` so I don't have to restart these daemons multiple times.
With all that context, here's my question/idea. I want `step ca renew` to return a shell exit code of 0 if the certificate is renewed, a shell exit code of 1 if it isn't, and a shell exit code of 2 if there is a command line argument parsing problem. Right now, `step ca renew` returns an exit code of 0 whether the cert was renewed or not. As a result, I can only think of two ways to tell whether `step ca renew` has successfully renewed the certificate:
- Hash the cert file before I run `step ca renew`, and hash it again after; if the hash isn't the same, then the cert has been renewed
- Capture stderr and parse the message generated by `step ca renew` to figure out if it thinks it has written a new certificate
Both of them are possible, but a little janky. If `step ca renew` returned a different exit code on renewal or non-renewal, then you could write something like:

```shell
$ step ca renew --force file.crt file.key && logger -t step-ca renewing file.crt
```
which is really convenient. It also lets me do this in a script:

```shell
step ca renew --force file.crt file.key 2>/dev/null
if [ "$?" -eq 0 ]; then
    # do my fancy logic to figure out if this or other certs have been renewed and restart appropriate daemons
fi
```
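The hash-before/hash-after workaround described in the post, written out as a cron-friendly script; this is an added example, not code from the post or from the step project. The cert names (`dir`, `sd`, `fd`), the cert directory, and the daemon-to-cert mapping are hypothetical.

```shell
#!/bin/sh
# step ca renew exits 0 whether or not it renewed, so compare the cert's hash
# before and after the call. Mapping and paths below are hypothetical.
# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}
# renew_if_changed CRT KEY RENEW_CMD [ARGS...]  -- runs "RENEW_CMD ARGS... CRT KEY";
# returns 0 if CRT's contents changed, 1 if unchanged, 2 if the command itself failed.
renew_if_changed() {
    crt=$1; key=$2; shift 2
    before=$(file_hash "$crt")
    "$@" "$crt" "$key" || return 2
    after=$(file_hash "$crt")
    [ "$before" != "$after" ]
}
# daemons_to_restart "cert1 cert2 ..." -- prints each daemon (once) that loads
# any of the changed certs. The daemon:certs mapping is a hypothetical layout.
daemons_to_restart() {
    changed=" $1 "
    for entry in "bacula-dir:dir.crt" "bacula-sd:sd.crt dir.crt" "bacula-fd:fd.crt"; do
        daemon=${entry%%:*}
        for c in ${entry#*:}; do
            case "$changed" in
                *" $c "*) echo "$daemon"; break ;;
            esac
        done
    done
}
# Cron entry point: renew every cert, then restart each affected daemon once.
renew_all() {
    certdir=/etc/bacula/certs          # hypothetical cert directory
    changed=""
    for name in dir sd fd; do
        if renew_if_changed "$certdir/$name.crt" "$certdir/$name.key" \
                step ca renew --force 2>/dev/null; then
            logger -t step-ca "renewed $name.crt"
            changed="$changed $name.crt"
        fi
    done
    for d in $(daemons_to_restart "$changed"); do
        systemctl restart "$d"
    done
}
```

Source this file from the cron script and call `renew_all`; each daemon is restarted at most once per run regardless of how many of its certs changed.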