From 22ef324534cee45f3b231b32347155ca818377d0 Mon Sep 17 00:00:00 2001
From: Carl Tashian <carl@smallstep.com>
Date: Wed, 21 Jul 2021 11:49:10 -0500
Subject: [PATCH] Fix needs-renewal condition and switch to using ExecCondition

---
 systemd/cert-renewer@.service | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/systemd/cert-renewer@.service b/systemd/cert-renewer@.service
index 7c4c4e3c..5b56f5fc 100644
--- a/systemd/cert-renewer@.service
+++ b/systemd/cert-renewer@.service
@@ -12,10 +12,10 @@ Environment=STEPPATH=/etc/step-ca \
             CERT_LOCATION=/etc/step/certs/%i.crt \
             KEY_LOCATION=/etc/step/certs/%i.key
 
-; ExecStartPre checks if the certificate is ready for renewal,
+; ExecCondition checks if the certificate is ready for renewal,
 ; based on the exit status of the command.
-; (In systemd 243 and above, you can use ExecCondition= here.)
-ExecStartPre=/usr/bin/step certificate needs-renewal $CERT_LOCATION --roots $STEPPATH/certs/root_ca.crt
+; (In systemd 242 or below, you can use ExecStartPre= here.)
+ExecCondition=/usr/bin/step certificate needs-renewal $CERT_LOCATION
 
 ; ExecStart renews the certificate, if ExecStartPre was successful.
 ExecStart=/usr/bin/step ca renew --force $CERT_LOCATION $KEY_LOCATION