From d83ca96d2a37f3846280c739637b994cb7cfb8c6 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Tue, 23 Nov 2021 18:12:31 -0800
Subject: [PATCH] Fixes #757
---
 systemd/README.md | 2 +-
 systemd/cert-renewer@.service | 29 -----------------------------
 systemd/cert-renewer@.timer | 18 ------------------
 3 files changed, 1 insertion(+), 48 deletions(-)
 delete mode 100644 systemd/cert-renewer@.service
 delete mode 100644 systemd/cert-renewer@.timer
diff --git a/systemd/README.md b/systemd/README.md
index 97aa18dd..9ae6e76a 100644
--- a/systemd/README.md
+++ b/systemd/README.md
@@ -2,4 +2,4 @@
 For documentation on `step-ca.service`, see [Running `step-ca` As A Daemon](https://smallstep.com/docs/step-ca/certificate-authority-server-production#running-step-ca-as-a-daemon).
-For documentation on `cert-renewer@.*`, see [Automating Certificate Renewal](https://smallstep.com/docs/step-ca/certificate-authority-server-production#automate-x509-certificate-lifecycle-management)
+See also: There is a systemd certificate renewal timer, in the [`systemd` directory of `smallstep/cli`](https://github.com/smallstep/cli/tree/master/systemd).
diff --git a/systemd/cert-renewer@.service b/systemd/cert-renewer@.service
deleted file mode 100644
index 2a70d1f9..00000000
--- a/systemd/cert-renewer@.service
+++ /dev/null
@@ -1,29 +0,0 @@
-[Unit]
-Description=Certificate renewer for %I
-After=network-online.target
-Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
-StartLimitIntervalSec=0
-
-[Service]
-Type=oneshot
-User=root
-
-Environment=STEPPATH=/etc/step-ca \
- CERT_LOCATION=/etc/step/certs/%i.crt \
- KEY_LOCATION=/etc/step/certs/%i.key
-
-; ExecCondition checks if the certificate is ready for renewal,
-; based on the exit status of the command.
-; (In systemd <242, you can use ExecStartPre= here.)
-ExecCondition=/usr/bin/step certificate needs-renewal ${CERT_LOCATION}
-
-; ExecStart renews the certificate, if ExecStartPre was successful.
-ExecStart=/usr/bin/step ca renew --force ${CERT_LOCATION} ${KEY_LOCATION}
-
-; Try to reload or restart the systemd service that relies on this cert-renewer
-; If the relying service doesn't exist, forge ahead.
-; (In systemd <229, use `reload-or-try-restart` instead of `try-reload-or-restart`)
-ExecStartPost=/usr/bin/env sh -c "! systemctl --quiet is-enabled %i.service || systemctl try-reload-or-restart %i"
-
-[Install]
-WantedBy=multi-user.target
diff --git a/systemd/cert-renewer@.timer b/systemd/cert-renewer@.timer
deleted file mode 100644
index 806f3407..00000000
--- a/systemd/cert-renewer@.timer
+++ /dev/null
@@ -1,18 +0,0 @@
-[Unit]
-Description=Certificate renewal timer for %I
-Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
-
-[Timer]
-Persistent=true
-
-; Run the timer unit every 5 minutes.
-OnCalendar=*:1/5
-
-; Always run the timer on time.
-AccuracySec=1us
-
-; Add jitter to prevent a "thundering hurd" of simultaneous certificate renewals.
-RandomizedDelaySec=5m
-
-[Install]
-WantedBy=timers.target