certplane-agent is a one-shot binary. Each run invocation does the minimum work needed to keep certificates current, then exits. Schedule it with a systemd timer (or any scheduler).
CLI
| Command | Purpose |
|---|---|
certplane-agent -c <config> enroll | One-time enrollment. See Agent enrollment. |
certplane-agent -c <config> run | Renew the identity certificate if needed, then renew every service certificate that is in its renew_before window. |
certplane-agent -c <config> check | Validate config and on-disk files without contacting any server. |
-c / --config is required.
What run does
For full detail see How it works. In short, every invocation:
- Acquires
<state_dir>/agent.lock. - Fails fast if
identity.certis missing — you mustenrollfirst. - Renews the identity certificate if it expires within
identity.renew_before(default8h). - For each entry under
certificates[]:- Generates the service key at
keyif missing, reuses it otherwise. - Skips the entry if the existing certificate matches the key and is not within
renew_beforeof expiry. - Otherwise builds a CSR, requests a new bundle from the broker, validates the bundle against the local key and configured DNS names, writes
cert/chain/fullchain, and runsreload_command(subject toreload_timeout, default30s).
- Generates the service key at
systemd unit + timer
Thecertplane_agent Ansible role installs both. By hand:
/etc/systemd/system/certplane-agent.service
/etc/systemd/system/certplane-agent.timer
RandomizedDelaySec spreads load across a fleet — a desirable property when many agents would otherwise renew at the same time.
When does the agent actually call the broker?
Only when a certificate is within itsrenew_before window or missing. On a healthy fleet with renew_before: 720h (30 days) and a 90-day Let’s Encrypt certificate, each host calls the broker roughly once every 60 days. Other timer firings parse the local certificate, see it is not yet due, log certificate skipped, not in renewal window, and exit.
Reload hooks
If a certificate entry setsreload_command, the agent runs it after a successful install — for example systemctl reload nginx. The command runs as the agent’s user (typically certplane), so it usually needs a sudoers rule to reload a system service. See Reload commands.
Logs
The agent logs tostderr by default (configurable under logging). The systemd unit captures that into the journal:
agent run startedservice key generated/service key reusedcertificate skipped, not in renewal windowrequesting certificatecertificate installedreload started/reload completed/reload failedagent run completed
Verifying installed certificates
dns_names. If you ever see a mismatch, the agent refuses to install the bundle.