Dustin C. Hatch
f0cb63b38a
Delaying the _ssh-host-cert-sign@.service_ units starting until after the clock is synchronized ends up causing _sshd.service_ to start way before the host certififcates are available. This prevents the SSH daemon from using the host certificates until it is explicitly reloaded, so clients will not be able to verify the server's authenticity automatically on first boot. To ensure that clients (read: Ansible) will be able to connect to the server when it first boots without any manual interaction, we need to delay the _sshd.service_ unit starting until the certificate files are present. I think this can actually happen to any server, not just a Raspberry Pi, but it definitely always happens on Pis. I may eventually apply this change to the `ssh-host-cert-sign@.service` template unit file in the _sshca-cli-systemd_ package, if it turns out to be a more common problem.