No description
| .gitignore | ||
| certman.sh | ||
| example.env | ||
| LICENSE | ||
| README.md | ||
Certwarden Certificate Management
A bash script for managing SSL/TLS certificates through the Certwarden API. This tool provides both automated and interactive interfaces for downloading, installing, and managing certificates on your system.
Features
- Download and verify certificates and private keys from Certwarden server
- Automatic installation with proper permissions and ownership
- Certificate and key pair validation
- Service reload after certificate updates
- Certificate expiration monitoring
- Interactive menu-driven interface
- Silent mode for automated operations
- Force update option for certificate renewals
- Proper error handling and logging
- Support for multiple certificates
- Secure temporary file handling
Prerequisites
The script requires the following dependencies:
curl: For API interactionsjq: For JSON processingopenssl: For certificate operations
Installation
- Clone this repository:
git clone <repository-url>
cd certman
- Create a
.envfile with your configuration:
# Server Configuration
CERTWARDEN_SERVER="certwarden.dmz.skyfritt.net:443"
# Certificate Paths
CERT_PATH="/etc/forgejo"
KEY_PATH="/etc/forgejo"
TEMP_PATH="/tmp/certman"
# Service Configuration
SERVICE_NAME="forgejo"
CERT_OWNER="git"
CERT_GROUP="git"
CERT_PERMISSIONS="644"
KEY_PERMISSIONS="600"
# Certificate Configurations (JSON format)
# Add as many or few domains as you need (but remember to add or delete the JSON comma!)
CERTIFICATES='[
{
"domain": "example-one.com",
"cert_api_key": "your_cert_api_key",
"key_api_key": "your_key_api_key"
},
{
"domain": "example-two.com",
"cert_api_key": "your_cert_api_key",
"key_api_key": "your_key_api_key"
}
]'
Usage
Interactive Mode
Run the script without any arguments:
./certman.sh
This will present a menu with the following options:
- Process all certificates
- List installed certificates
- Check certificate expiration
- Force update all certificates
- Exit
Automated Mode
Run the script with the --silent flag for automated operations:
./certman.sh --silent
Force Update
Use the --force flag to force certificate updates regardless of current status:
./certman.sh --force
Flags can be combined:
./certman.sh --silent --force
Fullchain PEM
Use the --fullchain-pem flag to combine certificate and private key into a single PEM file:
./certman.sh --fullchain-pem
### Cron Configuration
Add these lines to your crontab for automated certificate management:
```cron
@reboot sleep 15 && /path/to/certman.sh --silent
5 4 * * 2 /path/to/certman.sh --silent
Environment Variables
| Variable | Description | Required |
|---|---|---|
| CERTWARDEN_SERVER | Certwarden API server hostname and port | Yes |
| CERT_PATH | Directory for certificate storage | Yes |
| KEY_PATH | Directory for private key storage | Yes |
| TEMP_PATH | Temporary directory for downloads | Yes |
| FULLCHAIN_PEM | Optional: Combine cert and key into single PEM file | No |
| SERVICE_NAME | Service to reload after certificate updates | Yes |
| CERT_OWNER | User owner for certificate files | Yes |
| CERT_GROUP | Group owner for certificate files | Yes |
| CERT_PERMISSIONS | Certificate file permissions | Yes |
| KEY_PERMISSIONS | Private key file permissions | Yes |
| CERTIFICATES | JSON array of certificate configurations | Yes |
Security Considerations
- Store the script and
.envfile in a secure location with restricted permissions - Use appropriate permissions for certificate and key files
- Keep API keys secure and rotate them periodically
- Run the script as a user with appropriate privileges
- Temporary files are automatically cleaned up using secure practices
- Certificate and key pairs are validated before installation