certman/README.md

# Certwarden Certificate Management

A bash script for managing SSL/TLS certificates through the Certwarden API. This tool provides both automated and interactive interfaces for downloading, installing, and managing certificates on your system.

## Features

- Download and verify certificates and private keys from Certwarden server
- Automatic installation with proper permissions and ownership
- Certificate expiration monitoring
- Interactive menu-driven interface
- Force update option for certificate renewals
- Support for multiple certificates

## Prerequisites

The script requires the following dependencies:
- `curl`: For API interactions
- `jq`: For JSON processing
- `openssl`: For certificate operations

## Installation

1. Clone this repository into `/opt/certman/`:
```bash
git clone https://forge.dmz.skyfritt.net/Skyfritt/certman.git --depth=1 /opt/certman && cd certman
```

2. Rename `example.env` to `.env` and modify as needed:
```bash
# Server Configuration
CERTWARDEN_SERVER="certwarden.dmz.skyfritt.net:443"

# Certificate Paths
CERT_PATH="/etc/certs"
KEY_PATH="/etc/certs"
TEMP_PATH="/tmp/certman"
FULLCHAIN_PEM="true"

# Service Configuration
SERVICE_NAME="nginx"
CERT_OWNER="www-data"
CERT_GROUP="www-data"
CERT_PERMISSIONS="644"
KEY_PERMISSIONS="600"

# Certificate Configurations (JSON format)
# Add as many or few domains as you need (but remember to add or delete the JSON comma!)
CERTIFICATES='[
  {
    "domain": "example-one.com",
    "cert_api_key": "your_cert_api_key",
    "key_api_key": "your_key_api_key"
  }
]'
```

## Usage

### Interactive Mode
Run the script without any arguments
```bash
./certman.sh
```

### Cron Configuration
Add these lines to your crontab for automated certificate management:
```cron
@reboot sleep 15 && /path/to/certman.sh --silent
2 2 * * 7 /opt/certman/certman.sh --silent
```

### Silent Mode
Run the script with the `--silent` flag for a silent certificate check. It will use the options set in the `.env` file.
```bash
./certman.sh --silent
```

### Force Update
Use the `--force` flag to force certificate updates regardless of current status:
```bash
./certman.sh --force
```

### Disable fetching fullchain PEM
Use the `--disable-pem` to only fetch the .key and .crt:
```bash
./certman.sh --disable-pem
```

## Environment Variables

| Variable | Description | Required |
|----------|-------------|----------|
| CERTWARDEN_SERVER | Certwarden API server hostname and port | Yes |
| CERT_PATH | Directory for certificate storage | Yes |
| KEY_PATH | Directory for private key storage | Yes |
| TEMP_PATH | Temporary directory for downloads | Yes |
| FULLCHAIN_PEM | Enabled by default | No |
| SERVICE_NAME | Service to reload after certificate updates | Yes |
| CERT_OWNER | User owner for certificate files | Yes |
| CERT_GROUP | Group owner for certificate files | Yes |
| CERT_PERMISSIONS | Certificate file permissions | Yes |
| KEY_PERMISSIONS | Private key file permissions | Yes |
| CERTIFICATES | JSON array of certificate configurations | Yes |