Cleaned up before merge

README.md

@@ -6,15 +6,10 @@ A bash script for managing SSL/TLS certificates through the Certwarden API. This
 
 - Download and verify certificates and private keys from Certwarden server
 - Automatic installation with proper permissions and ownership
-- Certificate and key pair validation
-- Service reload after certificate updates
 - Certificate expiration monitoring
 - Interactive menu-driven interface
-- Silent mode for automated operations
 - Force update option for certificate renewals
-- Proper error handling and logging
 - Support for multiple certificates
-- Secure temporary file handling
 
 ## Prerequisites
 
@@ -25,26 +20,26 @@ The script requires the following dependencies:
 
 ## Installation
 
-1. Clone this repository:
+1. Clone this repository into `/opt/certman/`:
 ```bash
-git clone <repository-url>
+git clone https://forge.dmz.skyfritt.net/Skyfritt/certman.git --depth=1 /opt/certman && cd certman
-cd certman
 ```
 
-2. Create a `.env` file with your configuration:
+2. Rename `example.env` to `.env` and modify as needed:
 ```bash
 # Server Configuration
 CERTWARDEN_SERVER="certwarden.dmz.skyfritt.net:443"
 
 # Certificate Paths
-CERT_PATH="/etc/forgejo"
+CERT_PATH="/etc/certs"
-KEY_PATH="/etc/forgejo"
+KEY_PATH="/etc/certs"
 TEMP_PATH="/tmp/certman"
+FULLCHAIN_PEM="true"
 
 # Service Configuration
-SERVICE_NAME="forgejo"
+SERVICE_NAME="nginx"
-CERT_OWNER="git"
+CERT_OWNER="www-data"
-CERT_GROUP="git"
+CERT_GROUP="www-data"
 CERT_PERMISSIONS="644"
 KEY_PERMISSIONS="600"
 
@@ -55,11 +50,6 @@ CERTIFICATES='[
     "domain": "example-one.com",
     "cert_api_key": "your_cert_api_key",
     "key_api_key": "your_key_api_key"
-  },
-  {
-    "domain": "example-two.com",
-    "cert_api_key": "your_cert_api_key",
-    "key_api_key": "your_key_api_key"
   }
 ]'
 ```
@@ -67,20 +57,20 @@ CERTIFICATES='[
 ## Usage
 
 ### Interactive Mode
-Run the script without any arguments:
+Run the script without any arguments
 ```bash
 ./certman.sh
 ```
 
-This will present a menu with the following options:
+### Cron Configuration
-1. Process all certificates
+Add these lines to your crontab for automated certificate management:
-2. List installed certificates
+```cron
-3. Check certificate expiration
+@reboot sleep 15 && /path/to/certman.sh --silent
-4. Force update all certificates
+2 2 * * 7 /opt/certman/certman.sh --silent
-5. Exit
+```
 
-### Automated Mode
+### Silent Mode
-Run the script with the `--silent` flag for automated operations:
+Run the script with the `--silent` flag for a silent certificate check. It will use the options set in the `.env` file.
 ```bash
 ./certman.sh --silent
 ```
@@ -91,21 +81,10 @@ Use the `--force` flag to force certificate updates regardless of current status
 ./certman.sh --force
 ```
 
-Flags can be combined:
+### Disable fetching fullchain PEM
+Use the `--disable-pem` to only fetch the .key and .crt:
 ```bash
-./certman.sh --silent --force
+./certman.sh --disable-pem
-```
-
-### Fullchain PEM
-Use the `--fullchain-pem` flag to combine certificate and private key into a single PEM file:
-```bash
-./certman.sh --fullchain-pem
-
-### Cron Configuration
-Add these lines to your crontab for automated certificate management:
-```cron
-@reboot sleep 15 && /path/to/certman.sh --silent
-5 4 * * 2 /path/to/certman.sh --silent
 ```
 
 ## Environment Variables
@@ -116,19 +95,10 @@ Add these lines to your crontab for automated certificate management:
 | CERT_PATH | Directory for certificate storage | Yes |
 | KEY_PATH | Directory for private key storage | Yes |
 | TEMP_PATH | Temporary directory for downloads | Yes |
-| FULLCHAIN_PEM | Optional: Combine cert and key into single PEM file | No |
+| FULLCHAIN_PEM | Enabled by default | No |
 | SERVICE_NAME | Service to reload after certificate updates | Yes |
 | CERT_OWNER | User owner for certificate files | Yes |
 | CERT_GROUP | Group owner for certificate files | Yes |
 | CERT_PERMISSIONS | Certificate file permissions | Yes |
 | KEY_PERMISSIONS | Private key file permissions | Yes |
 | CERTIFICATES | JSON array of certificate configurations | Yes |
-
-## Security Considerations
-
-- Store the script and `.env` file in a secure location with restricted permissions
-- Use appropriate permissions for certificate and key files
-- Keep API keys secure and rotate them periodically
-- Run the script as a user with appropriate privileges
-- Temporary files are automatically cleaned up using secure practices
-- Certificate and key pairs are validated before installation

certman.sh

@@ -26,7 +26,7 @@ load_env || exit 1
 
 AUTO_MODE="false"
 FORCE_UPDATE="false"
-FULLCHAIN_PEM="${FULLCHAIN_PEM:-false}"
+FULLCHAIN_PEM="${FULLCHAIN_PEM:-true}"
 
 while [[ $# -gt 0 ]]; do
     case $1 in
@@ -38,8 +38,8 @@ while [[ $# -gt 0 ]]; do
             FORCE_UPDATE="true"
             shift
             ;;
-        --fullchain-pem)
+        --disable-pem)
-            FULLCHAIN_PEM="true"
+            FULLCHAIN_PEM="false"
             shift
             ;;
         *)

example.env

@@ -1,19 +1,19 @@
 CERTWARDEN_SERVER="certwarden.dmz.skyfritt.net:443"
 
 # Certificate Paths
-CERT_PATH="/etc/forgejo"
+CERT_PATH="/etc/certs"
-KEY_PATH="/etc/forgejo"
+KEY_PATH="/etc/certs"
 TEMP_PATH="/tmp/certman"
-# FULLCHAIN_PEM=true
 
 # Service Configuration
-SERVICE_NAME="forgejo"
+SERVICE_NAME="nginx"
-CERT_OWNER="git"
+CERT_OWNER="www-data"
-CERT_GROUP="git"
+CERT_GROUP="www-data"
 CERT_PERMISSIONS="644"
 KEY_PERMISSIONS="600"
 
 # Certificate Configurations (JSON format)
+# Add as many or few domains as you need (but remember to add or delete the JSON comma!)
 CERTIFICATES='[
   {
     "domain": "example.com",
@@ -21,6 +21,3 @@ CERTIFICATES='[
     "key_api_key": "your_key_api_key"
   }
 ]'
-
-# Optional: Auto mode configuration
-AUTO_MODE="false"