From 819826f7fe221d458b9a8fbebb42e2c1508242d7 Mon Sep 17 00:00:00 2001 From: Ruben Date: Mon, 3 Mar 2025 13:30:15 +0100 Subject: [PATCH] Add --force flag --- README.md | 60 +++++++++++++++++++++++++++++++++--------------------- certman.sh | 13 +++++++++--- 2 files changed, 47 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index 7e6b024..34b6412 100644 --- a/README.md +++ b/README.md @@ -10,9 +10,11 @@ A bash script for managing SSL/TLS certificates through the Certwarden API. This - Service reload after certificate updates - Certificate expiration monitoring - Interactive menu-driven interface -- Automated mode support through environment configuration +- Silent mode for automated operations +- Force update option for certificate renewals - Proper error handling and logging - Support for multiple certificates +- Secure temporary file handling ## Prerequisites @@ -59,27 +61,8 @@ CERTIFICATES='[ "key_api_key": "your_key_api_key" } ]' - -# Optional: Auto mode configuration -AUTO_MODE="false" ``` -### Environment Variables Explained - -| Variable | Description | Required | -|----------|-------------|----------| -| CERTWARDEN_SERVER | Certwarden API server hostname and port | Yes | -| CERT_PATH | Directory for certificate storage | Yes | -| KEY_PATH | Directory for private key storage | Yes | -| TEMP_PATH | Temporary directory for downloads | Yes | -| SERVICE_NAME | Service to reload after certificate updates | Yes | -| CERT_OWNER | User owner for certificate files | Yes | -| CERT_GROUP | Group owner for certificate files | Yes | -| CERT_PERMISSIONS | Certificate file permissions | Yes | -| KEY_PERMISSIONS | Private key file permissions | Yes | -| CERTIFICATES | JSON array of certificate configurations | Yes | -| AUTO_MODE | Enable automated operation | No | - ## Usage ### Interactive Mode 
@@ -95,18 +78,49 @@ This will present a menu with the following options: 4. Exit ### Automated Mode -Set `AUTO_MODE="true"` in the `.env` file and run the script. This is suitable for cron jobs. +Run the script with the `--silent` flag for automated operations: +```bash +./certman.sh --silent +``` + +### Force Update +Use the `--force` flag to force certificate updates regardless of current status: +```bash +./certman.sh --force +``` + +Flags can be combined: +```bash +./certman.sh --silent --force +``` ### Cron Configuration Add these lines to your crontab for automated certificate management: ```cron -@reboot sleep 15 && /path/to/certman.sh -5 4 * * 2 /path/to/certman.sh +@reboot sleep 15 && /path/to/certman.sh --silent +5 4 * * 2 /path/to/certman.sh --silent ``` +## Environment Variables + +| Variable | Description | Required | +|----------|-------------|----------| +| CERTWARDEN_SERVER | Certwarden API server hostname and port | Yes | +| CERT_PATH | Directory for certificate storage | Yes | +| KEY_PATH | Directory for private key storage | Yes | +| TEMP_PATH | Temporary directory for downloads | Yes | +| SERVICE_NAME | Service to reload after certificate updates | Yes | +| CERT_OWNER | User owner for certificate files | Yes | +| CERT_GROUP | Group owner for certificate files | Yes | +| CERT_PERMISSIONS | Certificate file permissions | Yes | +| KEY_PERMISSIONS | Private key file permissions | Yes | +| CERTIFICATES | JSON array of certificate configurations | Yes | + ## Security Considerations - Store the script and `.env` file in a secure location with restricted permissions - Use appropriate permissions for certificate and key files - Keep API keys secure and rotate them periodically - Run the script as a user with appropriate privileges +- Temporary files are automatically cleaned up using secure practices +- Certificate and key pairs are validated before installation diff --git a/certman.sh b/certman.sh index 3e123d4..8236671 100644 --- a/certman.sh 
+++ b/certman.sh @@ -11,12 +11,17 @@ else fi AUTO_MODE="false" +FORCE_UPDATE="false" while [[ $# -gt 0 ]]; do case $1 in --silent) AUTO_MODE="true" shift ;; + --force) + FORCE_UPDATE="true" + shift + ;; *) shift ;; @@ -66,14 +71,14 @@ download_and_verify_cert() { echo -e "${BLUE}Processing certificate for $domain${NC}" # Download certificate - if ! curl -fL -o "$temp_cert" -H "X-API-Key: $cert_api_key" \ + if ! curl -s -fL -o "$temp_cert" -H "X-API-Key: $cert_api_key" \ "https://$CERTWARDEN_SERVER/certwarden/api/v1/download/certificates/$domain"; then echo -e "${RED}Failed to download certificate for $domain${NC}" return 1 fi # Download private key - if ! curl -fL -o "$temp_key" -H "X-API-Key: $key_api_key" \ + if ! curl -s -fL -o "$temp_key" -H "X-API-Key: $key_api_key" \ "https://$CERTWARDEN_SERVER/certwarden/api/v1/download/privatekeys/$domain"; then echo -e "${RED}Failed to download private key for $domain${NC}" return 1 @@ -111,7 +116,9 @@ install_certificate() { local needs_reload=0 # Check if certificate needs updating - if [ -f "$final_cert" ]; then + if [ "$FORCE_UPDATE" = "true" ]; then + needs_reload=1 + elif [ -f "$final_cert" ]; then if ! cmp -s "$final_cert" "$temp_cert"; then needs_reload=1 fi
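Review bot: The new `--force)` arm is fine on its own, but the `*) shift ;;` default that follows it still discards any unrecognised argument silently, so a mistyped flag such as `--froce` runs an ordinary, non-forced pass with no indication that the option was ignored; now that the script accepts two flags, rejecting unknown options is worth it: `*) echo "Unknown option: $1" >&2; exit 1 ;;`. This fall-through predates the commit, so it is a follow-up rather than a regression. The `esac` and `done` that close the loop lie outside the hunk.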
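Review bot: Adding `-s` to both curl calls silences curl's own error output as well as the progress meter, so when a download fails the only diagnostic left is the generic `Failed to download certificate for $domain` echo; for a script that fetches key material over TLS the reason (certificate verification failure, 401, DNS) is exactly what an operator needs, so use `-sS` instead: `if ! curl -sS -fL -o "$temp_cert" -H "X-API-Key: $cert_api_key" \`, and likewise for the private-key call. Separately, since `-L` follows redirects and curl re-sends custom headers such as `X-API-Key` to the redirect target, a redirect away from the Certwarden host would disclose the key; unless redirects are expected from this API, dropping `-L` is the safer default. download_and_verify_cert continues outside the hunk.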
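Review bot: The comment `# Check if certificate needs updating` now sits above a branch that deliberately skips that check when `FORCE_UPDATE` is set, so a reader has to work out that force means "install and reload even if the downloaded files are byte-identical"; rewording it to `# --force installs and reloads unconditionally; otherwise compare against the installed cert` documents the intent. The new test also uses `[ "$FORCE_UPDATE" = "true" ]` while the argument loop earlier in this file uses `[[ ... ]]`; `if [[ "$FORCE_UPDATE" == "true" ]]; then` keeps the two consistent. install_certificate's body continues past the end of the hunk, so whether the key file is compared as well is not visible here.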