Add --force flag
This commit is contained in:
parent
8eb11e6524
commit
819826f7fe
2 changed files with 47 additions and 26 deletions
60
README.md
60
README.md
|
@ -10,9 +10,11 @@ A bash script for managing SSL/TLS certificates through the Certwarden API. This
|
||||||
- Service reload after certificate updates
|
- Service reload after certificate updates
|
||||||
- Certificate expiration monitoring
|
- Certificate expiration monitoring
|
||||||
- Interactive menu-driven interface
|
- Interactive menu-driven interface
|
||||||
- Automated mode support through environment configuration
|
- Silent mode for automated operations
|
||||||
|
- Force update option for certificate renewals
|
||||||
- Proper error handling and logging
|
- Proper error handling and logging
|
||||||
- Support for multiple certificates
|
- Support for multiple certificates
|
||||||
|
- Secure temporary file handling
|
||||||
|
|
||||||
## Prerequisites
|
## Prerequisites
|
||||||
|
|
||||||
|
@ -59,27 +61,8 @@ CERTIFICATES='[
|
||||||
"key_api_key": "your_key_api_key"
|
"key_api_key": "your_key_api_key"
|
||||||
}
|
}
|
||||||
]'
|
]'
|
||||||
|
|
||||||
# Optional: Auto mode configuration
|
|
||||||
AUTO_MODE="false"
|
|
||||||
```
|
```
|
||||||
|
|
||||||
### Environment Variables Explained
|
|
||||||
|
|
||||||
| Variable | Description | Required |
|
|
||||||
|----------|-------------|----------|
|
|
||||||
| CERTWARDEN_SERVER | Certwarden API server hostname and port | Yes |
|
|
||||||
| CERT_PATH | Directory for certificate storage | Yes |
|
|
||||||
| KEY_PATH | Directory for private key storage | Yes |
|
|
||||||
| TEMP_PATH | Temporary directory for downloads | Yes |
|
|
||||||
| SERVICE_NAME | Service to reload after certificate updates | Yes |
|
|
||||||
| CERT_OWNER | User owner for certificate files | Yes |
|
|
||||||
| CERT_GROUP | Group owner for certificate files | Yes |
|
|
||||||
| CERT_PERMISSIONS | Certificate file permissions | Yes |
|
|
||||||
| KEY_PERMISSIONS | Private key file permissions | Yes |
|
|
||||||
| CERTIFICATES | JSON array of certificate configurations | Yes |
|
|
||||||
| AUTO_MODE | Enable automated operation | No |
|
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
|
||||||
### Interactive Mode
|
### Interactive Mode
|
||||||
|
@ -95,18 +78,49 @@ This will present a menu with the following options:
|
||||||
4. Exit
|
4. Exit
|
||||||
|
|
||||||
### Automated Mode
|
### Automated Mode
|
||||||
Set `AUTO_MODE="true"` in the `.env` file and run the script. This is suitable for cron jobs.
|
Run the script with the `--silent` flag for automated operations:
|
||||||
|
```bash
|
||||||
|
./certman.sh --silent
|
||||||
|
```
|
||||||
|
|
||||||
|
### Force Update
|
||||||
|
Use the `--force` flag to force certificate updates regardless of current status:
|
||||||
|
```bash
|
||||||
|
./certman.sh --force
|
||||||
|
```
|
||||||
|
|
||||||
|
Flags can be combined:
|
||||||
|
```bash
|
||||||
|
./certman.sh --silent --force
|
||||||
|
```
|
||||||
|
|
||||||
### Cron Configuration
|
### Cron Configuration
|
||||||
Add these lines to your crontab for automated certificate management:
|
Add these lines to your crontab for automated certificate management:
|
||||||
```cron
|
```cron
|
||||||
@reboot sleep 15 && /path/to/certman.sh
|
@reboot sleep 15 && /path/to/certman.sh --silent
|
||||||
5 4 * * 2 /path/to/certman.sh
|
5 4 * * 2 /path/to/certman.sh --silent
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Environment Variables
|
||||||
|
|
||||||
|
| Variable | Description | Required |
|
||||||
|
|----------|-------------|----------|
|
||||||
|
| CERTWARDEN_SERVER | Certwarden API server hostname and port | Yes |
|
||||||
|
| CERT_PATH | Directory for certificate storage | Yes |
|
||||||
|
| KEY_PATH | Directory for private key storage | Yes |
|
||||||
|
| TEMP_PATH | Temporary directory for downloads | Yes |
|
||||||
|
| SERVICE_NAME | Service to reload after certificate updates | Yes |
|
||||||
|
| CERT_OWNER | User owner for certificate files | Yes |
|
||||||
|
| CERT_GROUP | Group owner for certificate files | Yes |
|
||||||
|
| CERT_PERMISSIONS | Certificate file permissions | Yes |
|
||||||
|
| KEY_PERMISSIONS | Private key file permissions | Yes |
|
||||||
|
| CERTIFICATES | JSON array of certificate configurations | Yes |
|
||||||
|
|
||||||
## Security Considerations
|
## Security Considerations
|
||||||
|
|
||||||
- Store the script and `.env` file in a secure location with restricted permissions
|
- Store the script and `.env` file in a secure location with restricted permissions
|
||||||
- Use appropriate permissions for certificate and key files
|
- Use appropriate permissions for certificate and key files
|
||||||
- Keep API keys secure and rotate them periodically
|
- Keep API keys secure and rotate them periodically
|
||||||
- Run the script as a user with appropriate privileges
|
- Run the script as a user with appropriate privileges
|
||||||
|
- Temporary files are automatically cleaned up using secure practices
|
||||||
|
- Certificate and key pairs are validated before installation
|
||||||
|
|
13
certman.sh
13
certman.sh
|
@ -11,12 +11,17 @@ else
|
||||||
fi
|
fi
|
||||||
|
|
||||||
AUTO_MODE="false"
|
AUTO_MODE="false"
|
||||||
|
FORCE_UPDATE="false"
|
||||||
while [[ $# -gt 0 ]]; do
|
while [[ $# -gt 0 ]]; do
|
||||||
case $1 in
|
case $1 in
|
||||||
--silent)
|
--silent)
|
||||||
AUTO_MODE="true"
|
AUTO_MODE="true"
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
|
--force)
|
||||||
|
FORCE_UPDATE="true"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
|
@ -66,14 +71,14 @@ download_and_verify_cert() {
|
||||||
echo -e "${BLUE}Processing certificate for $domain${NC}"
|
echo -e "${BLUE}Processing certificate for $domain${NC}"
|
||||||
|
|
||||||
# Download certificate
|
# Download certificate
|
||||||
if ! curl -fL -o "$temp_cert" -H "X-API-Key: $cert_api_key" \
|
if ! curl -s -fL -o "$temp_cert" -H "X-API-Key: $cert_api_key" \
|
||||||
"https://$CERTWARDEN_SERVER/certwarden/api/v1/download/certificates/$domain"; then
|
"https://$CERTWARDEN_SERVER/certwarden/api/v1/download/certificates/$domain"; then
|
||||||
echo -e "${RED}Failed to download certificate for $domain${NC}"
|
echo -e "${RED}Failed to download certificate for $domain${NC}"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Download private key
|
# Download private key
|
||||||
if ! curl -fL -o "$temp_key" -H "X-API-Key: $key_api_key" \
|
if ! curl -s -fL -o "$temp_key" -H "X-API-Key: $key_api_key" \
|
||||||
"https://$CERTWARDEN_SERVER/certwarden/api/v1/download/privatekeys/$domain"; then
|
"https://$CERTWARDEN_SERVER/certwarden/api/v1/download/privatekeys/$domain"; then
|
||||||
echo -e "${RED}Failed to download private key for $domain${NC}"
|
echo -e "${RED}Failed to download private key for $domain${NC}"
|
||||||
return 1
|
return 1
|
||||||
|
@ -111,7 +116,9 @@ install_certificate() {
|
||||||
local needs_reload=0
|
local needs_reload=0
|
||||||
|
|
||||||
# Check if certificate needs updating
|
# Check if certificate needs updating
|
||||||
if [ -f "$final_cert" ]; then
|
if [ "$FORCE_UPDATE" = "true" ]; then
|
||||||
|
needs_reload=1
|
||||||
|
elif [ -f "$final_cert" ]; then
|
||||||
if ! cmp -s "$final_cert" "$temp_cert"; then
|
if ! cmp -s "$final_cert" "$temp_cert"; then
|
||||||
needs_reload=1
|
needs_reload=1
|
||||||
fi
|
fi
|
||||||
|
|
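Review bot: The `-s` added to both curl calls in the download_and_verify_cert hunk also suppresses curl's own error text, so when a download fails the only output is the generic "Failed to download …" line and the HTTP status or TLS reason is lost; `-sS` keeps the progress meter quiet but still reports errors, i.e. `curl -sS -fL -o "$temp_cert" -H "X-API-Key: $cert_api_key" \` and the same for the private-key call. download_and_verify_cert begins and continues outside the hunk, so any validation of the downloaded pair is not visible here. In the argument-parsing hunk the `*)` arm still drops unrecognised arguments with a bare `shift`, so a mistyped `--forse` in the documented crontab line silently runs an ordinary update; `*) printf 'unknown argument: %s\n' "$1" >&2; exit 2 ;;` would surface that. Pre-existing but worth noting now that unattended `--silent --force` runs are documented: the API keys are passed to curl as `-H` arguments, which other local users can read from the process list, whereas `-H @file` or a curl `--config` file with restrictive permissions keeps them out of argv.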