Skyfritt/certman
4
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

Fetch PEM from certwarden API

Browse source
This commit is contained in:
Ruben Solvang 2025-05-07 10:56:26 +02:00
parent 1895042b55
commit bde2444b17
1 changed files with 26 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
certman.sh
View file

@ -87,8 +87,8 @@ download_and_verify_cert() {
local key_api_key=$3
local temp_cert="$TEMP_DIR/$domain.crt"
local temp_key="$TEMP_DIR/$domain.key"
local temp_cert_pem="$TEMP_DIR/$domain.cert.pem"
local temp_key_pem="$TEMP_DIR/$domain.key.pem"
local temp_pem="$TEMP_DIR/$domain.pem"
echo -e "${BLUE}Processing certificate for $domain${NC}"
@ -106,18 +106,19 @@ download_and_verify_cert() {
return 1
fi
# Download fullchain PEM file
if ! curl -s -fL -o "$temp_pem" -H "X-API-Key: $cert_api_key.$key_api_key" \
"https://$CERTWARDEN_SERVER/certwarden/api/v1/download/privatecertchains/$domain"; then
echo -e "${RED}Failed to download fullchain PEM file for $domain${NC}"
return 1
fi
# Verify files are not empty
if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ]; then
if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ] || [ ! -s "$temp_pem" ]; then
echo -e "${RED}Downloaded files are empty for $domain${NC}"
return 1
fi
# Create PEM files if requested
if [ "$FULLCHAIN_PEM" = "true" ]; then
cat "$temp_cert" > "$temp_cert_pem"
cat "$temp_key" > "$temp_key_pem"
fi
# Validate certificate and key match
local cert_fingerprint
cert_fingerprint=$(openssl x509 -in "$temp_cert" -noout -pubkey |
@ -126,12 +127,21 @@ download_and_verify_cert() {
local key_fingerprint
key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER 2>/dev/null |
openssl dgst -sha256)
local pem_fingerprint
pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
openssl pkey -pubin -outform DER 2>/dev/null |
openssl dgst -sha256)
if [ "$cert_fingerprint" != "$key_fingerprint" ]; then
echo -e "${RED}Certificate and key do not match for $domain${NC}"
return 1
fi
if [[ "$cert_fingerprint" != "$pem_fingerprint" ]]; then
echo -e "${RED}Certificate and PEM file do not match for $domain${NC}"
return 1
fi
return 0
}
@ -139,19 +149,17 @@ install_certificate() {
local domain=$1
local final_cert="$CERT_PATH/$domain.crt"
local final_key="$KEY_PATH/$domain.key"
local final_cert_pem="$CERT_PATH/$domain.cert.pem"
local final_key_pem="$KEY_PATH/$domain.key.pem"
local final_pem="$KEY_PATH/$domain.pem"
local temp_cert="$TEMP_DIR/$domain.crt"
local temp_key="$TEMP_DIR/$domain.key"
local temp_cert_pem="$TEMP_DIR/$domain.cert.pem"
local temp_key_pem="$TEMP_DIR/$domain.key.pem"
local temp_pem="$TEMP_DIR/$domain.pem"
local needs_reload=0
# Check if certificate needs updating
if [ "$FORCE_UPDATE" = "true" ]; then
needs_reload=1
elif [ "$FULLCHAIN_PEM" = "true" ] && [ -f "$final_cert_pem" ]; then
if ! cmp -s "$final_cert_pem" "$temp_cert_pem"; then
elif [ "$FULLCHAIN_PEM" = "true" ] && [ -f "$final_pem" ]; then
if ! cmp -s "$final_pem" "$temp_cert_pem"; then
needs_reload=1
fi
elif [ -f "$final_cert" ]; then
@ -165,11 +173,11 @@ install_certificate() {
# Install new certificate and key
if [ $needs_reload -eq 1 ]; then
if [ "$FULLCHAIN_PEM" = "true" ]; then
if ! cp -f "$temp_cert_pem" "$final_cert_pem" || ! cp -f "$temp_key_pem" "$final_key_pem"; then
echo -e "${RED}Failed to install PEM files for $domain${NC}"
if ! cp -f "$temp_pem" "$final_pem"; then
echo -e "${RED}Failed to install PEM file for $domain${NC}"
return 1
fi
local files=("$final_cert_pem" "$final_key_pem")
local files=("$final_pem")
else
if ! cp -f "$temp_cert" "$final_cert" || ! cp -f "$temp_key" "$final_key"; then
echo -e "${RED}Failed to install certificate files for $domain${NC}"