diff --git a/certman.sh b/certman.sh
index 3a41137..d13f460 100755
--- a/certman.sh
+++ b/certman.sh
@@ -87,8 +87,8 @@ download_and_verify_cert() {
local key_api_key=$3
local temp_cert="$TEMP_DIR/$domain.crt"
local temp_key="$TEMP_DIR/$domain.key"
- local temp_cert_pem="$TEMP_DIR/$domain.cert.pem"
- local temp_key_pem="$TEMP_DIR/$domain.key.pem"
+ local temp_pem="$TEMP_DIR/$domain.pem"
+
echo -e "${BLUE}Processing certificate for $domain${NC}"
@@ -106,18 +106,19 @@ download_and_verify_cert() {
return 1
fi
+ # Download fullchain PEM file
+ if ! curl -s -fL -o "$temp_pem" -H "X-API-Key: $cert_api_key.$key_api_key" \
+ "https://$CERTWARDEN_SERVER/certwarden/api/v1/download/privatecertchains/$domain"; then
+ echo -e "${RED}Failed to download fullchain PEM file for $domain${NC}"
+ return 1
+ fi
+
# Verify files are not empty
- if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ]; then
+ if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ] || [ ! -s "$temp_pem" ]; then
echo -e "${RED}Downloaded files are empty for $domain${NC}"
return 1
fi
- # Create PEM files if requested
- if [ "$FULLCHAIN_PEM" = "true" ]; then
- cat "$temp_cert" > "$temp_cert_pem"
- cat "$temp_key" > "$temp_key_pem"
- fi
-
# Validate certificate and key match
local cert_fingerprint
cert_fingerprint=$(openssl x509 -in "$temp_cert" -noout -pubkey |
@@ -126,12 +127,21 @@ download_and_verify_cert() {
local key_fingerprint
key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER 2>/dev/null |
openssl dgst -sha256)
+ local pem_fingerprint
+ pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
+ openssl pkey -pubin -outform DER 2>/dev/null |
+ openssl dgst -sha256)
if [ "$cert_fingerprint" != "$key_fingerprint" ]; then
echo -e "${RED}Certificate and key do not match for $domain${NC}"
return 1
fi
+ if [[ "$cert_fingerprint" != "$pem_fingerprint" ]]; then
+ echo -e "${RED}Certificate and PEM file do not match for $domain${NC}"
+ return 1
+ fi
+
return 0
}
@@ -139,19 +149,17 @@ install_certificate() {
local domain=$1
local final_cert="$CERT_PATH/$domain.crt"
local final_key="$KEY_PATH/$domain.key"
- local final_cert_pem="$CERT_PATH/$domain.cert.pem"
- local final_key_pem="$KEY_PATH/$domain.key.pem"
+ local final_pem="$KEY_PATH/$domain.pem"
local temp_cert="$TEMP_DIR/$domain.crt"
local temp_key="$TEMP_DIR/$domain.key"
- local temp_cert_pem="$TEMP_DIR/$domain.cert.pem"
- local temp_key_pem="$TEMP_DIR/$domain.key.pem"
+ local temp_pem="$TEMP_DIR/$domain.pem"
local needs_reload=0
# Check if certificate needs updating
if [ "$FORCE_UPDATE" = "true" ]; then
needs_reload=1
- elif [ "$FULLCHAIN_PEM" = "true" ] && [ -f "$final_cert_pem" ]; then
- if ! cmp -s "$final_cert_pem" "$temp_cert_pem"; then
+ elif [ "$FULLCHAIN_PEM" = "true" ] && [ -f "$final_pem" ]; then
+ if ! cmp -s "$final_pem" "$temp_cert_pem"; then
needs_reload=1
fi
elif [ -f "$final_cert" ]; then
@@ -165,11 +173,11 @@ install_certificate() {
# Install new certificate and key
if [ $needs_reload -eq 1 ]; then
if [ "$FULLCHAIN_PEM" = "true" ]; then
- if ! cp -f "$temp_cert_pem" "$final_cert_pem" || ! cp -f "$temp_key_pem" "$final_key_pem"; then
- echo -e "${RED}Failed to install PEM files for $domain${NC}"
+ if ! cp -f "$temp_pem" "$final_pem"; then
+ echo -e "${RED}Failed to install PEM file for $domain${NC}"
return 1
fi
- local files=("$final_cert_pem" "$final_key_pem")
+ local files=("$final_pem")
else
if ! cp -f "$temp_cert" "$final_cert" || ! cp -f "$temp_key" "$final_key"; then
echo -e "${RED}Failed to install certificate files for $domain${NC}"