From bde2444b172537e62ff2645efda27306c5041397 Mon Sep 17 00:00:00 2001
From: Ruben
Date: Wed, 7 May 2025 10:56:26 +0200
Subject: [PATCH] Fetch PEM from certwarden API

---
 certman.sh | 44 ++++++++++++++++++++++++++------------------
 1 file changed, 26 insertions(+), 18 deletions(-)

diff --git a/certman.sh b/certman.sh
index 3a41137..d13f460 100755
--- a/certman.sh
+++ b/certman.sh
@@ -87,8 +87,8 @@ download_and_verify_cert() {
     local key_api_key=$3
     local temp_cert="$TEMP_DIR/$domain.crt"
     local temp_key="$TEMP_DIR/$domain.key"
-    local temp_cert_pem="$TEMP_DIR/$domain.cert.pem"
-    local temp_key_pem="$TEMP_DIR/$domain.key.pem"
+    local temp_pem="$TEMP_DIR/$domain.pem"
+
 
     echo -e "${BLUE}Processing certificate for $domain${NC}"
 
@@ -106,18 +106,19 @@ download_and_verify_cert() {
         return 1
     fi
 
+    # Download fullchain PEM file
+    if ! curl -s -fL -o "$temp_pem" -H "X-API-Key: $cert_api_key.$key_api_key" \
+        "https://$CERTWARDEN_SERVER/certwarden/api/v1/download/privatecertchains/$domain"; then
+        echo -e "${RED}Failed to download fullchain PEM file for $domain${NC}"
+        return 1
+    fi
+
     # Verify files are not empty
-    if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ]; then
+    if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ] || [ ! -s "$temp_pem" ]; then
         echo -e "${RED}Downloaded files are empty for $domain${NC}"
         return 1
     fi
 
-    # Create PEM files if requested
-    if [ "$FULLCHAIN_PEM" = "true" ]; then
-        cat "$temp_cert" > "$temp_cert_pem"
-        cat "$temp_key" > "$temp_key_pem"
-    fi
-
     # Validate certificate and key match
     local cert_fingerprint
     cert_fingerprint=$(openssl x509 -in "$temp_cert" -noout -pubkey |
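Review bot: The new curl call passes the API credential on the command line via `-H "X-API-Key: $cert_api_key.$key_api_key"`, so it is visible to every local user in the process list for the duration of the download and is printed verbatim if the script is ever run with `set -x`. Writing the header into a `mktemp` file and passing it with `-H @"$hdr_file"` keeps it off argv: `printf 'X-API-Key: %s.%s\n' "$cert_api_key" "$key_api_key" > "$hdr_file"` followed by `if ! curl -sS -f -o "$temp_pem" -H @"$hdr_file" \`. The `-L` flag also re-sends that custom header to whatever location the server redirects to, which a fixed API endpoint should not need, and `-s` without `-S` hides curl's own error text from the failure branch below. The earlier cert and key downloads are outside this hunk; if they use the same form, the same applies to them.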
@@ -126,12 +127,21 @@ download_and_verify_cert() {
     local key_fingerprint
     key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER 2>/dev/null |
         openssl dgst -sha256)
+    local pem_fingerprint
+    pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
+        openssl pkey -pubin -outform DER 2>/dev/null |
+        openssl dgst -sha256)
 
     if [ "$cert_fingerprint" != "$key_fingerprint" ]; then
         echo -e "${RED}Certificate and key do not match for $domain${NC}"
         return 1
     fi
 
+    if [[ "$cert_fingerprint" != "$pem_fingerprint" ]]; then
+        echo -e "${RED}Certificate and PEM file do not match for $domain${NC}"
+        return 1
+    fi
+
     return 0
 }
 
@@ -139,19 +149,17 @@ install_certificate() {
     local domain=$1
     local final_cert="$CERT_PATH/$domain.crt"
     local final_key="$KEY_PATH/$domain.key"
-    local final_cert_pem="$CERT_PATH/$domain.cert.pem"
-    local final_key_pem="$KEY_PATH/$domain.key.pem"
+    local final_pem="$KEY_PATH/$domain.pem"
     local temp_cert="$TEMP_DIR/$domain.crt"
     local temp_key="$TEMP_DIR/$domain.key"
-    local temp_cert_pem="$TEMP_DIR/$domain.cert.pem"
-    local temp_key_pem="$TEMP_DIR/$domain.key.pem"
+    local temp_pem="$TEMP_DIR/$domain.pem"
     local needs_reload=0
 
     # Check if certificate needs updating
     if [ "$FORCE_UPDATE" = "true" ]; then
         needs_reload=1
-    elif [ "$FULLCHAIN_PEM" = "true" ] && [ -f "$final_cert_pem" ]; then
-        if ! cmp -s "$final_cert_pem" "$temp_cert_pem"; then
+    elif [ "$FULLCHAIN_PEM" = "true" ] && [ -f "$final_pem" ]; then
+        if ! cmp -s "$final_pem" "$temp_cert_pem"; then
             needs_reload=1
         fi
     elif [ -f "$final_cert" ]; then
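Review bot: The added PEM check only compares the public key of the first CERTIFICATE block in `$temp_pem` against the .crt; if, as the `privatecertchains` endpoint name and the `$KEY_PATH` install target suggest, the file also carries the private key, that key is never validated against the certificate. `openssl pkey -in "$temp_pem" -pubout -outform DER 2>/dev/null | openssl dgst -sha256` compared with `$cert_fingerprint` would close that gap. Separately, the new condition uses `[[ ... ]]` while the identical check four lines above uses `[ ... ]`; keep one form, `if [ "$cert_fingerprint" != "$pem_fingerprint" ]; then`. Note that none of the fingerprint pipelines checks its exit status, so a failing `openssl` leaves the variable holding the digest of empty input rather than an empty string, which is why a bare emptiness test would not catch it.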
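Review bot: `cmp -s "$final_pem" "$temp_cert_pem"` in the new elif branch references `temp_cert_pem`, a variable this same hunk removes from the function, so with the new code it expands to an empty string, `cmp` fails, and `needs_reload` is set on every run that reaches this branch; if the script runs under `set -u` it aborts instead. The intended comparison is `if ! cmp -s "$final_pem" "$temp_pem"; then`. install_certificate continues past the end of this hunk.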
@@ -165,11 +173,11 @@ install_certificate() {
     # Install new certificate and key
     if [ $needs_reload -eq 1 ]; then
         if [ "$FULLCHAIN_PEM" = "true" ]; then
-            if ! cp -f "$temp_cert_pem" "$final_cert_pem" || ! cp -f "$temp_key_pem" "$final_key_pem"; then
-                echo -e "${RED}Failed to install PEM files for $domain${NC}"
+            if ! cp -f "$temp_pem" "$final_pem"; then
+                echo -e "${RED}Failed to install PEM file for $domain${NC}"
                 return 1
             fi
-            local files=("$final_cert_pem" "$final_key_pem")
+            local files=("$final_pem")
         else
             if ! cp -f "$temp_cert" "$final_cert" || ! cp -f "$temp_key" "$final_key"; then
                 echo -e "${RED}Failed to install certificate files for $domain${NC}"
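Review bot: `cp -f "$temp_pem" "$final_pem"` installs a file that, given the `privatecertchains` source and the `$KEY_PATH` destination, likely contains the private key, yet nothing in the hunk sets its mode: a newly created target inherits the temp file's mode as curl left it (masked only by umask, commonly 0644) and an existing target keeps whatever mode it already had. The copy also truncates the live file in place, so a service reload racing with it can read a partial PEM. `install -m 0600 -- "$temp_pem" "$final_pem"` fixes the mode in one line; for atomicity, copy to a sibling path such as `"$final_pem.tmp"` and `mv -f` it over the target. The later handling of the `files` array is outside this hunk and may already set permissions, in which case only the atomicity point stands.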