From e526c98d37dc3aa4aed9702e40550c1d731e97b2 Mon Sep 17 00:00:00 2001 From: Ruben Date: Tue, 8 Apr 2025 14:59:21 +0200 Subject: [PATCH] Add fullchain PEM support and improve permissions handling The changes add support for combining certificates and private keys into a single PEM file, while also refactoring the permissions handling logic to be more robust and consistent. --- README.md | 6 ++++++ certman.sh | 37 +++++++++++++++++++++++++++++++------ 2 files changed, 37 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 8d1e137..d6d4fba 100644 --- a/README.md +++ b/README.md @@ -96,6 +96,11 @@ Flags can be combined: ./certman.sh --silent --force ``` +### Fullchain PEM +Use the `--fullchain-pem` flag to combine certificate and private key into a single PEM file: +```bash +./certman.sh --fullchain-pem + ### Cron Configuration Add these lines to your crontab for automated certificate management: ```cron @@ -111,6 +116,7 @@ Add these lines to your crontab for automated certificate management: | CERT_PATH | Directory for certificate storage | Yes | | KEY_PATH | Directory for private key storage | Yes | | TEMP_PATH | Temporary directory for downloads | Yes | +| FULLCHAIN_PEM | Optional: Combine cert and key into single PEM file | No | | SERVICE_NAME | Service to reload after certificate updates | Yes | | CERT_OWNER | User owner for certificate files | Yes | | CERT_GROUP | Group owner for certificate files | Yes | diff --git a/certman.sh b/certman.sh index 10287a1..41442fb 100755 --- a/certman.sh +++ b/certman.sh @@ -26,6 +26,8 @@ load_env || exit 1 AUTO_MODE="false" FORCE_UPDATE="false" +FULLCHAIN_PEM="${FULLCHAIN_PEM:-false}" + while [[ $# -gt 0 ]]; do case $1 in --silent) @@ -36,6 +38,10 @@ while [[ $# -gt 0 ]]; do FORCE_UPDATE="true" shift ;; + --fullchain-pem) + FULLCHAIN_PEM="true" + shift + ;; *) shift ;; 
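Review bot: `FULLCHAIN_PEM="${FULLCHAIN_PEM:-false}"` in the `@@ -26,6 +26,8 @@` hunk accepts any environment value, but every later test is `[ "$FULLCHAIN_PEM" = "true" ]`, so `FULLCHAIN_PEM=1` or `FULLCHAIN_PEM=yes` from the environment (which the README row in this commit presents as the way to enable the feature) silently produces no PEM. Either normalise once right after the default, `case "${FULLCHAIN_PEM,,}" in true|yes|1) FULLCHAIN_PEM="true" ;; *) FULLCHAIN_PEM="false" ;; esac`, or fail loudly on anything other than `true`/`false`, since the operator otherwise only discovers the misconfiguration when the PEM is missing. The `--fullchain-pem` arm in the second hunk is fine as it sets the exact literal the checks expect.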
@@ -81,6 +87,7 @@ download_and_verify_cert() { local key_api_key=$3 local temp_cert="$TEMP_DIR/$domain.crt" local temp_key="$TEMP_DIR/$domain.key" + local temp_fullchain="$TEMP_DIR/$domain.pem" echo -e "${BLUE}Processing certificate for $domain${NC}" @@ -104,6 +111,11 @@ download_and_verify_cert() { return 1 fi + # Create fullchain PEM if requested + if [ "$FULLCHAIN_PEM" = "true" ]; then + cat "$temp_cert" "$temp_key" > "$temp_fullchain" + fi + # Validate certificate and key match local cert_fingerprint cert_fingerprint=$(openssl x509 -in "$temp_cert" -noout -pubkey | @@ -125,8 +137,10 @@ install_certificate() { local domain=$1 local final_cert="$CERT_PATH/$domain.crt" local final_key="$KEY_PATH/$domain.key" + local final_fullchain="$CERT_PATH/$domain.pem" local temp_cert="$TEMP_DIR/$domain.crt" local temp_key="$TEMP_DIR/$domain.key" + local temp_fullchain="$TEMP_DIR/$domain.pem" local needs_reload=0 # Check if certificate needs updating @@ -147,14 +161,25 @@ install_certificate() { return 1 fi - # Set permissions and ownership - if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_cert" "$final_key" || \ - ! chmod "$CERT_PERMISSIONS" "$final_cert" || \ - ! chmod "$KEY_PERMISSIONS" "$final_key"; then - echo -e "${RED}Failed to set permissions for $domain${NC}" - return 1 + if [ "$FULLCHAIN_PEM" = "true" ]; then + if ! cp -f "$temp_fullchain" "$final_fullchain"; then + echo -e "${RED}Failed to install fullchain PEM for $domain${NC}" + return 1 + fi fi + # Set permissions and ownership + local files=("$final_cert" "$final_key") + [ "$FULLCHAIN_PEM" = "true" ] && files+=("$final_fullchain") + + for file in "${files[@]}"; do + if ! chown "$CERT_OWNER:$CERT_GROUP" "$file" || \ + ! chmod "$CERT_PERMISSIONS" "$file"; then + echo -e "${RED}Failed to set permissions for $file${NC}" + return 1 + fi + done + echo -e "${GREEN}Certificate updated for $domain${NC}" return 0 fi
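Review bot: In the `@@ -104,6 +111,11 @@` hunk, `cat "$temp_cert" "$temp_key" > "$temp_fullchain"` writes private key material into a new file whose mode is whatever the process umask gives (commonly 0644), and the result is later copied with `cp -f` and only chmod'ed afterwards, so the key is readable to other users of the host for that window. Create it restrictively from the start, `(umask 077; cat "$temp_cert" "$temp_key" > "$temp_fullchain")`, and check the exit status the same way the surrounding download steps do (an `if ! …; then echo -e "${RED}…${NC}"; return 1; fi` around it), otherwise a failed or truncated concatenation is silently installed. The body of download_and_verify_cert continues outside this hunk.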
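Review bot: The new permissions loop in the `@@ -147,14 +161,25 @@` hunk applies `$CERT_PERMISSIONS` to every file, including `$final_key` and the combined PEM, whereas the removed lines applied `$KEY_PERMISSIONS` to the key; `KEY_PERMISSIONS` is now read nowhere in this hunk, so the private key and the PEM that embeds it end up with the certificate's (presumably world-readable) mode. The mode should be chosen per file, with only the bare certificate getting `CERT_PERMISSIONS`. Note also that `final_fullchain` is placed under `$CERT_PATH` (declared in the `@@ -125,8 +137,10 @@` hunk) while the README describes `KEY_PATH` as the directory for private keys, so the combined file should at minimum be treated as a key for permission purposes, or better be installed into `KEY_PATH`. The enclosing `if` and the rest of install_certificate begin outside this hunk.
```shell
for file in "${files[@]}"; do
  # Only the bare certificate is public; the key and the combined PEM hold the private key.
  local mode="$KEY_PERMISSIONS"
  [ "$file" = "$final_cert" ] && mode="$CERT_PERMISSIONS"
  if ! chown "$CERT_OWNER:$CERT_GROUP" "$file" || \
     ! chmod "$mode" "$file"; then
    # … unchanged: error message, return 1, fi, done …
```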