Remove unused API key validation function

Remove temp path directory creation Make fullchain PEM handling conditional Improve certificate update detection logic
2026-02-20 23:02:45 +01:00 · 2026-02-20 23:02:45 +01:00 · f16871a0fd
commit f16871a0fd
parent 4c68bc5d2a
1 changed files with 24 additions and 23 deletions
--- a/certman.sh
+++ b/certman.sh
@ -71,13 +71,8 @@ check_requirements() {
    done
 }

-validate_api_key() {
-    local api_key=$1
-    [[ $api_key =~ ^[A-Za-z0-9_-]{32,}$ ]]
-}
-
 setup_directories() {
-    local dirs=("$CERT_PATH" "$KEY_PATH" "$TEMP_PATH")
+    local dirs=("$CERT_PATH" "$KEY_PATH")
    for dir in "${dirs[@]}"; do
        if ! mkdir -p "$dir"; then
            echo -e "${RED}Error: Failed to create directory: $dir${NC}"
@ -111,17 +106,23 @@ download_and_verify_cert() {
    fi

    # Download fullchain PEM file
+    if [ "$FULLCHAIN_PEM" = "true" ]; then
        if ! curl -s -fL -o "$temp_pem" -H "X-API-Key: $cert_api_key.$key_api_key" \
            "https://$CERTWARDEN_SERVER/certwarden/api/v1/download/privatecertchains/$domain"; then
            echo -e "${RED}Failed to download fullchain PEM file for $domain${NC}"
            return 1
        fi
+    fi

    # Verify files are not empty
-    if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ] || [ ! -s "$temp_pem" ]; then
+    if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ]; then
        echo -e "${RED}Downloaded files are empty for $domain${NC}"
        return 1
    fi
+    if [ "$FULLCHAIN_PEM" = "true" ] && [ ! -s "$temp_pem" ]; then
+        echo -e "${RED}Downloaded PEM file is empty for $domain${NC}"
+        return 1
+    fi

    # Validate certificate and key match
    local cert_fingerprint
@ -131,19 +132,21 @@ download_and_verify_cert() {
    local key_fingerprint
    key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256)
-    local pem_fingerprint
-    pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
-        openssl pkey -pubin -outform DER 2>/dev/null |
-        openssl dgst -sha256)

    if [ "$cert_fingerprint" != "$key_fingerprint" ]; then
        echo -e "${RED}Certificate and key do not match for $domain${NC}"
        return 1
    fi

-    if [[ "$cert_fingerprint" != "$pem_fingerprint" ]]; then
-        echo -e "${RED}Certificate and PEM file do not match for $domain${NC}"
-        return 1
+    if [ "$FULLCHAIN_PEM" = "true" ]; then
+        local pem_fingerprint
+        pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
+            openssl pkey -pubin -outform DER 2>/dev/null |
+            openssl dgst -sha256)
+        if [[ "$cert_fingerprint" != "$pem_fingerprint" ]]; then
+            echo -e "${RED}Certificate and PEM file do not match for $domain${NC}"
+            return 1
+        fi
    fi

    return 0
@ -162,15 +165,13 @@ install_certificate() {
    # Check if certificate needs updating
    if [ "$FORCE_UPDATE" = "true" ]; then
        needs_reload=1
-    elif [ "$FULLCHAIN_PEM" = "true" ] && [ -f "$final_pem" ]; then
-        if ! cmp -s "$final_pem" "$temp_pem"; then
-            needs_reload=1
-        fi
-    elif [ -f "$final_cert" ]; then
-        if ! cmp -s "$final_cert" "$temp_cert"; then
-            needs_reload=1
-        fi
-    else
+    elif [ ! -f "$final_cert" ] || [ ! -f "$final_key" ]; then
+        needs_reload=1
+    elif ! cmp -s "$final_cert" "$temp_cert" || ! cmp -s "$final_key" "$temp_key"; then
+        needs_reload=1
+    elif [ "$FULLCHAIN_PEM" = "true" ] && [ -f "$final_pem" ] && ! cmp -s "$final_pem" "$temp_pem"; then
+        needs_reload=1
+    elif [ "$FULLCHAIN_PEM" = "true" ] && [ ! -f "$final_pem" ]; then
        needs_reload=1
    fi