Compare commits
2 commits
8eb11e6524
...
fcca723a7a
| Author | SHA1 | Date | |
|---|---|---|---|
| fcca723a7a | |||
| 819826f7fe |
3 changed files with 47 additions and 29 deletions
60
README.md
60
README.md
|
|
@ -10,9 +10,11 @@ A bash script for managing SSL/TLS certificates through the Certwarden API. This
|
|||
- Service reload after certificate updates
|
||||
- Certificate expiration monitoring
|
||||
- Interactive menu-driven interface
|
||||
- Automated mode support through environment configuration
|
||||
- Silent mode for automated operations
|
||||
- Force update option for certificate renewals
|
||||
- Proper error handling and logging
|
||||
- Support for multiple certificates
|
||||
- Secure temporary file handling
|
||||
|
||||
## Prerequisites
|
||||
|
||||
|
|
@ -59,27 +61,8 @@ CERTIFICATES='[
|
|||
"key_api_key": "your_key_api_key"
|
||||
}
|
||||
]'
|
||||
|
||||
# Optional: Auto mode configuration
|
||||
AUTO_MODE="false"
|
||||
```
|
||||
|
||||
### Environment Variables Explained
|
||||
|
||||
| Variable | Description | Required |
|
||||
|----------|-------------|----------|
|
||||
| CERTWARDEN_SERVER | Certwarden API server hostname and port | Yes |
|
||||
| CERT_PATH | Directory for certificate storage | Yes |
|
||||
| KEY_PATH | Directory for private key storage | Yes |
|
||||
| TEMP_PATH | Temporary directory for downloads | Yes |
|
||||
| SERVICE_NAME | Service to reload after certificate updates | Yes |
|
||||
| CERT_OWNER | User owner for certificate files | Yes |
|
||||
| CERT_GROUP | Group owner for certificate files | Yes |
|
||||
| CERT_PERMISSIONS | Certificate file permissions | Yes |
|
||||
| KEY_PERMISSIONS | Private key file permissions | Yes |
|
||||
| CERTIFICATES | JSON array of certificate configurations | Yes |
|
||||
| AUTO_MODE | Enable automated operation | No |
|
||||
|
||||
## Usage
|
||||
|
||||
### Interactive Mode
|
||||
|
|
@ -95,18 +78,49 @@ This will present a menu with the following options:
|
|||
4. Exit
|
||||
|
||||
### Automated Mode
|
||||
Set `AUTO_MODE="true"` in the `.env` file and run the script. This is suitable for cron jobs.
|
||||
Run the script with the `--silent` flag for automated operations:
|
||||
```bash
|
||||
./certman.sh --silent
|
||||
```
|
||||
|
||||
### Force Update
|
||||
Use the `--force` flag to force certificate updates regardless of current status:
|
||||
```bash
|
||||
./certman.sh --force
|
||||
```
|
||||
|
||||
Flags can be combined:
|
||||
```bash
|
||||
./certman.sh --silent --force
|
||||
```
|
||||
|
||||
### Cron Configuration
|
||||
Add these lines to your crontab for automated certificate management:
|
||||
```cron
|
||||
@reboot sleep 15 && /path/to/certman.sh
|
||||
5 4 * * 2 /path/to/certman.sh
|
||||
@reboot sleep 15 && /path/to/certman.sh --silent
|
||||
5 4 * * 2 /path/to/certman.sh --silent
|
||||
```
|
||||
|
||||
## Environment Variables
|
||||
|
||||
| Variable | Description | Required |
|
||||
|----------|-------------|----------|
|
||||
| CERTWARDEN_SERVER | Certwarden API server hostname and port | Yes |
|
||||
| CERT_PATH | Directory for certificate storage | Yes |
|
||||
| KEY_PATH | Directory for private key storage | Yes |
|
||||
| TEMP_PATH | Temporary directory for downloads | Yes |
|
||||
| SERVICE_NAME | Service to reload after certificate updates | Yes |
|
||||
| CERT_OWNER | User owner for certificate files | Yes |
|
||||
| CERT_GROUP | Group owner for certificate files | Yes |
|
||||
| CERT_PERMISSIONS | Certificate file permissions | Yes |
|
||||
| KEY_PERMISSIONS | Private key file permissions | Yes |
|
||||
| CERTIFICATES | JSON array of certificate configurations | Yes |
|
||||
|
||||
## Security Considerations
|
||||
|
||||
- Store the script and `.env` file in a secure location with restricted permissions
|
||||
- Use appropriate permissions for certificate and key files
|
||||
- Keep API keys secure and rotate them periodically
|
||||
- Run the script as a user with appropriate privileges
|
||||
- Temporary files are automatically cleaned up using secure practices
|
||||
- Certificate and key pairs are validated before installation
|
||||
|
|
|
|||
13
certman.sh
13
certman.sh
|
|
@ -11,12 +11,17 @@ else
|
|||
fi
|
||||
|
||||
AUTO_MODE="false"
|
||||
FORCE_UPDATE="false"
|
||||
while [[ $# -gt 0 ]]; do
|
||||
case $1 in
|
||||
--silent)
|
||||
AUTO_MODE="true"
|
||||
shift
|
||||
;;
|
||||
--force)
|
||||
FORCE_UPDATE="true"
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
shift
|
||||
;;
|
||||
|
|
@ -66,14 +71,14 @@ download_and_verify_cert() {
|
|||
echo -e "${BLUE}Processing certificate for $domain${NC}"
|
||||
|
||||
# Download certificate
|
||||
if ! curl -fL -o "$temp_cert" -H "X-API-Key: $cert_api_key" \
|
||||
if ! curl -s -fL -o "$temp_cert" -H "X-API-Key: $cert_api_key" \
|
||||
"https://$CERTWARDEN_SERVER/certwarden/api/v1/download/certificates/$domain"; then
|
||||
echo -e "${RED}Failed to download certificate for $domain${NC}"
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Download private key
|
||||
if ! curl -fL -o "$temp_key" -H "X-API-Key: $key_api_key" \
|
||||
if ! curl -s -fL -o "$temp_key" -H "X-API-Key: $key_api_key" \
|
||||
"https://$CERTWARDEN_SERVER/certwarden/api/v1/download/privatekeys/$domain"; then
|
||||
echo -e "${RED}Failed to download private key for $domain${NC}"
|
||||
return 1
|
||||
|
|
@ -111,7 +116,9 @@ install_certificate() {
|
|||
local needs_reload=0
|
||||
|
||||
# Check if certificate needs updating
|
||||
if [ -f "$final_cert" ]; then
|
||||
if [ "$FORCE_UPDATE" = "true" ]; then
|
||||
needs_reload=1
|
||||
elif [ -f "$final_cert" ]; then
|
||||
if ! cmp -s "$final_cert" "$temp_cert"; then
|
||||
needs_reload=1
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -20,6 +20,3 @@ CERTIFICATES='[
|
|||
"key_api_key": "your_key_api_key"
|
||||
}
|
||||
]'
|
||||
|
||||
# Optional: Auto mode configuration
|
||||
AUTO_MODE="false"
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue