Compare commits
No commits in common. "ab59a58c550dfd0d8a432f6e384151188bb89e2b" and "f16871a0fd96a60f3178378b7d45e52734cac99f" have entirely different histories.
ab59a58c55
...
f16871a0fd
1 changed files with 27 additions and 22 deletions
49
certman.sh
49
certman.sh
|
|
@ -125,17 +125,13 @@ download_and_verify_cert() {
|
|||
fi
|
||||
|
||||
# Validate certificate and key match
|
||||
local cert_fingerprint key_fingerprint
|
||||
local cert_fingerprint
|
||||
cert_fingerprint=$(openssl x509 -in "$temp_cert" -noout -pubkey |
|
||||
openssl pkey -pubin -outform DER |
|
||||
openssl dgst -sha256) || true
|
||||
key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER |
|
||||
openssl dgst -sha256) || true
|
||||
|
||||
if [ -z "$cert_fingerprint" ] || [ -z "$key_fingerprint" ]; then
|
||||
echo -e "${RED}Failed to extract fingerprints for $domain${NC}"
|
||||
return 1
|
||||
fi
|
||||
openssl pkey -pubin -outform DER 2>/dev/null |
|
||||
openssl dgst -sha256)
|
||||
local key_fingerprint
|
||||
key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER 2>/dev/null |
|
||||
openssl dgst -sha256)
|
||||
|
||||
if [ "$cert_fingerprint" != "$key_fingerprint" ]; then
|
||||
echo -e "${RED}Certificate and key do not match for $domain${NC}"
|
||||
|
|
@ -145,13 +141,9 @@ download_and_verify_cert() {
|
|||
if [ "$FULLCHAIN_PEM" = "true" ]; then
|
||||
local pem_fingerprint
|
||||
pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
|
||||
openssl pkey -pubin -outform DER |
|
||||
openssl dgst -sha256) || true
|
||||
if [ -z "$pem_fingerprint" ]; then
|
||||
echo -e "${RED}Failed to extract PEM fingerprint for $domain${NC}"
|
||||
return 1
|
||||
fi
|
||||
if [ "$cert_fingerprint" != "$pem_fingerprint" ]; then
|
||||
openssl pkey -pubin -outform DER 2>/dev/null |
|
||||
openssl dgst -sha256)
|
||||
if [[ "$cert_fingerprint" != "$pem_fingerprint" ]]; then
|
||||
echo -e "${RED}Certificate and PEM file do not match for $domain${NC}"
|
||||
return 1
|
||||
fi
|
||||
|
|
@ -185,20 +177,33 @@ install_certificate() {
|
|||
|
||||
# Install new certificate and key
|
||||
if [ $needs_reload -eq 1 ]; then
|
||||
if ! install -m "$CERT_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_cert" "$final_cert"; then
|
||||
echo -e "${RED}Failed to install certificate for $domain${NC}"
|
||||
if ! cp -f "$temp_cert" "$final_cert" || ! cp -f "$temp_key" "$final_key"; then
|
||||
echo -e "${RED}Failed to install certificate files for $domain${NC}"
|
||||
return 1
|
||||
fi
|
||||
if ! install -m "$KEY_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_key" "$final_key"; then
|
||||
echo -e "${RED}Failed to install private key for $domain${NC}"
|
||||
|
||||
# Set permissions and ownership for cert and key separately
|
||||
if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_cert" || \
|
||||
! chmod "$CERT_PERMISSIONS" "$final_cert"; then
|
||||
echo -e "${RED}Failed to set permissions for $final_cert${NC}"
|
||||
return 1
|
||||
fi
|
||||
if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_key" || \
|
||||
! chmod "$KEY_PERMISSIONS" "$final_key"; then
|
||||
echo -e "${RED}Failed to set permissions for $final_key${NC}"
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [ "$FULLCHAIN_PEM" = "true" ]; then
|
||||
if ! install -m "$KEY_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_pem" "$final_pem"; then
|
||||
if ! cp -f "$temp_pem" "$final_pem"; then
|
||||
echo -e "${RED}Failed to install PEM file for $domain${NC}"
|
||||
return 1
|
||||
fi
|
||||
if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_pem" || \
|
||||
! chmod "$KEY_PERMISSIONS" "$final_pem"; then
|
||||
echo -e "${RED}Failed to set permissions for $final_pem${NC}"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
|
||||
echo -e "${GREEN}Certificate updated for $domain${NC}"
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue