Skyfritt/certman
4
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: Skyfritt:f16871a0fd96a60f3178378b7d45e52734cac99f
Branches Tags
Skyfritt:main
Skyfritt:install
Skyfritt:dev
..
compare: Skyfritt:ab59a58c550dfd0d8a432f6e384151188bb89e2b
Branches Tags
Skyfritt:main
Skyfritt:install
Skyfritt:dev

2 commits
f16871a0fd ... ab59a58c55

Author SHA1 Message Date
Ruben
ab59a58c55 Use install for certificate and key file installation 
Replace separate cp and chmod operations with single install commands
for certificate, key, and PEM file installation to ensure proper
permissions and ownership are set in one operation
 2026-02-20 23:07:44 +01:00
Ruben
8d3291e01d Add error handling for fingerprint extraction failures 
Improve certificate and key fingerprint comparison logic

Add validation for PEM file fingerprint extraction
 2026-02-20 23:04:09 +01:00
1 changed files with 22 additions and 27 deletions
Show stats Expand all files Collapse all files

49
certman.sh
View file

@ -125,13 +125,17 @@ download_and_verify_cert() {
fi
# Validate certificate and key match
local cert_fingerprint
local cert_fingerprint key_fingerprint
cert_fingerprint=$(openssl x509 -in "$temp_cert" -noout -pubkey |
openssl pkey -pubin -outform DER 2>/dev/null |
openssl dgst -sha256)
local key_fingerprint
key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER 2>/dev/null |
openssl dgst -sha256)
openssl pkey -pubin -outform DER |
openssl dgst -sha256) || true
key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER |
openssl dgst -sha256) || true
if [ -z "$cert_fingerprint" ] || [ -z "$key_fingerprint" ]; then
echo -e "${RED}Failed to extract fingerprints for $domain${NC}"
return 1
fi
if [ "$cert_fingerprint" != "$key_fingerprint" ]; then
echo -e "${RED}Certificate and key do not match for $domain${NC}"
@ -141,9 +145,13 @@ download_and_verify_cert() {
if [ "$FULLCHAIN_PEM" = "true" ]; then
local pem_fingerprint
pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
openssl pkey -pubin -outform DER 2>/dev/null |
openssl dgst -sha256)
if [[ "$cert_fingerprint" != "$pem_fingerprint" ]]; then
openssl pkey -pubin -outform DER |
openssl dgst -sha256) || true
if [ -z "$pem_fingerprint" ]; then
echo -e "${RED}Failed to extract PEM fingerprint for $domain${NC}"
return 1
fi
if [ "$cert_fingerprint" != "$pem_fingerprint" ]; then
echo -e "${RED}Certificate and PEM file do not match for $domain${NC}"
return 1
fi
@ -177,33 +185,20 @@ install_certificate() {
# Install new certificate and key
if [ $needs_reload -eq 1 ]; then
if ! cp -f "$temp_cert" "$final_cert" || ! cp -f "$temp_key" "$final_key"; then
echo -e "${RED}Failed to install certificate files for $domain${NC}"
if ! install -m "$CERT_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_cert" "$final_cert"; then
echo -e "${RED}Failed to install certificate for $domain${NC}"
return 1
fi
# Set permissions and ownership for cert and key separately
if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_cert" || \
! chmod "$CERT_PERMISSIONS" "$final_cert"; then
echo -e "${RED}Failed to set permissions for $final_cert${NC}"
return 1
fi
if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_key" || \
! chmod "$KEY_PERMISSIONS" "$final_key"; then
echo -e "${RED}Failed to set permissions for $final_key${NC}"
if ! install -m "$KEY_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_key" "$final_key"; then
echo -e "${RED}Failed to install private key for $domain${NC}"
return 1
fi
if [ "$FULLCHAIN_PEM" = "true" ]; then
if ! cp -f "$temp_pem" "$final_pem"; then
if ! install -m "$KEY_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_pem" "$final_pem"; then
echo -e "${RED}Failed to install PEM file for $domain${NC}"
return 1
fi
if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_pem" || \
! chmod "$KEY_PERMISSIONS" "$final_pem"; then
echo -e "${RED}Failed to set permissions for $final_pem${NC}"
return 1
fi
fi
echo -e "${GREEN}Certificate updated for $domain${NC}"