Use install for certificate and key file installation

Replace separate cp and chmod operations with single install commands
for certificate, key, and PEM file installation to ensure proper
permissions and ownership are set in one operation

certman.sh

@@ -71,13 +71,8 @@ check_requirements() {
     done
 }
 
-validate_api_key() {
-    local api_key=$1
-    [[ $api_key =~ ^[A-Za-z0-9_-]{32,}$ ]]
-}
-
 setup_directories() {
-    local dirs=("$CERT_PATH" "$KEY_PATH" "$TEMP_PATH")
+    local dirs=("$CERT_PATH" "$KEY_PATH")
     for dir in "${dirs[@]}"; do
         if ! mkdir -p "$dir"; then
             echo -e "${RED}Error: Failed to create directory: $dir${NC}"
@@ -111,40 +106,56 @@ download_and_verify_cert() {
     fi
 
     # Download fullchain PEM file
+    if [ "$FULLCHAIN_PEM" = "true" ]; then
         if ! curl -s -fL -o "$temp_pem" -H "X-API-Key: $cert_api_key.$key_api_key" \
             "https://$CERTWARDEN_SERVER/certwarden/api/v1/download/privatecertchains/$domain"; then
             echo -e "${RED}Failed to download fullchain PEM file for $domain${NC}"
             return 1
         fi
+    fi
 
     # Verify files are not empty
-    if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ] || [ ! -s "$temp_pem" ]; then
+    if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ]; then
         echo -e "${RED}Downloaded files are empty for $domain${NC}"
         return 1
     fi
+    if [ "$FULLCHAIN_PEM" = "true" ] && [ ! -s "$temp_pem" ]; then
+        echo -e "${RED}Downloaded PEM file is empty for $domain${NC}"
+        return 1
+    fi
 
     # Validate certificate and key match
-    local cert_fingerprint
+    local cert_fingerprint key_fingerprint
     cert_fingerprint=$(openssl x509 -in "$temp_cert" -noout -pubkey |
-        openssl pkey -pubin -outform DER 2>/dev/null |
+        openssl pkey -pubin -outform DER |
-        openssl dgst -sha256)
+        openssl dgst -sha256) || true
-    local key_fingerprint
+    key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER |
-    key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER 2>/dev/null |
+        openssl dgst -sha256) || true
-        openssl dgst -sha256)
+
-    local pem_fingerprint
+    if [ -z "$cert_fingerprint" ] || [ -z "$key_fingerprint" ]; then
-    pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
+        echo -e "${RED}Failed to extract fingerprints for $domain${NC}"
-        openssl pkey -pubin -outform DER 2>/dev/null |
+        return 1
-        openssl dgst -sha256)
+    fi
 
     if [ "$cert_fingerprint" != "$key_fingerprint" ]; then
         echo -e "${RED}Certificate and key do not match for $domain${NC}"
         return 1
     fi
 
-    if [[ "$cert_fingerprint" != "$pem_fingerprint" ]]; then
+    if [ "$FULLCHAIN_PEM" = "true" ]; then
+        local pem_fingerprint
+        pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
+            openssl pkey -pubin -outform DER |
+            openssl dgst -sha256) || true
+        if [ -z "$pem_fingerprint" ]; then
+            echo -e "${RED}Failed to extract PEM fingerprint for $domain${NC}"
+            return 1
+        fi
+        if [ "$cert_fingerprint" != "$pem_fingerprint" ]; then
             echo -e "${RED}Certificate and PEM file do not match for $domain${NC}"
             return 1
         fi
+    fi
 
     return 0
 }
@@ -162,47 +173,32 @@ install_certificate() {
     # Check if certificate needs updating
     if [ "$FORCE_UPDATE" = "true" ]; then
         needs_reload=1
-    elif [ "$FULLCHAIN_PEM" = "true" ] && [ -f "$final_pem" ]; then
+    elif [ ! -f "$final_cert" ] || [ ! -f "$final_key" ]; then
-        if ! cmp -s "$final_pem" "$temp_pem"; then
         needs_reload=1
-        fi
+    elif ! cmp -s "$final_cert" "$temp_cert" || ! cmp -s "$final_key" "$temp_key"; then
-    elif [ -f "$final_cert" ]; then
-        if ! cmp -s "$final_cert" "$temp_cert"; then
         needs_reload=1
-        fi
+    elif [ "$FULLCHAIN_PEM" = "true" ] && [ -f "$final_pem" ] && ! cmp -s "$final_pem" "$temp_pem"; then
-    else
+        needs_reload=1
+    elif [ "$FULLCHAIN_PEM" = "true" ] && [ ! -f "$final_pem" ]; then
         needs_reload=1
     fi
 
     # Install new certificate and key
     if [ $needs_reload -eq 1 ]; then
-        if ! cp -f "$temp_cert" "$final_cert" || ! cp -f "$temp_key" "$final_key"; then
+        if ! install -m "$CERT_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_cert" "$final_cert"; then
-            echo -e "${RED}Failed to install certificate files for $domain${NC}"
+            echo -e "${RED}Failed to install certificate for $domain${NC}"
             return 1
         fi
-
+        if ! install -m "$KEY_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_key" "$final_key"; then
-        # Set permissions and ownership for cert and key separately
+            echo -e "${RED}Failed to install private key for $domain${NC}"
-        if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_cert" || \
-           ! chmod "$CERT_PERMISSIONS" "$final_cert"; then
-            echo -e "${RED}Failed to set permissions for $final_cert${NC}"
-            return 1
-        fi
-        if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_key" || \
-           ! chmod "$KEY_PERMISSIONS" "$final_key"; then
-            echo -e "${RED}Failed to set permissions for $final_key${NC}"
             return 1
         fi
 
         if [ "$FULLCHAIN_PEM" = "true" ]; then
-            if ! cp -f "$temp_pem" "$final_pem"; then
+            if ! install -m "$KEY_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_pem" "$final_pem"; then
                 echo -e "${RED}Failed to install PEM file for $domain${NC}"
                 return 1
             fi
-            if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_pem" || \
-               ! chmod "$KEY_PERMISSIONS" "$final_pem"; then
-                echo -e "${RED}Failed to set permissions for $final_pem${NC}"
-                return 1
-            fi
         fi
 
         echo -e "${GREEN}Certificate updated for $domain${NC}"