

3 commits

Author SHA1 Message Date
Ruben
ab59a58c55 Use install for certificate and key file installation
Replace separate cp and chmod operations with single install commands
for certificate, key, and PEM file installation to ensure proper
permissions and ownership are set in one operation
2026-02-20 23:07:44 +01:00
Ruben
8d3291e01d Add error handling for fingerprint extraction failures
Improve certificate and key fingerprint comparison logic

Add validation for PEM file fingerprint extraction
2026-02-20 23:04:09 +01:00
Ruben
f16871a0fd Remove unused API key validation function
Remove temp path directory creation

Make fullchain PEM handling conditional

Improve certificate update detection logic
2026-02-20 23:02:45 +01:00


@ -71,13 +71,8 @@ check_requirements() {
done done
} }
validate_api_key() {
local api_key=$1
[[ $api_key =~ ^[A-Za-z0-9_-]{32,}$ ]]
}
setup_directories() { setup_directories() {
local dirs=("$CERT_PATH" "$KEY_PATH" "$TEMP_PATH") local dirs=("$CERT_PATH" "$KEY_PATH")
for dir in "${dirs[@]}"; do for dir in "${dirs[@]}"; do
if ! mkdir -p "$dir"; then if ! mkdir -p "$dir"; then
echo -e "${RED}Error: Failed to create directory: $dir${NC}" echo -e "${RED}Error: Failed to create directory: $dir${NC}"
@ -111,39 +106,55 @@ download_and_verify_cert() {
fi fi
# Download fullchain PEM file # Download fullchain PEM file
if [ "$FULLCHAIN_PEM" = "true" ]; then
if ! curl -s -fL -o "$temp_pem" -H "X-API-Key: $cert_api_key.$key_api_key" \ if ! curl -s -fL -o "$temp_pem" -H "X-API-Key: $cert_api_key.$key_api_key" \
"https://$CERTWARDEN_SERVER/certwarden/api/v1/download/privatecertchains/$domain"; then "https://$CERTWARDEN_SERVER/certwarden/api/v1/download/privatecertchains/$domain"; then
echo -e "${RED}Failed to download fullchain PEM file for $domain${NC}" echo -e "${RED}Failed to download fullchain PEM file for $domain${NC}"
return 1 return 1
fi fi
fi
# Verify files are not empty # Verify files are not empty
if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ] || [ ! -s "$temp_pem" ]; then if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ]; then
echo -e "${RED}Downloaded files are empty for $domain${NC}" echo -e "${RED}Downloaded files are empty for $domain${NC}"
return 1 return 1
fi fi
if [ "$FULLCHAIN_PEM" = "true" ] && [ ! -s "$temp_pem" ]; then
echo -e "${RED}Downloaded PEM file is empty for $domain${NC}"
return 1
fi
# Validate certificate and key match # Validate certificate and key match
local cert_fingerprint local cert_fingerprint key_fingerprint
cert_fingerprint=$(openssl x509 -in "$temp_cert" -noout -pubkey | cert_fingerprint=$(openssl x509 -in "$temp_cert" -noout -pubkey |
openssl pkey -pubin -outform DER 2>/dev/null | openssl pkey -pubin -outform DER |
openssl dgst -sha256) openssl dgst -sha256) || true
local key_fingerprint key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER |
key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256) || true
openssl dgst -sha256)
local pem_fingerprint if [ -z "$cert_fingerprint" ] || [ -z "$key_fingerprint" ]; then
pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey | echo -e "${RED}Failed to extract fingerprints for $domain${NC}"
openssl pkey -pubin -outform DER 2>/dev/null | return 1
openssl dgst -sha256) fi
if [ "$cert_fingerprint" != "$key_fingerprint" ]; then if [ "$cert_fingerprint" != "$key_fingerprint" ]; then
echo -e "${RED}Certificate and key do not match for $domain${NC}" echo -e "${RED}Certificate and key do not match for $domain${NC}"
return 1 return 1
fi fi
if [[ "$cert_fingerprint" != "$pem_fingerprint" ]]; then if [ "$FULLCHAIN_PEM" = "true" ]; then
echo -e "${RED}Certificate and PEM file do not match for $domain${NC}" local pem_fingerprint
return 1 pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha256) || true
if [ -z "$pem_fingerprint" ]; then
echo -e "${RED}Failed to extract PEM fingerprint for $domain${NC}"
return 1
fi
if [ "$cert_fingerprint" != "$pem_fingerprint" ]; then
echo -e "${RED}Certificate and PEM file do not match for $domain${NC}"
return 1
fi
fi fi
return 0 return 0
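Review bot: The new empty-fingerprint checks at `if [ -z "$cert_fingerprint" ] || [ -z "$key_fingerprint" ]` and `if [ -z "$pem_fingerprint" ]` cannot fire in practice, because `openssl dgst -sha256` at the end of each pipeline still prints a digest when an earlier `openssl x509`/`openssl pkey` stage fails and hands it empty input, and the `|| true` appended to each substitution discards the only remaining failure signal. Worse, if both the certificate and the key extractions fail, both variables hold the same digest of empty input, so the cert/key comparison passes on unusable files. Testing the pipeline's status instead of its output fixes this, e.g. `if ! cert_fingerprint=$(set -o pipefail; openssl x509 -in "$temp_cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256); then` followed by the existing error message and `return 1`; `set -o pipefail` inside the substitution makes the upstream failure visible regardless of the script's global `set` options, which are not visible here. The same change applies to the key and PEM pipelines; download_and_verify_cert starts before this hunk.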
@ -162,47 +173,32 @@ install_certificate() {
# Check if certificate needs updating # Check if certificate needs updating
if [ "$FORCE_UPDATE" = "true" ]; then if [ "$FORCE_UPDATE" = "true" ]; then
needs_reload=1 needs_reload=1
elif [ "$FULLCHAIN_PEM" = "true" ] && [ -f "$final_pem" ]; then elif [ ! -f "$final_cert" ] || [ ! -f "$final_key" ]; then
if ! cmp -s "$final_pem" "$temp_pem"; then needs_reload=1
needs_reload=1 elif ! cmp -s "$final_cert" "$temp_cert" || ! cmp -s "$final_key" "$temp_key"; then
fi needs_reload=1
elif [ -f "$final_cert" ]; then elif [ "$FULLCHAIN_PEM" = "true" ] && [ -f "$final_pem" ] && ! cmp -s "$final_pem" "$temp_pem"; then
if ! cmp -s "$final_cert" "$temp_cert"; then needs_reload=1
needs_reload=1 elif [ "$FULLCHAIN_PEM" = "true" ] && [ ! -f "$final_pem" ]; then
fi
else
needs_reload=1 needs_reload=1
fi fi
# Install new certificate and key # Install new certificate and key
if [ $needs_reload -eq 1 ]; then if [ $needs_reload -eq 1 ]; then
if ! cp -f "$temp_cert" "$final_cert" || ! cp -f "$temp_key" "$final_key"; then if ! install -m "$CERT_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_cert" "$final_cert"; then
echo -e "${RED}Failed to install certificate files for $domain${NC}" echo -e "${RED}Failed to install certificate for $domain${NC}"
return 1 return 1
fi fi
if ! install -m "$KEY_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_key" "$final_key"; then
# Set permissions and ownership for cert and key separately echo -e "${RED}Failed to install private key for $domain${NC}"
if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_cert" || \
! chmod "$CERT_PERMISSIONS" "$final_cert"; then
echo -e "${RED}Failed to set permissions for $final_cert${NC}"
return 1
fi
if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_key" || \
! chmod "$KEY_PERMISSIONS" "$final_key"; then
echo -e "${RED}Failed to set permissions for $final_key${NC}"
return 1 return 1
fi fi
if [ "$FULLCHAIN_PEM" = "true" ]; then if [ "$FULLCHAIN_PEM" = "true" ]; then
if ! cp -f "$temp_pem" "$final_pem"; then if ! install -m "$KEY_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_pem" "$final_pem"; then
echo -e "${RED}Failed to install PEM file for $domain${NC}" echo -e "${RED}Failed to install PEM file for $domain${NC}"
return 1 return 1
fi fi
if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_pem" || \
! chmod "$KEY_PERMISSIONS" "$final_pem"; then
echo -e "${RED}Failed to set permissions for $final_pem${NC}"
return 1
fi
fi fi
echo -e "${GREEN}Certificate updated for $domain${NC}" echo -e "${GREEN}Certificate updated for $domain${NC}"