Use install for certificate and key file installation

Replace separate cp and chmod operations with single install commands for certificate, key, and PEM file installation to ensure proper permissions and ownership are set in one operation
Add error handling for fingerprint extraction failures
2026-02-20 23:07:44 +01:00 · 2026-02-20 23:04:09 +01:00 · 2026-02-20 23:02:45 +01:00
1 changed files with 38 additions and 29 deletions
--- a/certman.sh
+++ b/certman.sh
@ -71,13 +71,8 @@ check_requirements() {
    done
 }

-validate_api_key() {
-    local api_key=$1
-    [[ $api_key =~ ^[A-Za-z0-9_-]{32,}$ ]]
-}
-
 setup_directories() {
-    local dirs=("$CERT_PATH" "$KEY_PATH" "$TEMP_PATH")
+    local dirs=("$CERT_PATH" "$KEY_PATH")
    for dir in "${dirs[@]}"; do
        if ! mkdir -p "$dir"; then
            echo -e "${RED}Error: Failed to create directory: $dir${NC}"
@ -111,40 +106,56 @@ download_and_verify_cert() {
    fi

    # Download fullchain PEM file
+    if [ "$FULLCHAIN_PEM" = "true" ]; then
        if ! curl -s -fL -o "$temp_pem" -H "X-API-Key: $cert_api_key.$key_api_key" \
            "https://$CERTWARDEN_SERVER/certwarden/api/v1/download/privatecertchains/$domain"; then
            echo -e "${RED}Failed to download fullchain PEM file for $domain${NC}"
            return 1
        fi
+    fi

    # Verify files are not empty
-    if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ] || [ ! -s "$temp_pem" ]; then
+    if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ]; then
        echo -e "${RED}Downloaded files are empty for $domain${NC}"
        return 1
    fi
+    if [ "$FULLCHAIN_PEM" = "true" ] && [ ! -s "$temp_pem" ]; then
+        echo -e "${RED}Downloaded PEM file is empty for $domain${NC}"
+        return 1
+    fi

    # Validate certificate and key match
-    local cert_fingerprint
+    local cert_fingerprint key_fingerprint
    cert_fingerprint=$(openssl x509 -in "$temp_cert" -noout -pubkey |
-        openssl pkey -pubin -outform DER 2>/dev/null |
-        openssl dgst -sha256)
-    local key_fingerprint
-    key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER 2>/dev/null |
-        openssl dgst -sha256)
-    local pem_fingerprint
-    pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
-        openssl pkey -pubin -outform DER 2>/dev/null |
-        openssl dgst -sha256)
+        openssl pkey -pubin -outform DER |
+        openssl dgst -sha256) || true
+    key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER |
+        openssl dgst -sha256) || true
+
+    if [ -z "$cert_fingerprint" ] || [ -z "$key_fingerprint" ]; then
+        echo -e "${RED}Failed to extract fingerprints for $domain${NC}"
+        return 1
+    fi

    if [ "$cert_fingerprint" != "$key_fingerprint" ]; then
        echo -e "${RED}Certificate and key do not match for $domain${NC}"
        return 1
    fi

-    if [[ "$cert_fingerprint" != "$pem_fingerprint" ]]; then
+    if [ "$FULLCHAIN_PEM" = "true" ]; then
+        local pem_fingerprint
+        pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
+            openssl pkey -pubin -outform DER |
+            openssl dgst -sha256) || true
+        if [ -z "$pem_fingerprint" ]; then
+            echo -e "${RED}Failed to extract PEM fingerprint for $domain${NC}"
+            return 1
+        fi
+        if [ "$cert_fingerprint" != "$pem_fingerprint" ]; then
            echo -e "${RED}Certificate and PEM file do not match for $domain${NC}"
            return 1
        fi
+    fi

    return 0
 }
@ -162,15 +173,13 @@ install_certificate() {
    # Check if certificate needs updating
    if [ "$FORCE_UPDATE" = "true" ]; then
        needs_reload=1
-    elif [ "$FULLCHAIN_PEM" = "true" ] && [ -f "$final_pem" ]; then
-        if ! cmp -s "$final_pem" "$temp_pem"; then
+    elif [ ! -f "$final_cert" ] || [ ! -f "$final_key" ]; then
        needs_reload=1
-        fi
-    elif [ -f "$final_cert" ]; then
-        if ! cmp -s "$final_cert" "$temp_cert"; then
+    elif ! cmp -s "$final_cert" "$temp_cert" || ! cmp -s "$final_key" "$temp_key"; then
        needs_reload=1
-        fi
-    else
+    elif [ "$FULLCHAIN_PEM" = "true" ] && [ -f "$final_pem" ] && ! cmp -s "$final_pem" "$temp_pem"; then
+        needs_reload=1
+    elif [ "$FULLCHAIN_PEM" = "true" ] && [ ! -f "$final_pem" ]; then
        needs_reload=1
    fi