Skyfritt/certman
4
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: Skyfritt:main
Branches Tags
Skyfritt:main
Skyfritt:install
Skyfritt:dev
..
compare: Skyfritt:install
Branches Tags
Skyfritt:main
Skyfritt:install
Skyfritt:dev

1 commit
main ... install

Author SHA1 Message Date
Ruben
44f1cec7ec Use install for certificate file permissions and ownership 
Replace separate cp and chmod/chown operations with single install
commands
for certificate, key, and PEM files to simplify permission handling
 2026-02-20 23:03:09 +01:00
1 changed files with 29 additions and 38 deletions
Show stats Expand all files Collapse all files

67
certman.sh
View file

@ -71,8 +71,13 @@ check_requirements() {
done done
} }
validate_api_key() {
local api_key=$1
[[ $api_key =~ ^[A-Za-z0-9_-]{32,}$ ]]
}
setup_directories() { setup_directories() {
local dirs=("$CERT_PATH" "$KEY_PATH") local dirs=("$CERT_PATH" "$KEY_PATH" "$TEMP_PATH")
for dir in "${dirs[@]}"; do for dir in "${dirs[@]}"; do
if ! mkdir -p "$dir"; then if ! mkdir -p "$dir"; then
echo -e "${RED}Error: Failed to create directory: $dir${NC}" echo -e "${RED}Error: Failed to create directory: $dir${NC}"
@ -106,55 +111,39 @@ download_and_verify_cert() {
fi fi
# Download fullchain PEM file # Download fullchain PEM file
if [ "$FULLCHAIN_PEM" = "true" ]; then
if ! curl -s -fL -o "$temp_pem" -H "X-API-Key: $cert_api_key.$key_api_key" \ if ! curl -s -fL -o "$temp_pem" -H "X-API-Key: $cert_api_key.$key_api_key" \
"https://$CERTWARDEN_SERVER/certwarden/api/v1/download/privatecertchains/$domain"; then "https://$CERTWARDEN_SERVER/certwarden/api/v1/download/privatecertchains/$domain"; then
echo -e "${RED}Failed to download fullchain PEM file for $domain${NC}" echo -e "${RED}Failed to download fullchain PEM file for $domain${NC}"
return 1 return 1
fi fi
fi
# Verify files are not empty # Verify files are not empty
if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ]; then if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ] || [ ! -s "$temp_pem" ]; then
echo -e "${RED}Downloaded files are empty for $domain${NC}" echo -e "${RED}Downloaded files are empty for $domain${NC}"
return 1 return 1
fi fi
if [ "$FULLCHAIN_PEM" = "true" ] && [ ! -s "$temp_pem" ]; then
echo -e "${RED}Downloaded PEM file is empty for $domain${NC}"
return 1
fi
# Validate certificate and key match # Validate certificate and key match
local cert_fingerprint key_fingerprint local cert_fingerprint
cert_fingerprint=$(openssl x509 -in "$temp_cert" -noout -pubkey | cert_fingerprint=$(openssl x509 -in "$temp_cert" -noout -pubkey |
openssl pkey -pubin -outform DER | openssl pkey -pubin -outform DER 2>/dev/null |
openssl dgst -sha256) || true openssl dgst -sha256)
key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER | local key_fingerprint
openssl dgst -sha256) || true key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER 2>/dev/null |
openssl dgst -sha256)
if [ -z "$cert_fingerprint" ] || [ -z "$key_fingerprint" ]; then local pem_fingerprint
echo -e "${RED}Failed to extract fingerprints for $domain${NC}" pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
return 1 openssl pkey -pubin -outform DER 2>/dev/null |
fi openssl dgst -sha256)
if [ "$cert_fingerprint" != "$key_fingerprint" ]; then if [ "$cert_fingerprint" != "$key_fingerprint" ]; then
echo -e "${RED}Certificate and key do not match for $domain${NC}" echo -e "${RED}Certificate and key do not match for $domain${NC}"
return 1 return 1
fi fi
if [ "$FULLCHAIN_PEM" = "true" ]; then if [[ "$cert_fingerprint" != "$pem_fingerprint" ]]; then
local pem_fingerprint echo -e "${RED}Certificate and PEM file do not match for $domain${NC}"
pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey | return 1
openssl pkey -pubin -outform DER |
openssl dgst -sha256) || true
if [ -z "$pem_fingerprint" ]; then
echo -e "${RED}Failed to extract PEM fingerprint for $domain${NC}"
return 1
fi
if [ "$cert_fingerprint" != "$pem_fingerprint" ]; then
echo -e "${RED}Certificate and PEM file do not match for $domain${NC}"
return 1
fi
fi fi
return 0 return 0
@ -173,13 +162,15 @@ install_certificate() {
# Check if certificate needs updating # Check if certificate needs updating
if [ "$FORCE_UPDATE" = "true" ]; then if [ "$FORCE_UPDATE" = "true" ]; then
needs_reload=1 needs_reload=1
elif [ ! -f "$final_cert" ] || [ ! -f "$final_key" ]; then elif [ "$FULLCHAIN_PEM" = "true" ] && [ -f "$final_pem" ]; then
needs_reload=1 if ! cmp -s "$final_pem" "$temp_pem"; then
elif ! cmp -s "$final_cert" "$temp_cert" || ! cmp -s "$final_key" "$temp_key"; then needs_reload=1
needs_reload=1 fi
elif [ "$FULLCHAIN_PEM" = "true" ] && [ -f "$final_pem" ] && ! cmp -s "$final_pem" "$temp_pem"; then elif [ -f "$final_cert" ]; then
needs_reload=1 if ! cmp -s "$final_cert" "$temp_cert"; then
elif [ "$FULLCHAIN_PEM" = "true" ] && [ ! -f "$final_pem" ]; then needs_reload=1
fi
else
needs_reload=1 needs_reload=1
fi fi