Ruben
44f1cec7ec Use install for certificate file permissions and ownership
Replace separate cp and chmod/chown operations with single install
commands
for certificate, key, and PEM files to simplify permission handling
2026-02-20 23:03:09 +01:00


@ -71,8 +71,13 @@ check_requirements() {
done
}
validate_api_key() {
local api_key=$1
[[ $api_key =~ ^[A-Za-z0-9_-]{32,}$ ]]
}
setup_directories() {
local dirs=("$CERT_PATH" "$KEY_PATH")
local dirs=("$CERT_PATH" "$KEY_PATH" "$TEMP_PATH")
for dir in "${dirs[@]}"; do
if ! mkdir -p "$dir"; then
echo -e "${RED}Error: Failed to create directory: $dir${NC}"
@ -106,56 +111,40 @@ download_and_verify_cert() {
fi
# Download fullchain PEM file
if [ "$FULLCHAIN_PEM" = "true" ]; then
if ! curl -s -fL -o "$temp_pem" -H "X-API-Key: $cert_api_key.$key_api_key" \
"https://$CERTWARDEN_SERVER/certwarden/api/v1/download/privatecertchains/$domain"; then
echo -e "${RED}Failed to download fullchain PEM file for $domain${NC}"
return 1
fi
fi
# Verify files are not empty
if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ]; then
if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ] || [ ! -s "$temp_pem" ]; then
echo -e "${RED}Downloaded files are empty for $domain${NC}"
return 1
fi
if [ "$FULLCHAIN_PEM" = "true" ] && [ ! -s "$temp_pem" ]; then
echo -e "${RED}Downloaded PEM file is empty for $domain${NC}"
return 1
fi
# Validate certificate and key match
local cert_fingerprint key_fingerprint
local cert_fingerprint
cert_fingerprint=$(openssl x509 -in "$temp_cert" -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha256) || true
key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER |
openssl dgst -sha256) || true
if [ -z "$cert_fingerprint" ] || [ -z "$key_fingerprint" ]; then
echo -e "${RED}Failed to extract fingerprints for $domain${NC}"
return 1
fi
openssl pkey -pubin -outform DER 2>/dev/null |
openssl dgst -sha256)
local key_fingerprint
key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER 2>/dev/null |
openssl dgst -sha256)
local pem_fingerprint
pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
openssl pkey -pubin -outform DER 2>/dev/null |
openssl dgst -sha256)
if [ "$cert_fingerprint" != "$key_fingerprint" ]; then
echo -e "${RED}Certificate and key do not match for $domain${NC}"
return 1
fi
if [ "$FULLCHAIN_PEM" = "true" ]; then
local pem_fingerprint
pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha256) || true
if [ -z "$pem_fingerprint" ]; then
echo -e "${RED}Failed to extract PEM fingerprint for $domain${NC}"
return 1
fi
if [ "$cert_fingerprint" != "$pem_fingerprint" ]; then
if [[ "$cert_fingerprint" != "$pem_fingerprint" ]]; then
echo -e "${RED}Certificate and PEM file do not match for $domain${NC}"
return 1
fi
fi
return 0
}
@ -173,13 +162,15 @@ install_certificate() {
# Check if certificate needs updating
if [ "$FORCE_UPDATE" = "true" ]; then
needs_reload=1
elif [ ! -f "$final_cert" ] || [ ! -f "$final_key" ]; then
elif [ "$FULLCHAIN_PEM" = "true" ] && [ -f "$final_pem" ]; then
if ! cmp -s "$final_pem" "$temp_pem"; then
needs_reload=1
elif ! cmp -s "$final_cert" "$temp_cert" || ! cmp -s "$final_key" "$temp_key"; then
fi
elif [ -f "$final_cert" ]; then
if ! cmp -s "$final_cert" "$temp_cert"; then
needs_reload=1
elif [ "$FULLCHAIN_PEM" = "true" ] && [ -f "$final_pem" ] && ! cmp -s "$final_pem" "$temp_pem"; then
needs_reload=1
elif [ "$FULLCHAIN_PEM" = "true" ] && [ ! -f "$final_pem" ]; then
fi
else
needs_reload=1
fi
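Review bot: In download_and_verify_cert the rewritten emptiness check `if [ ! -s "$temp_cert" ] || [ ! -s "$temp_key" ] || [ ! -s "$temp_pem" ]; then` requires the PEM unconditionally while the download a few lines above it is still guarded by `if [ "$FULLCHAIN_PEM" = "true" ]`, so unless `$temp_pem` is populated somewhere outside the hunk, a run without FULLCHAIN_PEM now fails with "Downloaded files are empty", and the now-unconditional `pem_fingerprint` pipeline reads a file that was never fetched; keep the PEM condition, e.g. `... || { [ "$FULLCHAIN_PEM" = "true" ] && [ ! -s "$temp_pem" ]; }; then`. The three fingerprint pipelines also lost their status handling: with `2>/dev/null` on the `openssl pkey` stage a failing stage silently feeds an empty stream to `openssl dgst`, which prints the fixed digest of empty input rather than nothing, so two failing pipelines produce equal fingerprints and the cert/key match check passes instead of failing closed. Check each pipeline's status (with `pipefail` in effect, `cert_fingerprint=$(...) || return 1`, or restore a guard on an empty or failed fingerprint) before comparing. Minor style point: the new `if [[ "$cert_fingerprint" != "$pem_fingerprint" ]]` sits next to the unchanged `if [ "$cert_fingerprint" != "$key_fingerprint" ]`; pick one test form. In install_certificate the new branches compare only `$final_pem` or `$final_cert` against the temp files and drop the old `cmp -s "$final_key" "$temp_key"`, so a rotated key with an unchanged certificate no longer sets `needs_reload`; both functions continue outside the hunks.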