# Certwarden Certificate Management

A bash script for managing SSL/TLS certificates through the Certwarden API. This tool provides both an automated and an interactive interface for downloading, installing, and managing certificates on your system.

## Features

- Download and verify certificates and private keys from a Certwarden server
- Automatic installation with the configured ownership and permissions
- Certificate and key pair validation (the key must match the certificate before anything is installed)
- Service reload after certificate updates
- Certificate expiration monitoring
- Interactive menu-driven interface
- Automated mode through environment configuration
- Error handling and logging
- Support for multiple certificates

## Prerequisites

The script requires the following dependencies:

- `curl`: for API interactions
- `jq`: for JSON processing
- `openssl`: for certificate operations

## Installation

1. Clone this repository:

```bash
git clone
cd certman
```

2. Make the script executable:

```bash
chmod +x certman.sh
```

3. Create a `.env` file with your configuration:

```bash
# Server Configuration
CERTWARDEN_SERVER="certwarden.dmz.skyfritt.net:443"

# Certificate Paths
CERT_PATH="/etc/forgejo"
KEY_PATH="/etc/forgejo"
TEMP_PATH="/tmp/certman"

# Service Configuration
SERVICE_NAME="forgejo"
CERT_OWNER="git"
CERT_GROUP="git"
CERT_PERMISSIONS="644"
KEY_PERMISSIONS="600"

# Certificate Configurations (JSON format)
CERTIFICATES='[
  {
    "domain": "example.com",
    "cert_api_key": "your_cert_api_key",
    "key_api_key": "your_key_api_key"
  }
]'

# Optional: Auto mode configuration
AUTO_MODE="false"
```

### Environment Variables Explained

| Variable | Description | Required |
|----------|-------------|----------|
| CERTWARDEN_SERVER | Certwarden API server hostname and port | Yes |
| CERT_PATH | Directory for certificate storage | Yes |
| KEY_PATH | Directory for private key storage | Yes |
| TEMP_PATH | Temporary directory for downloads | Yes |
| SERVICE_NAME | Service to reload after certificate updates | Yes |
| CERT_OWNER | User owner for certificate and key files | Yes |
| CERT_GROUP | Group owner for certificate and key files | Yes |
| CERT_PERMISSIONS | Certificate file permissions (octal) | Yes |
| KEY_PERMISSIONS | Private key file permissions (octal) | Yes |
| CERTIFICATES | JSON array of certificate configurations, one object per certificate with `domain`, `cert_api_key` and `key_api_key` | Yes |
| AUTO_MODE | Enable automated (non-interactive) operation | No |

## Usage

### Interactive Mode

Run the script without any arguments:

```bash
./certman.sh
```

This presents a menu with the following options:

1. Process all certificates
2. List installed certificates
3. Check certificate expiration
4. Exit

### Automated Mode

Set `AUTO_MODE="true"` in the `.env` file and run the script. In this mode it processes all configured certificates without prompting, which makes it suitable for cron jobs.

### Cron Configuration

Add these lines to your crontab for automated certificate management (the first run happens 15 seconds after boot, the second every Tuesday at 04:05):

```cron
@reboot sleep 15 && /path/to/certman.sh
5 4 * * 2 /path/to/certman.sh
```

## Security Considerations

- Store the script and the `.env` file in a location with restricted permissions. The `.env` file contains the API keys, so it should be readable only by the user that runs the script (for example mode `600`).
- Use appropriate permissions for certificate and key files: keep `KEY_PERMISSIONS` at `600` so only `CERT_OWNER` can read the private key; certificates are public and can stay at `644`.
- `TEMP_PATH` defaults to a directory under `/tmp`, which is shared with every local user. Create it with restrictive permissions (mode `700`) before the first run so other users cannot read downloaded keys or pre-create the path.
- Keep API keys secure and rotate them periodically; revoke a key in Certwarden immediately if the `.env` file may have been exposed.
- Run the script as a user with the privileges it actually needs: it must be able to write to `CERT_PATH` and `KEY_PATH`, change ownership to `CERT_OWNER`/`CERT_GROUP`, and reload `SERVICE_NAME`, but nothing beyond that.
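The README lists key-pair validation, expiration checking and installation with fixed ownership and permissions as features of the script, but does not show how those checks are done. The following is an added example written for this page; it is not `certman.sh` and not Certwarden's own code. It assumes only `openssl` and the standard POSIX file tools, and takes the certificate and key as local files (the download step is left out). The functions `cert_key_match`, `cert_valid_for`, `install_file` and `process_pair` are names chosen here, not names from the project.

```bash
#!/bin/sh
# Added example (not certman.sh): the validate-then-install steps the README
# describes, written as small functions so each check can be run on its own.
set -eu

# Succeeds only if CERT and KEY belong to the same key pair. Comparing the
# public key derived from each side works for RSA and EC keys alike.
cert_key_match() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if CERT is still valid DAYS days from now (0 = not expired today).
# openssl's -checkend exits non-zero when the certificate expires within the window.
cert_valid_for() {
  cert="$1"; days="$2"
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Copy SRC to DEST with OWNER:GROUP and MODE, atomically. The temporary copy is
# created with umask 077, so a private key is never world-readable on disk,
# even for an instant, and the final rename means readers see either the old
# file or the complete new one, never a partial write.
install_file() {
  src="$1"; dest="$2"; owner="$3"; group="$4"; mode="$5"
  tmp="$dest.tmp.$$"
  ( umask 077 && cp -- "$src" "$tmp" )
  chown "$owner:$group" "$tmp"
  chmod "$mode" "$tmp"
  mv -f -- "$tmp" "$dest"
}

# Validate a downloaded pair and install it. Returns 2 if the key does not match
# the certificate and 3 if the certificate is already expired, so a bad
# download never replaces a working pair. Arguments:
#   cert key cert_dir key_dir owner group [cert_mode] [key_mode]
process_pair() {
  cert="$1"; key="$2"; cert_dir="$3"; key_dir="$4"; owner="$5"; group="$6"
  cert_mode="${7:-644}"; key_mode="${8:-600}"
  if ! cert_key_match "$cert" "$key"; then
    echo "refusing to install: private key does not match certificate" >&2
    return 2
  fi
  if ! cert_valid_for "$cert" 0; then
    echo "refusing to install: certificate is already expired" >&2
    return 3
  fi
  # Install the key first so the certificate is never on disk without its key.
  install_file "$key" "$key_dir/$(basename "$key")" "$owner" "$group" "$key_mode"
  install_file "$cert" "$cert_dir/$(basename "$cert")" "$owner" "$group" "$cert_mode"
}

# Stand-alone use: ./validate_install.sh cert.pem key.pem /etc/forgejo /etc/forgejo git git
if [ "$#" -ge 6 ]; then
  process_pair "$@"
fi
```

`cert_valid_for "$cert" 14` is the building block for the expiration check: call it from a cron job and alert when it fails, well before the certificate actually lapses. The mismatch check matters because a Certwarden configuration holds separate API keys for the certificate and the private key; if one of them points at the wrong object, the two downloads will not belong together, and reloading the service with that pair would take it down.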