Skyfritt/certman
4
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
certman/README.md

111 lines
3.2 KiB
Markdown
Raw Blame History

# Certwarden Certificate Management
A bash script for managing SSL/TLS certificates through the Certwarden API. This tool provides both automated and interactive interfaces for downloading, installing, and managing certificates on your system.
## Features
- Download and verify certificates and private keys from Certwarden server
- Automatic installation with proper permissions and ownership
- Certificate expiration monitoring
- Interactive menu-driven interface
- Force update option for certificate renewals
- Support for multiple certificates
## Prerequisites
The script requires the following dependencies:
- `curl`: For API interactions
- `jq`: For JSON processing
- `openssl`: For certificate operations
## Installation
1. Clone this repository into `/opt/certman/`:
```bash
git clone https://forge.dmz.skyfritt.net/Skyfritt/certman.git --depth=1 /opt/certman && cd certman
```
2. Rename `example.env` to `.env` and modify as needed:
```bash
# Server Configuration
CERTWARDEN_SERVER="certwarden.dmz.skyfritt.net:443"
# Certificate Paths
CERT_PATH="/etc/certs"
KEY_PATH="/etc/certs"
TEMP_PATH="/tmp/certman"
FULLCHAIN_PEM="true"
# Service Configuration
SERVICE_NAME="nginx"
CERT_OWNER="www-data"
CERT_GROUP="www-data"
CERT_PERMISSIONS="644"
KEY_PERMISSIONS="600"
# Certificate Configurations (JSON format)
# Add as many or few domains as you need (but remember to add or delete the JSON comma!)
CERTIFICATES='[
{
"domain": "example-one.com",
"cert_api_key": "your_cert_api_key",
"key_api_key": "your_key_api_key"
}
]'
```
## Usage
### Interactive Mode
Run the script without any arguments
```bash
./certman.sh
```
### Cron Configuration
Add these lines to your crontab for automated certificate management:
```cron
@reboot sleep 15 && /path/to/certman.sh --silent
2 2 * * 7 /opt/certman/certman.sh --silent
```
### Silent Mode
Run the script with the `--silent` flag for a silent certificate check. It will use the options set in the `.env` file.
```bash
./certman.sh --silent
```
### Force Update
Use the `--force` flag to force certificate updates regardless of current status:
```bash
./certman.sh --force
```
### Disable fetching fullchain PEM
Use the `--disable-pem` to only fetch the .key and .crt:
```bash
./certman.sh --disable-pem
```
### Restart service instead of Reload
Some services do not support at soft restart (reload). use `--restart` to force this option insted of the default reload.
```bash
./certman.sh --restart
```
## Environment Variables
| Variable | Description | Required |
|----------|-------------|----------|
| CERTWARDEN_SERVER | Certwarden API server hostname and port | Yes |
| CERT_PATH | Directory for certificate storage | Yes |
| KEY_PATH | Directory for private key storage | Yes |
| TEMP_PATH | Temporary directory for downloads | Yes |
| FULLCHAIN_PEM | Enabled by default | No |
| SERVICE_NAME | Service to reload after certificate updates | Yes |
| SERIVCE_SUPPORTS | Reload or restart? Reload is the default | No |
| CERT_OWNER | User owner for certificate files | Yes |
| CERT_GROUP | Group owner for certificate files | Yes |
| CERT_PERMISSIONS | Certificate file permissions | Yes |
| KEY_PERMISSIONS | Private key file permissions | Yes |
| CERTIFICATES | JSON array of certificate configurations | Yes |
Reference in a new issue View git blame Copy permalink