Skyfritt/certman
4
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
No description
10 commits 2 branches 0 tags 109 KiB
Shell 100%
Find a file
Ruben 75a8370c9f Add +x to script
2025-03-03 13:32:12 +01:00
.gitignore Add .env and README 2025-02-28 21:48:08 +01:00
certman.sh Add +x to script 2025-03-03 13:32:12 +01:00
example.env Remove AUTO_MODE from env 2025-03-03 13:30:54 +01:00
LICENSE Initial commit 2025-02-28 21:24:51 +01:00
README.md Add +x to script 2025-03-03 13:32:12 +01:00

README.md

Certwarden Certificate Management

A bash script for managing SSL/TLS certificates through the Certwarden API. This tool provides both automated and interactive interfaces for downloading, installing, and managing certificates on your system.

Features

  • Download and verify certificates and private keys from Certwarden server
  • Automatic installation with proper permissions and ownership
  • Certificate and key pair validation
  • Service reload after certificate updates
  • Certificate expiration monitoring
  • Interactive menu-driven interface
  • Silent mode for automated operations
  • Force update option for certificate renewals
  • Proper error handling and logging
  • Support for multiple certificates
  • Secure temporary file handling

Prerequisites

The script requires the following dependencies:

  • curl: For API interactions
  • jq: For JSON processing
  • openssl: For certificate operations

Installation

  1. Clone this repository:
git clone <repository-url>
cd certman
  1. Create a .env file with your configuration:
# Server Configuration
CERTWARDEN_SERVER="certwarden.dmz.skyfritt.net:443"

# Certificate Paths
CERT_PATH="/etc/forgejo"
KEY_PATH="/etc/forgejo"
TEMP_PATH="/tmp/certman"

# Service Configuration
SERVICE_NAME="forgejo"
CERT_OWNER="git"
CERT_GROUP="git"
CERT_PERMISSIONS="644"
KEY_PERMISSIONS="600"

# Certificate Configurations (JSON format)
CERTIFICATES='[
  {
    "domain": "example.com",
    "cert_api_key": "your_cert_api_key",
    "key_api_key": "your_key_api_key"
  }
]'

Usage

Interactive Mode

Run the script without any arguments:

./certman.sh

This will present a menu with the following options:

  1. Process all certificates
  2. List installed certificates
  3. Check certificate expiration
  4. Exit

Automated Mode

Run the script with the --silent flag for automated operations:

./certman.sh --silent

Force Update

Use the --force flag to force certificate updates regardless of current status:

./certman.sh --force

Flags can be combined:

./certman.sh --silent --force

Cron Configuration

Add these lines to your crontab for automated certificate management:

@reboot sleep 15 && /path/to/certman.sh --silent
5 4 * * 2 /path/to/certman.sh --silent

Environment Variables

Variable Description Required
CERTWARDEN_SERVER Certwarden API server hostname and port Yes
CERT_PATH Directory for certificate storage Yes
KEY_PATH Directory for private key storage Yes
TEMP_PATH Temporary directory for downloads Yes
SERVICE_NAME Service to reload after certificate updates Yes
CERT_OWNER User owner for certificate files Yes
CERT_GROUP Group owner for certificate files Yes
CERT_PERMISSIONS Certificate file permissions Yes
KEY_PERMISSIONS Private key file permissions Yes
CERTIFICATES JSON array of certificate configurations Yes

Security Considerations

  • Store the script and .env file in a secure location with restricted permissions
  • Use appropriate permissions for certificate and key files
  • Keep API keys secure and rotate them periodically
  • Run the script as a user with appropriate privileges
  • Temporary files are automatically cleaned up using secure practices
  • Certificate and key pairs are validated before installation