certman/README.md

# Certwarden Certificate Management

A bash script for managing SSL/TLS certificates through the Certwarden API. This tool provides both automated and interactive interfaces for downloading, installing, and managing certificates on your system.

## Features

- Download and verify certificates and private keys from Certwarden server
- Automatic installation with proper permissions and ownership
- Certificate and key pair validation
- Service reload after certificate updates
- Certificate expiration monitoring
- Interactive menu-driven interface
- Silent mode for automated operations
- Force update option for certificate renewals
- Proper error handling and logging
- Support for multiple certificates
- Secure temporary file handling

## Prerequisites

The script requires the following dependencies:
- `curl`: For API interactions
- `jq`: For JSON processing
- `openssl`: For certificate operations

## Installation

1. Clone this repository:
```bash
git clone <repository-url>
cd certman
```

2. Create a `.env` file with your configuration:
```bash
# Server Configuration
CERTWARDEN_SERVER="certwarden.dmz.skyfritt.net:443"

# Certificate Paths
CERT_PATH="/etc/forgejo"
KEY_PATH="/etc/forgejo"
TEMP_PATH="/tmp/certman"

# Service Configuration
SERVICE_NAME="forgejo"
CERT_OWNER="git"
CERT_GROUP="git"
CERT_PERMISSIONS="644"
KEY_PERMISSIONS="600"

# Certificate Configurations (JSON format)
# Add as many or few domains as you need (but remember to add or delete the JSON comma!)
CERTIFICATES='[
  {
    "domain": "example-one.com",
    "cert_api_key": "your_cert_api_key",
    "key_api_key": "your_key_api_key"
  },
  {
    "domain": "example-two.com",
    "cert_api_key": "your_cert_api_key",
    "key_api_key": "your_key_api_key"
  }
]'
```

## Usage

### Interactive Mode
Run the script without any arguments:
```bash
./certman.sh
```

This will present a menu with the following options:
1. Process all certificates
2. List installed certificates
3. Check certificate expiration
4. Force update all certificates
5. Exit

### Automated Mode
Run the script with the `--silent` flag for automated operations:
```bash
./certman.sh --silent
```

### Force Update
Use the `--force` flag to force certificate updates regardless of current status:
```bash
./certman.sh --force
```

Flags can be combined:
```bash
./certman.sh --silent --force
```

### Fullchain PEM
Use the `--fullchain-pem` flag to combine certificate and private key into a single PEM file:
```bash
./certman.sh --fullchain-pem

### Cron Configuration
Add these lines to your crontab for automated certificate management:
```cron
@reboot sleep 15 && /path/to/certman.sh --silent
5 4 * * 2 /path/to/certman.sh --silent
```

## Environment Variables

| Variable | Description | Required |
|----------|-------------|----------|
| CERTWARDEN_SERVER | Certwarden API server hostname and port | Yes |
| CERT_PATH | Directory for certificate storage | Yes |
| KEY_PATH | Directory for private key storage | Yes |
| TEMP_PATH | Temporary directory for downloads | Yes |
| FULLCHAIN_PEM | Optional: Combine cert and key into single PEM file | No |
| SERVICE_NAME | Service to reload after certificate updates | Yes |
| CERT_OWNER | User owner for certificate files | Yes |
| CERT_GROUP | Group owner for certificate files | Yes |
| CERT_PERMISSIONS | Certificate file permissions | Yes |
| KEY_PERMISSIONS | Private key file permissions | Yes |
| CERTIFICATES | JSON array of certificate configurations | Yes |

## Security Considerations

- Store the script and `.env` file in a secure location with restricted permissions
- Use appropriate permissions for certificate and key files
- Keep API keys secure and rotate them periodically
- Run the script as a user with appropriate privileges
- Temporary files are automatically cleaned up using secure practices
- Certificate and key pairs are validated before installation