cm.sh

#!/usr/bin/env bash
# ======================================================================
#
# WRAPPER FOR ACME.SH 
# Let's Encrypt client
#
# requires
# - bash
# - openssl
# - curl
# - dig (opional)
# - acme.sh client
#
# ----------------------------------------------------------------------
# 2021-02-02  <axel.hahn@iml.unibe.ch>  first lines
# 2021-02-10  <axel.hahn@iml.unibe.ch>  compare hashes, logging
# 2021-02-12  <axel.hahn@iml.unibe.ch>  added self test
# 2021-02-17  <axel.hahn@iml.unibe.ch>  ensure checks list of aliases; new: optional host filter before adding a cert
# 2021-03-12  <axel.hahn@iml.unibe.ch>  create file for haproxy
# 2021-03-22  <axel.hahn@iml.unibe.ch>  for haproxy: use chained cert instead of server cert
# 2021-04-12  <axel.hahn@iml.unibe.ch>  reject multiple usage of fqdn in cli params
# 2021-04-12  <axel.hahn@iml.unibe.ch>  optional: force excecution with a given user only
# 2021-06-24  <axel.hahn@iml.unibe.ch>  added transfer command; delete files if acme.sh --install-cert ... failes
# 2021-07-14  <axel.hahn@iml.unibe.ch>  added _wait_for_free_slot in cert actions to execute multiple processes sequentially
# 2021-09-27  <axel.hahn@iml.unibe.ch>  softer behaviour: do not revoke changed certs (add does not stop; ensure does not delete)
# 2021-12-23  <axel.hahn@iml.unibe.ch>  added param --trace as 1st param to generate a trace log 
# 2022-01-10  <axel.hahn@iml.unibe.ch>  _wait_for_free_slot: exclude ssh calls 
# 2022-03-30  <axel.hahn@iml.unibe.ch>  remove usage of csr and generation of key file
# 2022-03-31  <axel.hahn@iml.unibe.ch>  dns authentication with alias domain
# 2022-04-04  <axel.hahn@iml.unibe.ch>  Bugfix: copy key from csr folder to ~/.acme/
# 2022-04-04  <axel.hahn@iml.unibe.ch>  added param "list-old"
# 2022-04-07  <axel.hahn@iml.unibe.ch>  fix missing key in public_ensure before calling public_add too.
# 2022-04-20  <axel.hahn@iml.unibe.ch>  fix multiple domains using domain alias
# 2022-04-21  <axel.hahn@iml.unibe.ch>  mix multiple domains using domain alias or not
# 2022-05-19  <axel.hahn@iml.unibe.ch>  add timer and debug.log
# 2022-05-20  <axel.hahn@iml.unibe.ch>  update _wait_4_free_slot and data in debug.log
# ======================================================================


# ----------------------------------------------------------------------
#
# CONFIG
#
# ----------------------------------------------------------------------

logdir="./log"
touchfile="$logdir/lastchange.txt"
logfile="$logdir/certmanager.log"
debuglogfile="$logdir/debug.log"

# CSR USAGE WAS REMOVED
# csrfile="./templates/csr.txt"

line="_______________________________________________________________________________"

# flag: show debug infos on console (STDOUT)
CM_showdebug=0

# flag: write a log for created/ renewd/ deleted certs
CM_writelog=1

# flag: write a log for executed functions with timer and process count
CM_writedebuglog=0

CM_timer_start=$( date +%s.%N )

# ----------------------------------------------------------------------
#
# INTERNAL FUNCTIONS
#
# ----------------------------------------------------------------------

# BUGFIX: acme.sh does not create a new key file on renew.
# After switching from csr method to param -d we got a 0 byte Keyfile
function _fixKeyfile(){
	local _acme_keyfile=~/.acme.sh/${CM_fqdn}/${CM_fqdn}.key
	if test ! -f "$_acme_keyfile"
	then
		echo "FIX: copy key from csr folder $CM_filekey to $_acme_keyfile"
		if ! cp "$CM_filekey" "$_acme_keyfile"
		then
			exit 1
		fi
	fi

}

# internal function; list certificates incl. creation date and renew date
function _listCerts(){
	$ACME --list	
}

# internal function; get a list of fqdn of all existing certs
function _listCertdomains(){
	_listCerts | sed -n '2,$p' | awk '{ print $1 }'
}

# internal function; checks if a certificate for a given FQDN already exists
# used in _certMustExist, _certMustNotExist
# param  string  FQDN
function _certExists(){
	_listCertdomains | grep "^${CM_fqdn}$" >/dev/null
}

# internal function; a certificate of a given FQDN must exist - otherwise
# the script will be aborted
# param  string  FQDN
function _certMustExist(){
	_certExists
	if [ $? -ne 0 ]; then
		echo "ERROR: cert ${CM_fqdn} was not added yet."
		exit 1
	fi
}

# internal function; a certificate of a given FQDN must not exist - otherwise
# the script will be aborted
# param  string  FQDN
function _certMustNotExist(){
	if _certExists
	then
		echo "ERROR: cert ${CM_fqdn} was added already."
		# exit 1
		echo "Press Ctrl+C to abort within the next 10 sec..."
		sleep 10
	fi
}

# internal function: transfer generated/ updated cert data to a
# known directory (based on CM_diracme - see inc_config.sh)
# used in public_add and public_renew
# used in ADD and RENEW action
function _certTransfer(){
	_wd "--- acme internal data - ~/.acme.sh/${CM_fqdn}"
	ls -l ~/.acme.sh/${CM_fqdn}

	_wd "--- delete current files in ${CM_dircerts}/ if they already exist."
    test -d ${CM_dircerts} && rm -f "${CM_dircerts}/*" 2>/dev/null

	_wd "--- transfer acme.sh files to ${CM_dircerts}/"
	if ! $ACME \
		--install-cert \
		-d "${CM_fqdn}" \
		--key-file        "${CM_outfile_key}"   \
		--cert-file       "${CM_outfile_cert}"  \
		--fullchain-file  "${CM_outfile_chain}" \
		--ca-file         "${CM_outfile_ca}"
    then
        echo "ERROR occured during acme transfer. Removing files in ${CM_dircerts} to prevent strange effects..."
        rm -f "${CM_dircerts}/*"
        exit 2
    fi
	echo "OK."
	
	# _wd "--- copy key to ${CM_dircerts}"
	# cp ${CM_filekey} ${CM_outfile_key}

	_wd "--- create chained file for haproxy"
	cat "${CM_outfile_chain}" "${CM_outfile_key}" > "${CM_outfile_haproxy}"

	_wd "--- content of output dir $CM_dircerts:"
	if ! ls -l "${CM_outfile_cert}" "${CM_outfile_chain}" "${CM_outfile_key}" "${CM_outfile_haproxy}"
    then
        echo "ERROR missing a file (or no access?)"
        rm -f "${CM_dircerts}/*"
        exit 2
    fi
}

# internal function; show md5 hashsums for certificate and key
# for visual comparison if the match
function _certMatching(){
	# CSR USAGE WAS REMOVED
	# local md5_csr=$(  test -f ${CM_filecsr}      && openssl req  -noout -modulus -in ${CM_filecsr}      | openssl md5 | cut -f 2 -d " " )
	local md5_key=$(  test -f ${CM_outfile_key}  && openssl rsa  -noout -modulus -in ${CM_outfile_key}  | openssl md5 | cut -f 2 -d " " )
	local md5_cert=$( test -f ${CM_outfile_cert} && openssl x509 -noout -modulus -in ${CM_outfile_cert} | openssl md5 | cut -f 2 -d " " )

	echo
	echo "--- compare hashes"
	# CSR USAGE WAS REMOVED
	# echo "csr  : $md5_csr (used for creation of cert)"
	echo "key  : $md5_key"
	echo "cert : $md5_cert"
	if [ "$md5_key" = "$md5_cert" ]; then
		echo "OK, key and cert match :-)"
	else
		echo "ERROR: key and cert do NOT MATCH!"
	fi
	echo
}

# internal function: dig for given fqdn.
# Function stops if fqdn was not found in DNS.
# If dig is not found the function skips the DNS check.
# This function is used in _dnsCheck
# param  string  fqdn to check
# param  string  type of dns entry; one of a|cname
# param  string  optional filter on output of dig (regex)
function _checkDig(){
    local myfqdn=$1
	local _type=${2:-"a"}
	local _verify=${3:-"."}

    if which dig >/dev/null
    then
        # _wd "[$myfqdn] exists as type [$_type] in DNS?"
        if ! dig "${myfqdn}" "${_type}" | grep "^${myfqdn}" | grep -E "${_verify}"
        then
            echo "ERROR: [$myfqdn] was not found. Maybe there is a typo in the hostname or it does not exist in DNS."
            exit 2
        fi
        _wd "OK: [$myfqdn] exists in DNS."
    else
        _wd "SKIP: dig was not found"
    fi
    echo

}

# internal function: check DNS entries
# - the hostname to be added in the certificate must exist
# - if a hostname does not match and CM_challenge_alias was set:
#   - _acme-challenge.FQDN must be a cname to _acme-challenge.${CM_challenge_alias}
# Function stops if a fqdn was not found in DNS.
# param  string  fqdn(s) that are part of the certificate
function _dnsCheck(){
	local altdns=
	local _mydomain=
	local _subdomain='_acme-challenge'

	for _mydomain in $*
	do
		_wd "dig check - domain for cert"
		_checkDig "$_mydomain" "a" "IN.*(A|CNAME)" # matches A and CNAME records

		if [ -n "${CM_challenge_alias}" ] && ! echo "$_mydomain" | grep "${CM_certmatch}" >/dev/null
		then
			_wd "dig check - cname ${_subdomain}.${_mydomain} must exist"
			_checkDig "${_subdomain}.${_mydomain}" "cname"
			_wd "dig check - cname ${_subdomain}.${_mydomain} must point to ${_subdomain}.${CM_challenge_alias}"
			_checkDig "${_subdomain}.${_mydomain}" "cname" "${_subdomain}.${CM_challenge_alias}"
		fi
	done

}

# CSR USAGE WAS REMOVED
# internal function; generate a csr file before creating a new certifcate
# this function is used in public_add
# function _UNUSED_gencsr(){

# 	local altdns=

# 	for myalt in $*
# 	do
# 		altdns="${altdns}DNS:$myalt,"
# 	done
# 	altdns=$( echo $altdns | sed "s#,\$##" )
#     _wd "--- $CM_fqdn"
# 	_wd "DNS alternative names: $altdns"

# 	rm -f $CM_filecnf $CM_filekey $CM_filecsr
# 	mkdir -p "${CM_dircsr}" 2>/dev/null

# 	cat $csrfile \
# 		| sed "s#__FQDN__#$CM_fqdn#g"  		\
# 		| sed "s#__ALTNAMES__#$altdns#g"	\
# 		> $CM_filecnf || exit 1

# 	# generate csr
# 	_wd "creating key and csr"
# 	openssl req -new -config $CM_filecnf -keyout $CM_filekey -out $CM_filecsr || exit 1

# 	# view csr
# 	# openssl req -noout -text -in $CM_filecsr
# 	ls -ltr $CM_filecnf $CM_filekey $CM_filecsr
# }

# internal function; get a sorted list of DNS aliases in the current cert
function _getAliases(){
	_sortWords $(
		openssl x509 -noout -text -in ${CM_outfile_cert} \
			| grep -E "(DNS:)" \
			| sed "s#^\ *##g"  \
			| sed "s#DNS:##g"  \
			| sed "s#,##g"
	)
}

# internal function; check if a required 2nd CLI parameter was given
# if not the script will abort
function _requiresFqdn(){
	if [ -z "$CM_fqdn" ]; then
		echo "ERROR: 2nd parameter must be a FQDN for Main_Domain."
		exit 1
	fi
}

# internal function; it shows a message if the current instance uses a stage
# server. It shows a message that it is allowed to test arround ... or to be 
# careful with LE requests on a production system
function _testStaging(){
	echo $ACME_Params | grep "\-\-staging" >/dev/null
	if [ $? -eq 0 ]; then
		_wd "Using Let's Encrypt STAGE environment ..."
		_wd "You can test and mess around. Do not use certs in production."
	else
		_wd "Using Let's Encrypt LIVE environment for production."
		_wd "Be careful with count of connects to Let's Encrypt servers."
	fi
	echo
}
# internal function; if a user was set as CM_user then verify it with
# current user
function _testUser(){
	if [ ! -z "$CM_user" ]; then
		local _sUser=`id | cut -f 2 -d "(" | cut -f 1 -d ")"`
		if [[ $_sUser != "$CM_user" ]]; then
			echo "ERROR: Run this script under user [$CM_user] - not as $_sUser."
			exit 1
		fi
	fi

}

# set update message into access log file
# global bool CM_writedebuglog flag to write access log.
# param  string(s)  message
function _debuglog(){
	if [ ${CM_writedebuglog} -eq 1 ]; then
		echo "$( date ) $CM_fqdn [$$] | $(show_timer) | $*" >> ${debuglogfile}
	fi
}


# set update message in a file
# param  string(s)  message
function _update(){
	echo "[$( date )] $*" > ${touchfile}
	test ${CM_writelog} -ne 0 && echo "[$( date )] $*" >> ${logfile}
}

# "neverending" loop that waits until the current process is
# the one with lowest PID
function _wait_for_free_slot(){
    local _bWait=true
	_debuglog "start in _wait_for_free_slot"
    typeset -i local _iFirstPID=0
    typeset -i local _iPos=0
    local _sProcesses
	
	_wd "--- Need to wait until own process PID $$ is on top ... "
    while [ $_bWait = true ];
    do
		_sProcesses=$( ps -ef | grep "bash.*$0" | grep -v "ssh.*@" | grep -v "grep" | sort -k 2 -n )
		_iPos=$( echo "$_sProcesses" | grep -n " $$ " | head -1 | cut -f 1 -d ':' )

		_wd "instances: $_iProcesses"
		test ${CM_showdebug} -ne 0 && echo "$_sProcesses"

        # if [ $_iFirstPID -eq $$ ]; then
        if [ $_iPos -eq 1 ]; then
            _bWait=false
			_debuglog "GO from _wait_for_free_slot"
            _wd "OK. Go!"
        else
			_iProcesses=$( echo "$_sProcesses" | wc -l )
			_iFirstPID=$( echo "$_sProcesses" | head -1 | awk '{ print $2}' )
			_debuglog "zzz ... waiting in _wait_for_free_slot ... $_iFirstPID is first ... my pos is $_iPos of $_iProcesses"
            sleep 10
        fi
    done
	_debuglog "end _wait_for_free_slot"
}

# write debug output if CM_showdebug is set to 1
function _wd(){
	test ${CM_showdebug} -ne 0 && echo "DEBUG: $*"
}

# set environment for a single certificate based on FQDN
# param  string  FQDN
function _setenv(){
	CM_fqdn=$1
	# CSR USAGE WAS REMOVED
	# keeping vars to delete files of existing certs that used a csr
	CM_filecsr="${CM_dircsr}/${CM_fqdn}.csr"
	CM_filecnf="${CM_dircsr}/${CM_fqdn}.cnf"
	CM_filekey="${CM_dircsr}/${CM_fqdn}.key"

	CM_dircerts="${CM_diracme}/${CM_fqdn}"
	CM_outfile_cert=${CM_dircerts}/${CM_fqdn}.cert.cer
	CM_outfile_chain=${CM_dircerts}/${CM_fqdn}.fullchain.cer
	CM_outfile_key=${CM_dircerts}/${CM_fqdn}.key.pem
	CM_outfile_haproxy=${CM_dircerts}/${CM_fqdn}.haproxy.pem
	CM_outfile_ca=${CM_dircerts}/${CM_fqdn}.ca.cer

	# echo $CM_fqdn; set | grep "^CM_"; echo

}
# internal function; helper: sort words in alphabetic order
function _sortWords(){
	echo $* | tr " " "\n" | sort | tr "\n" " "
}

# internal function; verify fqdn in cli params - each fqdn is allowed only once.
# on error it shows the count of usage of each fqdn
function _testFqdncount(){
	typeset -i local iHostsInParam=$( echo $* | wc -w )
	typeset -i iHostsUniq=$( echo $* | tr " " "\n" | sort -u | wc -w )
	if [ $iHostsInParam -ne $iHostsUniq ]; then
		echo "ERROR: each given FQDN is allowed only once. You need to remove double entries."
		
		for myhost in $( echo $* | tr " " "\n" | sort -u )
		do
			typeset -i iHostcount=$( echo $* | tr " " "\n" | grep "^$myhost$" | wc -l )
			test $iHostcount -gt 1 && echo "  $iHostcount x $myhost"
		done
		echo
		exit 1
	fi
}

# get time in sec and milliseconds since start
# no parameter is required
function show_timer(){
         local timer_end=$( date +%s.%N )
         local totaltime=$( awk "BEGIN {print $timer_end - $CM_timer_start }" )

         local sec_time=$( echo $totaltime | cut -f 1 -d "." )
         test -z "$sec_time" && sec_time=0

         local ms_time=$( echo $totaltime | cut -f 2 -d "." | cut -c 1-3 )

         echo "$sec_time.$ms_time sec"
}

# ----------------------------------------------------------------------
#
# PUBLIC FUNCTIONS
#
# ----------------------------------------------------------------------

#
# pulic function ADD certificate
# 
function public_add(){
	local _params=""

	_debuglog "start public_add"
	_wait_for_free_slot
	_requiresFqdn
    _certMustNotExist

	_dnsCheck $CM_fqdn $*

	for _mydomain in $CM_fqdn $*
	do
		_params+="-d $_mydomain --challenge-alias "

		if [ -n "${CM_challenge_alias}" ] && ! echo "$_mydomain" | grep "${CM_certmatch}" >/dev/null
		then
			_params+="${CM_challenge_alias} "
		else
			_params+="no "
		fi
	done

	_wd "--- create output dir $dircerts"
	mkdir -p "${CM_dircerts}" 2>/dev/null

	_wd "--- create certificate"
	echo "$ACME --issue $_params $ACME_Params"
	if ! $ACME --issue $_params $ACME_Params 
	then
		echo "ERROR: adding cert failed. Trying to delete internal data ..."
		public_delete $CM_fqdn
		exit 1
	fi
	# $ACME --issue -d $CM_fqdn $ACME_Params || exit 1

	_certTransfer
	_certMatching

	_update "added $CM_fqdn $*"
	_debuglog "end public_add"
}

# CSR USAGE WAS REMOVED
# function OLD__public_add(){
# 	_wait_for_free_slot
# 	_requiresFqdn
#     _certMustNotExist

# 	for myhost in $( echo $CM_fqdn $*)
# 	do 
# 		echo $myhost | grep "$CM_certmatch" >/dev/null
# 		if [ $? -ne 0 ]; then
# 			echo "ERROR: host $myhost does not match [$CM_certmatch]."
# 			exit 1
# 		fi
# 	done
# 	_gencsr $CM_fqdn $*

# 	_wd "--- create output dir $dircerts"
# 	mkdir -p "${CM_dircerts}" 2>/dev/null

# 	_wd "--- csr data"
# 	$ACME --showcsr  --csr $CM_filecsr || exit 1

# 	_wd "--- create certificate"
# 	echo $ACME --signcsr --csr $CM_filecsr $ACME_Params 
# 	$ACME --signcsr --csr $CM_filecsr $ACME_Params 
# 	if [ $? -ne 0 ]; then
# 		echo "ERROR: adding cert failed. Trying to delete internal data ..."
# 		public_delete $CM_fqdn
# 		exit 1
# 	fi
# 	# $ACME --issue -d $CM_fqdn $ACME_Params || exit 1

# 	_certTransfer
# 	_certMatching

# 	_update "added $CM_fqdn $*"
# }

#
# pulic function ADD OR RENEW certificate
# 
function public_ensure(){
	_wait_for_free_slot
	_requiresFqdn
	_certExists
	if [ $? -eq 0 ]; then
		_wd "--- cert $CM_fqdn was found ... compare aliases"
		local _newAliases=$( _sortWords $CM_fqdn $* )
		local _certAliases=$( _getAliases )

		_wd "from params: $_newAliases"
		_wd "inside cert: $_certAliases"
		if [ "$_newAliases" = "$_certAliases" ]; then
			_wd "--- DNS aliases match ... renew it (ignore --force - it comes from acme.sh)"
			public_renew $*
		else
			# _wd "--- DNS aliases do NOT match ... deleting cert and create a new one"
			# public_delete $*
			_wd "--- DNS aliases do NOT match ... creating a new one"
			_fixKeyfile
			public_add $*
		fi
	else
		_wd "--- cert does mot exist ... add it"
		public_add $*
	fi
}

#
# public function to delete a cert
#
function public_delete(){
	_debuglog "start public_delete"
	_wait_for_free_slot
	_requiresFqdn
	_certMustExist

	# TODO: revoke it too??
	_wd "--- revoke cert"
	$ACME --revoke -d ${CM_fqdn} $ACME_Params
	_wd "--- delete ACME.SH data"
	$ACME --remove -d ${CM_fqdn} $ACME_Params
	_wd "--- delete local data"

	# CSR USAGE WAS REMOVED
	rm -rf ${CM_dircerts} ${CM_filecnf} ${CM_filekey} ${CM_filecsr} ~/.acme.sh/${CM_fqdn} && echo OK
	_update "deleted ${CM_fqdn}"
	_debuglog "end public_delete"
}


#
# public function; list certificates incl. creation date and renew date
# 
function public_list(){
	_listCerts

}
#
# public function; list old / outdated certificates
# 
function public_list-old(){

	local _iRuntime=90
	local _iWarn=65
	typeset -i local _rc=0

	cd "${CM_dircerts}"  || exit 1

	echo
	echo "Cert dir is $( pwd )"
	echo
	echo "---- Certificates expiring soon - with age $_iWarn ... $_iRuntime days:"
	if find -type f -name "*.cert.cer" -mtime +$_iWarn -mtime -$_iRuntime | grep . >/dev/null
	then
		find -type f -name "*.cert.cer" -mtime +$_iWarn -mtime -$_iRuntime  -exec ls -ld {} \; | nl
		_rc=1
	else 
		echo "     NONE."
	fi
	echo
	echo "---- Certificate list ... older $_iRuntime days:"
	if find -type f -name "*.cert.cer" -mtime +$_iRuntime | grep . >/dev/null
	then
		find -type f -name "*.cert.cer" -mtime +$_iRuntime -exec ls -ld {} \; | nl
		_rc=2
	else
		echo "     NONE."
	fi

	echo	
	cd - >/dev/null

	_wd "Exiting with rc=$_rc"
	exit $_rc
}


#
# public function - renew a certificate
# param  string  fqdn of domain to renew
function public_renew(){
	_debuglog "start public_renew"
	_wait_for_free_slot
	_requiresFqdn
	_certMustExist

	_fixKeyfile

	$ACME --renew -d ${CM_fqdn} $ACME_Params
	local _rc=$?

	case $_rc in
		0)
			_certTransfer
			_certMatching
			_update "renewed ${CM_fqdn}"
			;;
		2)
			_wd "renew was skipped ... we need to wait a while."
			;;
		*)
			_wd "Error ocured."
			exit $_rc
	esac
	_debuglog "end public_renew"
}

#
# public function - renew all certificates (to be used in a cronjob)
# no params
function public_renew-all(){

	_listCertdomains | while read mydomain
	do
		_wd "--- renew $mydomain"
		_setenv ${mydomain}
		public_renew
	done

}


# internal function; helper for selftest to handle a single selftest
# if a given command is successful it shows "OK" or "ERROR" followed
# by the label inparam 2.
# The value _iErrors will be incremented by 1 if an error occured.
# param  string  command to verify
# param  string  output label
function _selftestItem(){
	local _check=$1
	local _label=$2
	local _status="OK:"

	eval "$_check"
	if [ $? -ne 0 ]; then
		_status="ERROR: the check failed for the test of -"
		_iErrors=$_iErrors+1
	fi

	echo "$_status $_label"
}

#
# list existing certs
# no params
function public_selftest(){

	typeset -i _iErrors=0

	echo
	echo --- dependencies
	_selftestItem "which openssl" "openssl was found"
	_selftestItem "which curl" "curl was found"
	echo

	echo --- acme.sh client
	_selftestItem "ls -ld ${ACME}" "${ACME} exits"
	_selftestItem "test -x ${ACME}" "${ACME} is executable"
	echo

	echo --- acme.sh installation \(may fail in future releases of acme.sh\)
	_selftestItem "ls -ld ~/.acme.sh" "internal acme data were found = [acme.sh --install] was done"
	_selftestItem "test -w ~/.acme.sh/" "it is writable"
	echo

	# CSR USAGE WAS REMOVED
	# echo --- csr template
	# _selftestItem "ls -ld ${csrfile}"  "csr base template exists"
	# _selftestItem "test -r ${csrfile}" "it is readable"
	# echo
    #
	# echo --- output directory for csr and key
	# _selftestItem "ls -ld ${CM_dircsr}"  "data dir for csr exists"
	# _selftestItem "test -w ${CM_dircsr}" "it is writable"
	# echo

	echo --- output dir for centralized place of certificates
	_selftestItem "ls -ld ${CM_diracme}"  "central output dir for certificate data exists"
	_selftestItem "test -w ${CM_diracme}" "it is writable"
	echo


	echo --- logs
	_selftestItem "ls -ld ./log/" "Logdir exists"
	_selftestItem "test -w" "Logdir is writable"
	test -f $logfile    &&  _selftestItem  "test -w $logfile" "Logfile $logfile is writable"
	test -f $touchfile  && _selftestItem "test -w $touchfile" "Logfile $touchfile is writable"
	echo

	echo --- Errors: $_iErrors
	test $_iErrors -eq 0 && echo "OK, this looks fine."
	echo
	exit $_iErrors
}

#
# list existing certs
# no params
function public_show(){
	_requiresFqdn
	_certMustExist

	# CSR USAGE WAS REMOVED
	# ls -l ${CM_filecsr} ${CM_dircerts}/*
	ls -l ${CM_dircerts}/*
	_certMatching

	# CSR USAGE WAS REMOVED
	# echo $line
	# echo CSR $CM_filecsr
	# openssl req -noout -text -in $CM_filecsr | grep -E "(Subject:|DNS:)" | sed "s#^\ *##g"

	for myfile in ${CM_outfile_cert} ${CM_outfile_haproxy}
	do
        echo $line
        echo Cert ${myfile}
        # openssl x509 -noout -text -in ${CM_outfile_cert}
        openssl x509 -noout -text -in ${myfile} | grep -E "(Issuer:|Subject:|Not\ |DNS:)"| sed "s#^\ *##g"
    done
}

# Transfer cert from acme.sh internal cache to our output dir again
function public_transfer(){
	_wait_for_free_slot
	_requiresFqdn
	_certExists

	_certTransfer
}

# ----------------------------------------------------------------------
#
# main
#
# ----------------------------------------------------------------------

cd $( dirname $0 )

if [ "$1" = "--trace" ]; then
	tracelog="$logdir/trace__$2__$3__`date +%Y-%m-%d__%H-%M-%S`.log"
	exec  > >(tee -a ${tracelog}    )
	exec 2> >(tee -a ${tracelog} >&2)
	echo "TRACELOG was triggered."
	echo "TIME   : $(date)"
	echo "COMMAND: $0 $*"
	echo "LOG    : $tracelog"

	# set -vx
	shift 1
fi

cat <<ENDOFHEADER
$line


             	- - - ---===>>> CERT MANAGER <<<===--- - - -

$line

ENDOFHEADER

which openssl >/dev/null || exit 1

. ./inc_config.sh
if [ $? -ne 0 ]; then
	echo "ERROR: loading the config failed."
	echo "Copy the inc_config.sh.dist to inc_config.sh and make your settings in it."
	echo
	exit 1
fi

_testUser
_testStaging

test -z "${CM_diracme}" && CM_diracme=./certs
test -z "${CM_dircsr}"  && CM_dircsr=./csr

grep "function\ public_$1" $( basename $0 ) >/dev/null 
if [ $# -gt 0 -a $? -eq 0 ]; then
	# _wd $*
	action=$1
	CM_fqdn=$2
	shift 2

	_testFqdncount $CM_fqdn $*

	test -z "${ACME}" && ACME=$( which acme.sh )
	if [ ! -x "${ACME}" ]; then
		echo "ERROR: acme.sh not found. You need to install acme.sh client and configure it in inc_config.sh."
		exit 1
	fi

	_setenv $CM_fqdn

	_wd "A C T I O N -->> $action <<--"
	_debuglog ">>> START public_$action $CM_fqdn $*"
	eval "public_$action $*"
	_debuglog ">>> DONE public_$action $CM_fqdn $*"

else
	self=$( basename $0 )
	cat <<EOF

HELP

The basic syntax is
$self [--trace] ACTION [FQDN] [ALIAS_1 [.. ALIAS_N]]

The ACTIONs for SINGLE certificate handlings are:

        add FQDN [.. FQDN-N] 
                create new certificate
                The first FQDN is a hostname to generate the certificate for. 
                Following multiple hostnames will be used as DNS aliases in the 
                same certificate.
                It updates files in ${CM_diracme}

        ensure FQDN [.. FQDN-N] 
                It ensures that a certificate with given aliases exists and is up to date.
                This param is for simple usage in automation tools like Ansible or Puppet.
                It is required to add all aliases as parameters what is unhandy for
                direct usage on cli.

                If the cert does not exist it will be created (see "add").
                If fqdn and aliases are the same like in the certificate it performs a renew.
                If fqdn and aliases differ:
                - the current certificate will be rejected + deleted (see "delete")
                - a new certificate will be added ()

        delete FQDN
                delete all files of a given certificate

        renew FQDN
                renew (an already added) certificate
                and update files in ${CM_diracme}

        show FQDN
                show place of certificate data and show basic certificate data
                (issuer, subject, aliases, ending date)

        transfer FQDN
                Transfer cert from acme.sh internal cache to our output dir again.
                It is done during add or renew. With transfer command you can repeat it.

ACTIONs for ALL certs

        list
                list all certificates including creation and renew date

        list-old
                list all certificates older 65 and older 90 days and exit.
				Exitcodes:
				  0 - all certs are up to date.
				  1 - certificates to renew were found
				  2 - outdatedt certificates were found

        renew-all
                renew all certificates (fast mode - without --force)
                and update files in ${CM_diracme}
                It is useful for a cronjob.

other ACTIONs

        selftest
                check of health with current setup and requirements.
                This command is helpful for initial setups.

OPTIONS
        --trace (it must be the 1st parameter) 
                the output additionally will be written into a tracelog file 
                below $logdir.

EOF
fi

echo
_testStaging