30_Usage.md


./cm.sh -h
_______________________________________________________________________________


          - - - ---===>>> CERT MANAGER - v2025-01-09 <<<===--- - - -

_______________________________________________________________________________


HELP

Wrapper script for acme.sh to handle certificates.
For automation you should use the "ensure" action that detects if a
certificate must be created, renewed or re-created.

📄 Source: <https://git-repo.iml.unibe.ch/iml-open-source/iml-certman>
📜 License: GNU GPL 3.0
📗 Docs: <https://os-docs.iml.unibe.ch/iml-certman/>

SYNTAX:

    cm.sh [OPTIONS] ACTION <FQDN> [<ALIASES>]

OPTIONS:

    -a|--alias
        Use http challenge with existing http server on port 80
        Challenge file will be written into ../alias-dir/

    -f|--force
        Force renew of certificate even if it is not due yet.
        Use it carefully - remember the execution limits on Let's Encrypt.

    -t|--trace
        the output additionally will be written into a tracelog file
        below ./log.

    -v|--verbose
        show debug infos on console.
        Remark: for permanent usage set CM_showdebug=1 in inc_config.sh

    -w|--webroot <DIR>
        Use http challenge with existing http server on port 80
        Challenge file will be written into given directory

The ACTIONs for SINGLE certificate handlings are:

    add <FQDN> [.. <FQDN-N>]
        create new certificate
        The first FQDN is a hostname to generate the certificate for.
        Following multiple hostnames will be used as DNS aliases in the
        same certificate.
        It updates files in ./certs

    ensure <FQDN> [.. <FQDN-N>]
        It ensures that a certificate with given aliases exists and is up to date.
        This param is for simple usage in automation tools like Ansible or Puppet.
        It is required to add all aliases as parameters what is unhandy for
        direct usage on cli.

        If the cert does not exist it will be created (see "add").
        If fqdn and aliases are the same like in the certificate it performs a renew.
        If fqdn and aliases differ:
        - the current certificate will be rejected + deleted (see "delete")
        - a new certificate will be added ()

    delete <FQDN>
        delete all files of a given certificate

    renew <FQDN>
        renew (an already added) certificate
        and update files in ./certs

    show <FQDN>
        show place of certificate data and show basic certificate data
        (issuer, subject, aliases, ending date)

    transfer <FQDN>
        Transfer cert from acme.sh internal cache to our output dir again.
        It is done during add or renew. With transfer command you can repeat it.

ACTIONs for ALL certs

    list
        list all certificates including creation and renew date

    list-old
        list all certificates older 65 and older 90 days and exit.
        Exitcodes:
            0 - all certs are up to date.
            1 - certificates to renew were found
            2 - outdatedt certificates were found

    renew-all
        renew all certificates (fast mode - without --force)
        and update files in ./certs
        It is useful for a cronjob.

other ACTIONs

    selftest
        check of health with current setup and requirements.
        This command is helpful for initial setups.