certops 1.0.4 → 1.0.7

package/README.md

@@ -0,0 +1,131 @@
+# certops
+
+CLI for managing and auto-renewing SSL certificates from the [SSL Pilot](https://ssl-manager.dcom.at) platform.
+
+## Install
+
+```bash
+npm install -g certops
+```
+
+## Requirements
+
+- Node.js 18+
+- An SSL Pilot API key (`sslpilot_...`) from your dashboard
+
+## Quick start
+
+```bash
+# Set your API key
+export CERTOPS_API_KEY='sslpilot_...'
+
+# List certificates
+certops list
+
+# Download a certificate (interactive picker)
+sudo certops download
+
+# Download a specific domain
+sudo certops download '*.example.com'
+
+# Download by ID
+sudo certops download --id <cert-id>
+```
+
+## Commands
+
+### `certops list`
+
+Lists all certificates in your organisation with status and expiry.
+
+### `certops download [certName]`
+
+Downloads a certificate to `/etc/certops/<domain>/` in certbot-compatible format:
+
+```
+/etc/certops/<domain>/
+├── fullchain.pem   # cert + chain
+├── cert.pem        # leaf cert only
+├── chain.pem       # intermediate chain
+└── privkey.pem     # private key (chmod 600)
+```
+
+Requires root (`sudo`).
+
+Options:
+- `-i, --id <id>` — download by certificate ID
+
+### `certops service install`
+
+Installs and configures a systemd background service that monitors certificates and auto-renews them before expiry.
+
+```bash
+sudo -E certops service install
+```
+
+### `certops service <status|start|stop|uninstall|check>`
+
+Manage the background renewal service.
+
+```bash
+certops service status
+sudo certops service start
+sudo certops service stop
+sudo certops service check        # run one renewal cycle now
+sudo certops service uninstall
+journalctl -u certops -f          # follow logs
+```
+
+## Auto-renewal service
+
+The service polls your SSL Pilot account, checks local expiry state, and re-downloads certificates approaching expiry. Hook scripts in `/etc/certops/hooks/` run after each download.
+
+**Hook environment variables:**
+
+| Variable | Value |
+|----------|-------|
+| `SSL_PILOT_CERT_NAME` | Certificate name |
+| `SSL_PILOT_DOMAIN` | Domain (certName from API) |
+| `SSL_PILOT_FULLCHAIN_PATH` | Path to `fullchain.pem` |
+| `SSL_PILOT_CERT_PATH` | Path to `cert.pem` |
+| `SSL_PILOT_CHAIN_PATH` | Path to `chain.pem` |
+| `SSL_PILOT_KEY_PATH` | Path to `privkey.pem` |
+
+**Example hook** (`/etc/certops/hooks/example.com.sh`):
+
+```bash
+#!/usr/bin/env bash
+systemctl reload nginx
+```
+
+## File layout
+
+```
+/etc/certops/
+  config.json          # service configuration
+  state.json           # local expiry cache
+  hooks/
+    global.sh          # runs after every download
+    example.com.sh     # runs after example.com downloads
+  example.com/
+    fullchain.pem
+    cert.pem
+    chain.pem
+    privkey.pem
+```
+
+## Configuration (`/etc/certops/config.json`)
+
+| Field | Default | Description |
+|-------|---------|-------------|
+| `renewalThresholdDays` | `5` | Days before expiry to trigger renewal |
+| `checkIntervalHours` | `12` | How often the daemon checks |
+| `watchDomains` | `[]` | Domains to watch (empty = all active) |
+| `maxDownloadRetries` | `3` | Per-cert retry count on failure |
+| `apiUrl` | ssl-manager.dcom.at | Custom API base URL |
+
+## Update
+
+```bash
+npm install -g certops@latest
+```

package/dist/api.js

@@ -1,32 +1,47 @@
 export function createApiClient(options) {
     const base = (options.apiUrl ?? 'https://ssl-manager.dcom.at').replace(/\/$/, '');
+    const baseHeaders = {
+        'Authorization': `Bearer ${options.apiKey}`,
+        'X-CLI-Version': options.cliVersion,
+    };
+    function handleErrorResponse(status, errors) {
+        const code = errors?.[0]?.code;
+        const msg = errors?.[0]?.message ?? `HTTP ${status}`;
+        if (status === 426 || code === 'CLI_UPDATE_REQUIRED') {
+            throw new Error(`Your certops CLI is out of date (current: v${options.cliVersion}).\n\n` +
+                `  Update now:\n` +
+                `    npm install -g certops@latest\n`);
+        }
+        if (status === 400 && code === 'INVALID_CLI_VERSION') {
+            throw new Error(`Server rejected CLI version header (sent: v${options.cliVersion}).\n\n` +
+                `  Update now:\n` +
+                `    npm install -g certops@latest\n`);
+        }
+        throw new Error(msg);
+    }
     async function request(path) {
         const res = await fetch(`${base}/api/cli${path}`, {
-            headers: {
-                'Authorization': `Bearer ${options.apiKey}`,
-                'Content-Type': 'application/json',
-            },
+            headers: { ...baseHeaders, 'Content-Type': 'application/json' },
         });
         const body = (await res.json());
         if (!res.ok || 'errors' in body) {
             const errBody = body;
-            const msg = errBody.errors?.[0]?.message ?? `HTTP ${res.status}`;
-            throw new Error(msg);
+            handleErrorResponse(res.status, errBody.errors);
         }
         return body.data;
     }
     async function requestBinary(path) {
         const res = await fetch(`${base}/api/cli${path}`, {
-            headers: { 'Authorization': `Bearer ${options.apiKey}` },
+            headers: baseHeaders,
         });
         if (!res.ok) {
-            let msg = `HTTP ${res.status}`;
+            let errors = [];
             try {
                 const body = (await res.json());
-                msg = body.errors?.[0]?.message ?? msg;
+                errors = body.errors ?? [];
             }
             catch { /* ignore */ }
-            throw new Error(msg);
+            handleErrorResponse(res.status, errors);
         }
         return Buffer.from(await res.arrayBuffer());
     }

package/dist/client.js

@@ -1,6 +1,7 @@
 import input from '@inquirer/input';
 import { readConfig } from './config.js';
 import { createApiClient } from './api.js';
+import { CLI_VERSION } from './version.js';
 export async function getConfiguredClient() {
     let apiKey = process.env['CERTOPS_API_KEY'];
     if (!apiKey) {
@@ -17,5 +18,5 @@ export async function getConfiguredClient() {
         });
     }
     const config = await readConfig();
-    return createApiClient({ apiKey, apiUrl: config.apiUrl });
+    return createApiClient({ apiKey, apiUrl: config.apiUrl, cliVersion: CLI_VERSION });
 }

package/dist/commands/service/renew.js

@@ -3,6 +3,7 @@ import { saveZip } from '../../files.js';
 import { readConfig } from '../../config.js';
 import { readState, updateCertState } from '../../state.js';
 import { runHooks } from '../../hooks.js';
+import { CLI_VERSION } from '../../version.js';
 const BASE_RETRY_DELAY_MS = 2_000; // 2 s → 4 s → 8 s …
 function sleep(ms) {
     return new Promise(resolve => setTimeout(resolve, ms));
@@ -22,7 +23,7 @@ export async function resolveApiKey() {
 }
 export async function runRenewalCycle(apiKey, log) {
     const config = await readConfig();
-    const client = createApiClient({ apiKey, apiUrl: config.apiUrl });
+    const client = createApiClient({ apiKey, apiUrl: config.apiUrl, cliVersion: CLI_VERSION });
     const allCerts = await client.listCerts();
     const DOWNLOADABLE = new Set(['active', 'renewing']);
     const certs = (config.watchDomains.length > 0

package/dist/version.js

@@ -0,0 +1,18 @@
+import { readFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+function isPackageJson(value) {
+    return (typeof value === 'object' &&
+        value !== null &&
+        'version' in value &&
+        typeof value.version === 'string');
+}
+function readCliVersion() {
+    const dir = dirname(fileURLToPath(import.meta.url));
+    const path = join(dir, '..', 'package.json');
+    const raw = JSON.parse(readFileSync(path, 'utf8'));
+    if (!isPackageJson(raw))
+        throw new Error('package.json is missing a valid version field');
+    return raw.version;
+}
+export const CLI_VERSION = readCliVersion();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "certops",
-  "version": "1.0.4",
+  "version": "1.0.7",
   "description": "SSL Pilot CLI — download and manage your SSL certificates",
   "type": "module",
   "files": [