Skip to content

Instantly share code, notes, and snippets.

@Adrian-Grimm

Adrian-Grimm/ngix-pm-cert-download.bash

Last active August 24, 2025 11:46
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save Adrian-Grimm/ee98df0ee9e0080f2f338dec226447cb to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save Adrian-Grimm/ee98df0ee9e0080f2f338dec226447cb to your computer and use it in GitHub Desktop.
Download ZIP
Script to fetch the Cert from an NGINX Proxy Manager
Raw
ngix-pm-cert-download.bash
#!/usr/bin/env bash
set -euo pipefail
# Defaults
declare -a CURL_FLAGS=()
API_HOST=""
API_USER=""
API_PASS=""
CERT_NAME=""
CERT_ID=""
OUT_DIR=""
usage() {
cat <<EOF
Usage:
$(basename "$0") -h <api_base_url> -u <email> -p <password> (-n <cert_name> | -i <cert_id>) -o <output_dir> [--insecure]
EOF
}
# Parameter
while [[ $# -gt 0 ]]; do
case "$1" in
-h|--host) API_HOST="$2"; shift 2;;
-u|--user) API_USER="$2"; shift 2;;
-p|--pass) API_PASS="$2"; shift 2;;
-n|--name) CERT_NAME="$2"; shift 2;;
-i|--id) CERT_ID="$2"; shift 2;;
-o|--out) OUT_DIR="$2"; shift 2;;
--insecure) CURL_FLAGS+=(--insecure); shift;;
-?|--help) usage; exit 0;;
*) echo "Unknown argument: $1"; usage; exit 1;;
esac
done
[[ -z "$API_HOST" || -z "$API_USER" || -z "$API_PASS" || -z "$OUT_DIR" ]] && { echo "❌ Missing required arguments."; usage; exit 1; }
[[ -z "$CERT_NAME" && -z "$CERT_ID" ]] && { echo "❌ Provide either --name or --id."; usage; exit 1; }
for bin in curl jq unzip; do
command -v "$bin" >/dev/null || { echo "❌ Missing dependency: $bin"; exit 1; }
done
API_HOST="${API_HOST%/}"
# 1) Login
LOGIN_JSON=$(jq -n --arg identity "$API_USER" --arg secret "$API_PASS" '{identity:$identity, secret:$secret}')
AUTH_RESP=$(curl -sS ${CURL_FLAGS[@]+"${CURL_FLAGS[@]}"} -H "Content-Type: application/json" \
-X POST "$API_HOST/api/tokens" -d "$LOGIN_JSON")
JWT=$(echo "$AUTH_RESP" | jq -r '.token // empty')
[[ -z "$JWT" || "$JWT" == "null" ]] && { echo "❌ Authentication failed"; echo "$AUTH_RESP"; exit 1; }
AUTH_HDR=("Authorization: Bearer $JWT")
# 2) Cert-ID search
if [[ -n "$CERT_NAME" && -z "$CERT_ID" ]]; then
CERTS_JSON=$(curl -sS ${CURL_FLAGS[@]+"${CURL_FLAGS[@]}"} -H "${AUTH_HDR[@]}" "$API_HOST/api/nginx/certificates")
if ! echo "$CERTS_JSON" | jq -e 'type=="array"' >/dev/null; then
echo "❌ Unexpected certificates response:"; echo "$CERTS_JSON"; exit 1
fi
CERT_ID=$(echo "$CERTS_JSON" | jq -r --arg n "$CERT_NAME" '
.[]? | select((.nice_name == $n) or ((.domain_names // []) | any(. == $n))) | .id' | head -n1)
[[ -z "$CERT_ID" ]] && { echo "❌ No certificate with name/domain '$CERT_NAME'"; exit 1; }
fi
# 3) get cert details
CERT_DETAIL=$(curl -sS ${CURL_FLAGS[@]+"${CURL_FLAGS[@]}"} -H "${AUTH_HDR[@]}" \
"$API_HOST/api/nginx/certificates/$CERT_ID")
if ! echo "$CERT_DETAIL" | jq -e 'type=="object" and (.id? != null)' >/dev/null; then
echo "❌ Failed to fetch certificate"; echo "$CERT_DETAIL"; exit 1
fi
mkdir -p "$OUT_DIR"
umask 077
CERT_PEM=$(echo "$CERT_DETAIL" | jq -r '.meta.certificate // empty')
KEY_PEM=$(echo "$CERT_DETAIL" | jq -r '.meta.certificate_key // empty')
if [[ -n "$CERT_PEM" && -n "$KEY_PEM" && "$CERT_PEM" != "null" && "$KEY_PEM" != "null" ]]; then
# extract from json
echo "$CERT_PEM" > "$OUT_DIR/fullchain.pem"
echo "$KEY_PEM" > "$OUT_DIR/privkey.pem"
else
# Download-ZIP and extract
TMP_ZIP=$(mktemp)
curl -sS ${CURL_FLAGS[@]+"${CURL_FLAGS[@]}"} -H "${AUTH_HDR[@]}" \
"$API_HOST/api/nginx/certificates/$CERT_ID/download" -o "$TMP_ZIP"
unzip -o -j "$TMP_ZIP" -d "$OUT_DIR"
rm -f "$TMP_ZIP"
fi
echo "✅ Certificate exported to: $OUT_DIR"
ls -l "$OUT_DIR"
@Adrian-Grimm
Copy link
Author

Adrian-Grimm commented Aug 24, 2025

Bash Version of: https://gist.github.com/Adrian-Grimm/336346f3e37e4843bd8e04b9802e6573

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment