tony
/
mb-admin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix certificate mismatch

main
TonyGarces 2025-03-21 02:22:22 +08:00
parent 83b158d7e0
commit 40402a4454
1 changed files with 270 additions and 96 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

366
scripts/ssl-manager/ssl_manager.sh
View File

@ -122,43 +122,23 @@ update_litespeed_config() {
cp "$config_file" "$backup_file" cp "$config_file" "$backup_file"
log "Created backup of LiteSpeed configuration at $backup_file" log "Created backup of LiteSpeed configuration at $backup_file"
# First, clean up any redundant listeners for this domain # Clean up any redundant listeners for this domain
cleanup_redundant_listeners "$config_file" "$DOMAIN" cleanup_redundant_listeners "$config_file" "$DOMAIN"
# After cleaning up redundant listeners but before adding domain mappings, # Create domain-specific virtual host
# create a virtual host for the domain if ! create_domain_virtual_host "$DOMAIN"; then
create_domain_virtual_host "$DOMAIN" log "ERROR: Failed to create virtual host for $DOMAIN. Aborting configuration update."
return 1
# Check if the required listeners exist and contain correct cert paths
local need_cert_update=false
local has_domain_listener=false
# Check if domain exists in HTTPS and HTTPS-ipv6 listeners with correct cert paths
if grep -A30 "<name>HTTPS</name>" "$config_file" | grep -q "<domain>$DOMAIN</domain>" && \
grep -A30 "<name>HTTPS-ipv6</name>" "$config_file" | grep -q "<domain>$DOMAIN</domain>"; then
# Domain exists in both listeners, check cert paths
if ! grep -A30 "<name>HTTPS</name>" "$config_file" | grep -q "<keyFile>$key_file</keyFile>" || \
! grep -A30 "<name>HTTPS-ipv6</name>" "$config_file" | grep -q "<keyFile>$key_file</keyFile>"; then
need_cert_update=true
log "Certificate paths need updating"
else
log "Domain mappings and certificate paths are already correct"
fi
else
log "Domain mappings need to be added"
fi fi
# Update certificate paths if needed # Create domain-specific listener
if [ "$need_cert_update" = true ]; then if ! create_domain_listener "$DOMAIN"; then
log "Updating certificate paths..." log "ERROR: Failed to create listener for $DOMAIN. Aborting configuration update."
# Update keyFile and certFile for all listeners that match our domain return 1
sed -i "/<listener>/,/<\/listener>/ s|<keyFile>.*letsencrypt/live/$DOMAIN/.*</keyFile>|<keyFile>$key_file</keyFile>|g" "$config_file"
sed -i "/<listener>/,/<\/listener>/ s|<certFile>.*letsencrypt/live/$DOMAIN/.*</certFile>|<certFile>$cert_file</certFile>|g" "$config_file"
fi fi
# Add domain mapping to listeners (modified function will use the correct virtual host) # Remove domain from shared listeners - safer to avoid certificate mismatch errors
add_domain_mapping "HTTPS" remove_domain_from_shared_listeners
add_domain_mapping "HTTPS-ipv6"
# Final validation of the complete file # Final validation of the complete file
if ! validate_xml_config "$config_file" "$backup_file"; then if ! validate_xml_config "$config_file" "$backup_file"; then
@ -167,7 +147,7 @@ update_litespeed_config() {
return 1 return 1
fi fi
log "LiteSpeed configuration updated successfully with proper domain-to-virtualhost mapping." log "LiteSpeed configuration updated successfully with dedicated domain configuration."
return 0 return 0
} }
@ -439,68 +419,53 @@ install_xml_tools() {
return 0 return 0
} }
# New function to create or update domain-specific virtual host # Function to create or update a domain-specific HTTPS listener
create_domain_virtual_host() {
local domain="$1"
local config_file="/var/www/conf/httpd_config.xml"
local vhost_name="${domain//./_}" # Replace dots with underscores for uniqueness
log "Checking if virtual host for $domain needs to be created..."
# Check if virtual host already exists
if grep -q "<name>$vhost_name</name>" "$config_file"; then
log "Virtual host '$vhost_name' already exists, skipping creation."
return 0
fi
log "Creating virtual host for $domain..."
local temp_file=$(mktemp)
# Create the virtual host definition
local vhost_config="<virtualHost>\n <name>$vhost_name</name>\n <vhRoot>/var/www/webroot/</vhRoot>\n <configFile>\$SERVER_ROOT/conf/vhconf.xml</configFile>\n <allowSymbolLink>1</allowSymbolLink>\n <enableScript>1</enableScript>\n <restrained>1</restrained>\n <setUIDMode>0</setUIDMode>\n <chrootMode>0</chrootMode>\n</virtualHost>"
# Insert the virtual host before the end of virtualHostList tag
awk -v vhost="$vhost_config" '
/<\/virtualHostList>/ { print " " vhost; }
{ print }
' "$config_file" > "$temp_file"
# Check if file looks valid
if [ -s "$temp_file" ] && grep -q "<httpServerConfig>" "$temp_file" && grep -q "</httpServerConfig>" "$temp_file"; then
cp "$temp_file" "$config_file"
log "Virtual host for $domain created successfully."
else
log "Error: Generated configuration appears invalid. Virtual host not created."
rm -f "$temp_file"
return 1
fi
rm -f "$temp_file"
return 0
}
# Add a new function to create a domain-specific HTTPS listener
create_domain_listener() { create_domain_listener() {
local domain="$1" local domain="$1"
local config_file="/var/www/conf/httpd_config.xml"
local vhost_name="${domain//[.]/_}"
local key_file="/etc/letsencrypt/live/$domain/privkey.pem" local key_file="/etc/letsencrypt/live/$domain/privkey.pem"
local cert_file="/etc/letsencrypt/live/$domain/fullchain.pem" local cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"
local config_file="/var/www/conf/httpd_config.xml" local timestamp=$(date +%Y%m%d%H%M%S)
local vhost_name="${domain%%.*}" local backup_file="${config_file}.backup.${timestamp}"
log "Creating domain-specific HTTPS listener for $domain..." log "Creating/updating domain-specific HTTPS listener for $domain..."
# Create backup if not already done
if [ ! -f "$backup_file" ]; then
cp "$config_file" "$backup_file"
log "Created backup of LiteSpeed configuration at $backup_file"
fi
# Check if listener already exists # Check if listener already exists
if grep -q "<name>HTTPS-$domain</name>" "$config_file"; then if grep -q "<name>HTTPS-$domain</name>" "$config_file"; then
log "HTTPS listener for $domain already exists, updating certificate paths..." log "HTTPS listener for $domain already exists, updating configuration..."
sed -i "/<name>HTTPS-$domain<\/name>/,/<\/listener>/s|<keyFile>.*</keyFile>|<keyFile>$key_file</keyFile>|" "$config_file"
sed -i "/<name>HTTPS-$domain<\/name>/,/<\/listener>/s|<certFile>.*</certFile>|<certFile>$cert_file</certFile>|" "$config_file" # Update certificate paths in existing listener
sed -i "/<name>HTTPS-$domain<\/name>/,/<\/listener>/ s|<keyFile>.*</keyFile>|<keyFile>$key_file</keyFile>|" "$config_file"
sed -i "/<name>HTTPS-$domain<\/name>/,/<\/listener>/ s|<certFile>.*</certFile>|<certFile>$cert_file</certFile>|" "$config_file"
# Verify updates were applied
if grep -A5 "<name>HTTPS-$domain</name>" "$config_file" | grep -q "$key_file"; then
log "Certificate paths updated successfully for $domain listener."
else
log "ERROR: Failed to update certificate paths for $domain listener."
return 1
fi
return 0 return 0
fi fi
# Create a new listener with domain-specific settings log "Creating new HTTPS listener for $domain..."
local temp_file=$(mktemp)
# Insert the new listener before the end of listenerList # Create a temporary file for XML editing
local temp_file=$(mktemp)
if [ ! -f "$temp_file" ]; then
log "ERROR: Failed to create temporary file for configuration update."
return 1
fi
# Insert new listener into configuration before listenerList end tag
awk -v domain="$domain" -v vhost="$vhost_name" -v key="$key_file" -v cert="$cert_file" ' awk -v domain="$domain" -v vhost="$vhost_name" -v key="$key_file" -v cert="$cert_file" '
/<\/listenerList>/ { /<\/listenerList>/ {
print " <listener>" print " <listener>"
@ -522,12 +487,233 @@ create_domain_listener() {
print " <sslSessionTickets>1</sslSessionTickets>" print " <sslSessionTickets>1</sslSessionTickets>"
print " <enableSpdy>15</enableSpdy>" print " <enableSpdy>15</enableSpdy>"
print " </listener>" print " </listener>"
print $0
next
} }
{ print } { print }
' "$config_file" > "$temp_file" ' "$config_file" > "$temp_file"
mv "$temp_file" "$config_file" # Validate the temporary file
log "Domain-specific HTTPS listener created for $domain." if [ ! -s "$temp_file" ]; then
log "ERROR: Generated configuration is empty. Keeping original configuration."
rm -f "$temp_file"
return 1
fi
# Check for basic XML validity
if ! grep -q "<httpServerConfig>" "$temp_file" || ! grep -q "</httpServerConfig>" "$temp_file"; then
log "ERROR: Generated configuration appears invalid. Keeping original configuration."
rm -f "$temp_file"
return 1
fi
# Apply changes
cp "$temp_file" "$config_file"
if [ $? -ne 0 ]; then
log "ERROR: Failed to update configuration file. Keeping original configuration."
rm -f "$temp_file"
return 1
fi
# Clean up temp file
rm -f "$temp_file"
log "Domain-specific HTTPS listener for $domain created successfully."
return 0
}
# Function to create or update domain-specific virtual host
create_domain_virtual_host() {
local domain="$1"
local config_file="/var/www/conf/httpd_config.xml"
local vhost_name="${domain//[.]/_}"
log "Checking if virtual host for $domain needs to be created..."
# Check if virtual host already exists
if grep -q "<name>$vhost_name</name>" "$config_file"; then
log "Virtual host '$vhost_name' already exists, skipping creation."
return 0
fi
log "Creating virtual host for $domain..."
local temp_file=$(mktemp)
if [ ! -f "$temp_file" ]; then
log "ERROR: Failed to create temporary file for virtual host creation."
return 1
fi
# Insert new virtual host before virtualHostList end tag
awk -v vhost="$vhost_name" '
/<\/virtualHostList>/ {
print " <virtualHost>"
print " <name>" vhost "</name>"
print " <vhRoot>/var/www/webroot/</vhRoot>"
print " <configFile>$SERVER_ROOT/conf/vhconf.xml</configFile>"
print " <allowSymbolLink>1</allowSymbolLink>"
print " <enableScript>1</enableScript>"
print " <restrained>1</restrained>"
print " <setUIDMode>0</setUIDMode>"
print " <chrootMode>0</chrootMode>"
print " </virtualHost>"
print $0
next
}
{ print }
' "$config_file" > "$temp_file"
# Validate the temporary file
if [ ! -s "$temp_file" ]; then
log "ERROR: Generated virtual host configuration is empty. Keeping original configuration."
rm -f "$temp_file"
return 1
fi
# Apply changes
cp "$temp_file" "$config_file"
if [ $? -ne 0 ]; then
log "ERROR: Failed to update configuration with new virtual host. Keeping original configuration."
rm -f "$temp_file"
return 1
fi
# Clean up
rm -f "$temp_file"
log "Virtual host for $domain created successfully."
return 0
}
# Function to remove domain from shared listeners to avoid certificate mismatch
remove_domain_from_shared_listeners() {
local config_file="/var/www/conf/httpd_config.xml"
local domain="$DOMAIN"
log "Removing $domain from shared listeners to prevent certificate mismatch..."
# Create temporary file
local temp_file=$(mktemp)
if [ ! -f "$temp_file" ]; then
log "ERROR: Failed to create temporary file for shared listener cleanup."
return 1
fi
# For HTTPS listener
awk -v domain="$domain" '
/<name>HTTPS<\/name>/,/<\/listener>/ {
if ($0 ~ /<vhostMap>/) {
in_vhostmap = 1
vhostmap_buffer = $0 "\n"
next
}
if (in_vhostmap) {
vhostmap_buffer = vhostmap_buffer $0 "\n"
if ($0 ~ /<\/vhostMap>/) {
if (vhostmap_buffer !~ domain) {
printf "%s", vhostmap_buffer
}
in_vhostmap = 0
vhostmap_buffer = ""
}
next
}
}
{ print }
' "$config_file" > "$temp_file"
# Check if changes were made correctly
if [ ! -s "$temp_file" ]; then
log "ERROR: Generated configuration is empty after domain removal. Keeping original configuration."
rm -f "$temp_file"
return 1
fi
cp "$temp_file" "$config_file"
rm -f "$temp_file"
# For HTTPS-ipv6 listener - repeat the process
temp_file=$(mktemp)
if [ ! -f "$temp_file" ]; then
log "ERROR: Failed to create temporary file for shared listener cleanup."
return 1
fi
awk -v domain="$domain" '
/<name>HTTPS-ipv6<\/name>/,/<\/listener>/ {
if ($0 ~ /<vhostMap>/) {
in_vhostmap = 1
vhostmap_buffer = $0 "\n"
next
}
if (in_vhostmap) {
vhostmap_buffer = vhostmap_buffer $0 "\n"
if ($0 ~ /<\/vhostMap>/) {
if (vhostmap_buffer !~ domain) {
printf "%s", vhostmap_buffer
}
in_vhostmap = 0
vhostmap_buffer = ""
}
next
}
}
{ print }
' "$config_file" > "$temp_file"
if [ ! -s "$temp_file" ]; then
log "ERROR: Generated configuration is empty after domain removal. Keeping original configuration."
rm -f "$temp_file"
return 1
fi
cp "$temp_file" "$config_file"
rm -f "$temp_file"
log "Domain successfully removed from shared listeners."
return 0
}
# Restart LiteSpeed with extra verification
restart_litespeed() {
log "Restarting LiteSpeed web server..."
# Verify configuration before restart
if command -v /usr/local/lsws/bin/lshttpd > /dev/null; then
log "Verifying LiteSpeed configuration before restart..."
/usr/local/lsws/bin/lshttpd -t
if [ $? -ne 0 ]; then
log "ERROR: LiteSpeed configuration test failed. Not restarting server."
return 1
fi
log "LiteSpeed configuration verified successfully."
fi
# Now restart the service
if systemctl is-active --quiet lsws; then
systemctl restart lsws
if [ $? -ne 0 ]; then
log "ERROR: Failed to restart LiteSpeed. Please check logs."
return 1
fi
# Verify LiteSpeed is running after restart
sleep 2
if ! systemctl is-active --quiet lsws; then
log "ERROR: LiteSpeed failed to start after restart. Please check logs."
return 1
fi
log "LiteSpeed successfully restarted."
else
systemctl start lsws
if [ $? -ne 0 ]; then
log "ERROR: Failed to start LiteSpeed. Please check logs."
return 1
fi
log "LiteSpeed was not running. Started the service."
fi
return 0
} }
# Parse input parameters # Parse input parameters
@ -609,18 +795,6 @@ fi
CERTBOT_CMD="certbot certonly --webroot -w /var/www/webroot/ROOT -d $DOMAIN --agree-tos --non-interactive" CERTBOT_CMD="certbot certonly --webroot -w /var/www/webroot/ROOT -d $DOMAIN --agree-tos --non-interactive"
[[ -n "${EMAIL:-}" ]] && CERTBOT_CMD+=" --email $EMAIL" [[ -n "${EMAIL:-}" ]] && CERTBOT_CMD+=" --email $EMAIL"
# Improved LiteSpeed service handling
restart_litespeed() {
log "Restarting LiteSpeed web server..."
if systemctl is-active --quiet lsws; then
systemctl reload lsws || systemctl restart lsws
log "LiteSpeed successfully restarted."
else
systemctl start lsws
log "LiteSpeed was not running. Started the service."
fi
}
# After Certbot installation and before existing certificate check # After Certbot installation and before existing certificate check
install_xml_tools install_xml_tools