diff --git a/scripts/pma-gateway/create_pma_gateway.sh b/scripts/pma-gateway/create_pma_gateway.sh
index 60a52b1..63c328a 100644
--- a/scripts/pma-gateway/create_pma_gateway.sh
+++ b/scripts/pma-gateway/create_pma_gateway.sh
@@ -30,6 +30,51 @@ else
ENV_HOST=${ENV_HOST#node*-} # strip nodeXXXX-
fi
+# ==============================================================================
+# Step 1: Ensure xmlstarlet is installed for safe XML parsing
+# ==============================================================================
+if ! command -v xmlstarlet &> /dev/null; then
+ echo "xmlstarlet not found. Installing for safe XML parsing..." >&2
+ if ! sudo dnf install -y xmlstarlet; then
+ echo "FATAL: Failed to install xmlstarlet. Cannot safely read LiteSpeed config." >&2
+ exit 1
+ fi
+fi
+
+# ==============================================================================
+# Step 2: Dynamically read SSL configuration from main LiteSpeed config
+# ==============================================================================
+LITESPEED_CONFIG="/var/www/conf/httpd_config.xml"
+KEY_FILE_PATH=""
+CERT_FILE_PATH=""
+
+if [[ -f "$LITESPEED_CONFIG" ]]; then
+ echo "Reading SSL configuration from LiteSpeed main config..." >&2
+
+ # Query the main HTTPS listener (port 443) for keyFile and certFile
+ # This is the most specific and robust XPath
+ KEY_FILE_PATH=$(sudo xmlstarlet sel -t -v \
+ "//httpServerConfig/listenerList/listener[name='HTTPS' and secure='1' and address='*:443'][1]/keyFile" \
+ "$LITESPEED_CONFIG" 2>/dev/null | xargs)
+
+ CERT_FILE_PATH=$(sudo xmlstarlet sel -t -v \
+ "//httpServerConfig/listenerList/listener[name='HTTPS' and secure='1' and address='*:443'][1]/certFile" \
+ "$LITESPEED_CONFIG" 2>/dev/null | xargs)
+fi
+
+# ==============================================================================
+# Step 3: Implement fallback to default self-signed certificate
+# ==============================================================================
+if [[ -z "$KEY_FILE_PATH" ]] || [[ -z "$CERT_FILE_PATH" ]]; then
+ echo "No custom SSL certificate found. Falling back to default self-signed certificate." >&2
+ # Use SINGLE quotes to write the literal string "$SERVER_ROOT" to the config,
+ # not the shell variable. This is critical.
+ KEY_FILE_PATH='$SERVER_ROOT/ssl/litespeed.key'
+ CERT_FILE_PATH='$SERVER_ROOT/ssl/litespeed.crt'
+else
+ echo "Using SSL certificate: $CERT_FILE_PATH" >&2
+fi
+
PMADB_DIR="/usr/share/phpMyAdmin"
GATEWAY_FILE="$PMADB_DIR/access-db-$SLUG.php"
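Review bot: The `| xargs` on L33 and L37, used only to trim whitespace, re-parses the value as xargs input and hands it to echo, so a keyFile/certFile path containing a quote or backslash is mangled or fails with an unmatched-quote error, and the preceding `2>/dev/null` hides that together with any xmlstarlet parse or permission error, so a damaged or unreadable config is silently treated as "no HTTPS listener" and the self-signed fallback is written. Trimming with parameter expansion keeps the path byte-exact, the XPath can be shared by both queries, and leaving stderr visible makes the failure mode reportable; the `|| true` below preserves the current behaviour that a no-match query does not abort the script (the pipeline previously returned xargs's status). The discovered paths are also accepted without any check that they exist, so a stale entry only surfaces when LiteSpeed restarts; `sudo test -r -- "$KEY_FILE_PATH"` before the `else` branch on L49 would catch that earlier, restricted to absolute paths since the config may hold `$SERVER_ROOT`-relative values.
```shell
# … unchanged: Step 1 xmlstarlet check, LITESPEED_CONFIG / *_PATH defaults …
if [[ -f "$LITESPEED_CONFIG" ]]; then
  echo "Reading SSL configuration from LiteSpeed main config..." >&2

  # Strip leading/trailing whitespace in the shell; xargs would re-parse quotes
  # and backslashes in the path and pass it to echo.
  trim_ws() {
    local s=$1
    s=${s#"${s%%[![:space:]]*}"}
    s=${s%"${s##*[![:space:]]}"}
    printf '%s' "$s"
  }

  # Main HTTPS listener (port 443); shared by both queries below.
  LISTENER_XPATH="//httpServerConfig/listenerList/listener[name='HTTPS' and secure='1' and address='*:443'][1]"

  # stderr stays visible so a parse/permission failure is not mistaken for "no listener";
  # `|| true` keeps a no-match query from aborting the script, as the old pipeline did.
  KEY_FILE_PATH=$(trim_ws "$(sudo xmlstarlet sel -t -v "$LISTENER_XPATH/keyFile" "$LITESPEED_CONFIG" || true)")
  CERT_FILE_PATH=$(trim_ws "$(sudo xmlstarlet sel -t -v "$LISTENER_XPATH/certFile" "$LITESPEED_CONFIG" || true)")
fi
# … unchanged: Step 3 fallback …
```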
@@ -120,8 +165,8 @@ if [ ! -s "$VHOST_CONFIG" ]; then
RewriteRule ^/nospider/ - [F]
- /var/www/ssl/litespeed.key
- /var/www/ssl/litespeed.crt
+ __KEY_FILE_PLACEHOLDER__
+ __CERT_FILE_PLACEHOLDER__
1
@@ -139,6 +184,20 @@ RewriteRule ^/nospider/ - [F]
EOF
+
+ # ==============================================================================
+ # Step 5: Inject the discovered certificate paths using sed
+ # ==============================================================================
+ # Escape special characters (/, $, &, \, ') in paths for use with sed
+ ESCAPED_KEY_PATH=$(printf '%s\n' "$KEY_FILE_PATH" | sed 's/[\/&$\\'"'"']/\\&/g')
+ ESCAPED_CERT_PATH=$(printf '%s\n' "$CERT_FILE_PATH" | sed 's/[\/&$\\'"'"']/\\&/g')
+
+ # Replace placeholders with actual certificate paths
+ sudo sed -i "s|__KEY_FILE_PLACEHOLDER__|$ESCAPED_KEY_PATH|g" "$VHOST_CONFIG"
+ sudo sed -i "s|__CERT_FILE_PLACEHOLDER__|$ESCAPED_CERT_PATH|g" "$VHOST_CONFIG"
+
+ echo "SSL certificate paths injected into vhost configuration." >&2
+
NEEDS_RESTART=1
fi