Fallback to listener cert when PMA certbot unavailable

2026-02-26 22:06:02 +08:00 · 2026-02-26 22:06:02 +08:00 · 5dd63f99e7
parent e59dbc9af0
commit 5dd63f99e7
1 changed files with 53 additions and 33 deletions
--- a/scripts/pma-gateway/create_pma_gateway.sh
+++ b/scripts/pma-gateway/create_pma_gateway.sh
@ -116,6 +116,7 @@ NEEDS_RESTART=0
 LE_LIVE_DIR="/etc/letsencrypt/live"
 LE_CERT_DIR=""
 CERT_DOMAIN_USED=""
+CERT_SOURCE="Let's Encrypt"

 # Find an existing certificate for the first matching candidate.
 for candidate_host in "${DOMAIN_CANDIDATES[@]}"; do
@ -216,36 +217,35 @@ if [[ -z "$LE_CERT_DIR" ]]; then
    fi

    if [[ -z "$CERTBOT_CMD" ]]; then
-        echo "FATAL: certbot is not available and no existing Let's Encrypt certificate was found for '$ENV_HOST'." >&2
-        exit 1
-    fi
-
-    WEBROOT_PATH="/var/www/webroot/ROOT"
-    ACME_CHALLENGE_DIR="$WEBROOT_PATH/.well-known/acme-challenge"
-    sudo mkdir -p "$ACME_CHALLENGE_DIR"
-
-    if [[ -n "$CONTACT_EMAIL" ]]; then
-        if ! sudo "$CERTBOT_CMD" certonly --webroot -w "$WEBROOT_PATH" -d "$ENV_HOST" --non-interactive --agree-tos --email "$CONTACT_EMAIL"; then
-            echo "FATAL: Failed to issue Let's Encrypt certificate for '$ENV_HOST' using contact email '$CONTACT_EMAIL'." >&2
-            exit 1
-        fi
+        echo "WARNING: certbot is unavailable for on-demand issuance. Will try existing listener certificate files as fallback." >&2
    else
-        if ! sudo "$CERTBOT_CMD" certonly --webroot -w "$WEBROOT_PATH" -d "$ENV_HOST" --non-interactive --agree-tos --register-unsafely-without-email; then
-            echo "FATAL: Failed to issue Let's Encrypt certificate for '$ENV_HOST' without contact email." >&2
-            exit 1
-        fi
-    fi
+        WEBROOT_PATH="/var/www/webroot/ROOT"
+        ACME_CHALLENGE_DIR="$WEBROOT_PATH/.well-known/acme-challenge"
+        sudo mkdir -p "$ACME_CHALLENGE_DIR"

-    # Re-check exact and suffixed certificate directories after issuance.
-    if [[ -d "$LE_LIVE_DIR/$ENV_HOST" ]] && [[ -f "$LE_LIVE_DIR/$ENV_HOST/privkey.pem" ]] && [[ -f "$LE_LIVE_DIR/$ENV_HOST/fullchain.pem" ]]; then
-        LE_CERT_DIR="$LE_LIVE_DIR/$ENV_HOST"
-    else
-        for dir in "$LE_LIVE_DIR/$ENV_HOST"-*/; do
-            if [[ -d "$dir" ]] && [[ -f "$dir/privkey.pem" ]] && [[ -f "$dir/fullchain.pem" ]]; then
-                LE_CERT_DIR="${dir%/}"
-                break
+        if [[ -n "$CONTACT_EMAIL" ]]; then
+            if ! sudo "$CERTBOT_CMD" certonly --webroot -w "$WEBROOT_PATH" -d "$ENV_HOST" --non-interactive --agree-tos --email "$CONTACT_EMAIL"; then
+                echo "FATAL: Failed to issue Let's Encrypt certificate for '$ENV_HOST' using contact email '$CONTACT_EMAIL'." >&2
+                exit 1
            fi
-        done
+        else
+            if ! sudo "$CERTBOT_CMD" certonly --webroot -w "$WEBROOT_PATH" -d "$ENV_HOST" --non-interactive --agree-tos --register-unsafely-without-email; then
+                echo "FATAL: Failed to issue Let's Encrypt certificate for '$ENV_HOST' without contact email." >&2
+                exit 1
+            fi
+        fi
+
+        # Re-check exact and suffixed certificate directories after issuance.
+        if [[ -d "$LE_LIVE_DIR/$ENV_HOST" ]] && [[ -f "$LE_LIVE_DIR/$ENV_HOST/privkey.pem" ]] && [[ -f "$LE_LIVE_DIR/$ENV_HOST/fullchain.pem" ]]; then
+            LE_CERT_DIR="$LE_LIVE_DIR/$ENV_HOST"
+        else
+            for dir in "$LE_LIVE_DIR/$ENV_HOST"-*/; do
+                if [[ -d "$dir" ]] && [[ -f "$dir/privkey.pem" ]] && [[ -f "$dir/fullchain.pem" ]]; then
+                    LE_CERT_DIR="${dir%/}"
+                    break
+                fi
+            done
+        fi
    fi
 fi

@ -254,11 +254,30 @@ if [[ -n "$LE_CERT_DIR" ]]; then
    LE_KEY_FILE="$LE_CERT_DIR/privkey.pem"
    LE_CERT_FILE="$LE_CERT_DIR/fullchain.pem"
 else
-    echo "FATAL: Let's Encrypt certificate directory could not be found for ENV_HOST: $ENV_HOST" >&2
-    echo "       Checked candidates: ${DOMAIN_CANDIDATES[*]}" >&2
-    echo "       Checked specific path: $LE_LIVE_DIR/$ENV_HOST" >&2
-    echo "       Checked suffixed paths: $LE_LIVE_DIR/${ENV_HOST}-*" >&2
-    exit 1
+    FALLBACK_KEY_FILE=""
+    FALLBACK_CERT_FILE=""
+
+    if [[ -f "/var/www/ssl/litespeed.key" ]] && [[ -f "/var/www/ssl/litespeed.crt" ]]; then
+        FALLBACK_KEY_FILE="/var/www/ssl/litespeed.key"
+        FALLBACK_CERT_FILE="/var/www/ssl/litespeed.crt"
+    elif [[ -f "/usr/local/lsws/conf/server.key" ]] && [[ -f "/usr/local/lsws/conf/server.crt" ]]; then
+        FALLBACK_KEY_FILE="/usr/local/lsws/conf/server.key"
+        FALLBACK_CERT_FILE="/usr/local/lsws/conf/server.crt"
+    fi
+
+    if [[ -n "$FALLBACK_KEY_FILE" ]] && [[ -n "$FALLBACK_CERT_FILE" ]]; then
+        LE_KEY_FILE="$FALLBACK_KEY_FILE"
+        LE_CERT_FILE="$FALLBACK_CERT_FILE"
+        CERT_SOURCE="Listener fallback"
+        echo "WARNING: No Let's Encrypt certificate available for '$ENV_HOST'. Using existing listener certificate files instead." >&2
+    else
+        echo "FATAL: No usable certificate files were found for PMA gateway TLS." >&2
+        echo "       Checked Let's Encrypt candidates: ${DOMAIN_CANDIDATES[*]}" >&2
+        echo "       Checked LE exact path: $LE_LIVE_DIR/$ENV_HOST" >&2
+        echo "       Checked LE suffixed paths: $LE_LIVE_DIR/${ENV_HOST}-*" >&2
+        echo "       Checked listener fallback paths: /var/www/ssl/litespeed.{key,crt}, /usr/local/lsws/conf/server.{key,crt}" >&2
+        exit 1
+    fi
 fi

 # Check if the Let's Encrypt files exist at the determined paths
@ -268,7 +287,8 @@ if [[ ! -f "$LE_KEY_FILE" ]] || [[ ! -f "$LE_CERT_FILE" ]]; then
    echo "         Cert: $LE_CERT_FILE" >&2
    exit 1
 fi
-echo "INFO: Using Let's Encrypt certificate paths:" >&2
+echo "INFO: Using certificate source: $CERT_SOURCE" >&2
+echo "INFO: Using certificate paths:" >&2
 echo "         Key: $LE_KEY_FILE" >&2
 echo "         Cert: $LE_CERT_FILE" >&2