From 5dd63f99e7278a55b4979bb7c068e4ca2c4cd3cc Mon Sep 17 00:00:00 2001
From: Anthony
Date: Thu, 26 Feb 2026 22:06:02 +0800
Subject: [PATCH] Fallback to listener cert when PMA certbot unavailable

---
 scripts/pma-gateway/create_pma_gateway.sh | 86 ++++++++++++++---------
 1 file changed, 53 insertions(+), 33 deletions(-)

diff --git a/scripts/pma-gateway/create_pma_gateway.sh b/scripts/pma-gateway/create_pma_gateway.sh
index 0a310dd..e619812 100644
--- a/scripts/pma-gateway/create_pma_gateway.sh
+++ b/scripts/pma-gateway/create_pma_gateway.sh
@@ -116,6 +116,7 @@ NEEDS_RESTART=0
 LE_LIVE_DIR="/etc/letsencrypt/live"
 LE_CERT_DIR=""
 CERT_DOMAIN_USED=""
+CERT_SOURCE="Let's Encrypt"
 
 # Find an existing certificate for the first matching candidate.
 for candidate_host in "${DOMAIN_CANDIDATES[@]}"; do
@@ -216,36 +217,35 @@ if [[ -z "$LE_CERT_DIR" ]]; then
     fi
     if [[ -z "$CERTBOT_CMD" ]]; then
-        echo "FATAL: certbot is not available and no existing Let's Encrypt certificate was found for '$ENV_HOST'." >&2
-        exit 1
-    fi
-
-    WEBROOT_PATH="/var/www/webroot/ROOT"
-    ACME_CHALLENGE_DIR="$WEBROOT_PATH/.well-known/acme-challenge"
-    sudo mkdir -p "$ACME_CHALLENGE_DIR"
-
-    if [[ -n "$CONTACT_EMAIL" ]]; then
-        if ! sudo "$CERTBOT_CMD" certonly --webroot -w "$WEBROOT_PATH" -d "$ENV_HOST" --non-interactive --agree-tos --email "$CONTACT_EMAIL"; then
-            echo "FATAL: Failed to issue Let's Encrypt certificate for '$ENV_HOST' using contact email '$CONTACT_EMAIL'." >&2
-            exit 1
-        fi
+        echo "WARNING: certbot is unavailable for on-demand issuance. Will try existing listener certificate files as fallback." >&2
     else
-        if ! sudo "$CERTBOT_CMD" certonly --webroot -w "$WEBROOT_PATH" -d "$ENV_HOST" --non-interactive --agree-tos --register-unsafely-without-email; then
-            echo "FATAL: Failed to issue Let's Encrypt certificate for '$ENV_HOST' without contact email." >&2
-            exit 1
-        fi
-    fi
+        WEBROOT_PATH="/var/www/webroot/ROOT"
+        ACME_CHALLENGE_DIR="$WEBROOT_PATH/.well-known/acme-challenge"
+        sudo mkdir -p "$ACME_CHALLENGE_DIR"
 
-    # Re-check exact and suffixed certificate directories after issuance.
-    if [[ -d "$LE_LIVE_DIR/$ENV_HOST" ]] && [[ -f "$LE_LIVE_DIR/$ENV_HOST/privkey.pem" ]] && [[ -f "$LE_LIVE_DIR/$ENV_HOST/fullchain.pem" ]]; then
-        LE_CERT_DIR="$LE_LIVE_DIR/$ENV_HOST"
-    else
-        for dir in "$LE_LIVE_DIR/$ENV_HOST"-*/; do
-            if [[ -d "$dir" ]] && [[ -f "$dir/privkey.pem" ]] && [[ -f "$dir/fullchain.pem" ]]; then
-                LE_CERT_DIR="${dir%/}"
-                break
+        if [[ -n "$CONTACT_EMAIL" ]]; then
+            if ! sudo "$CERTBOT_CMD" certonly --webroot -w "$WEBROOT_PATH" -d "$ENV_HOST" --non-interactive --agree-tos --email "$CONTACT_EMAIL"; then
+                echo "FATAL: Failed to issue Let's Encrypt certificate for '$ENV_HOST' using contact email '$CONTACT_EMAIL'." >&2
+                exit 1
             fi
-        done
+        else
+            if ! sudo "$CERTBOT_CMD" certonly --webroot -w "$WEBROOT_PATH" -d "$ENV_HOST" --non-interactive --agree-tos --register-unsafely-without-email; then
+                echo "FATAL: Failed to issue Let's Encrypt certificate for '$ENV_HOST' without contact email." >&2
+                exit 1
+            fi
+        fi
+
+        # Re-check exact and suffixed certificate directories after issuance.
+        if [[ -d "$LE_LIVE_DIR/$ENV_HOST" ]] && [[ -f "$LE_LIVE_DIR/$ENV_HOST/privkey.pem" ]] && [[ -f "$LE_LIVE_DIR/$ENV_HOST/fullchain.pem" ]]; then
+            LE_CERT_DIR="$LE_LIVE_DIR/$ENV_HOST"
+        else
+            for dir in "$LE_LIVE_DIR/$ENV_HOST"-*/; do
+                if [[ -d "$dir" ]] && [[ -f "$dir/privkey.pem" ]] && [[ -f "$dir/fullchain.pem" ]]; then
+                    LE_CERT_DIR="${dir%/}"
+                    break
+                fi
+            done
+        fi
     fi
 fi
@@ -254,11 +254,30 @@ if [[ -n "$LE_CERT_DIR" ]]; then
     LE_KEY_FILE="$LE_CERT_DIR/privkey.pem"
     LE_CERT_FILE="$LE_CERT_DIR/fullchain.pem"
 else
-    echo "FATAL: Let's Encrypt certificate directory could not be found for ENV_HOST: $ENV_HOST" >&2
-    echo " Checked candidates: ${DOMAIN_CANDIDATES[*]}" >&2
-    echo " Checked specific path: $LE_LIVE_DIR/$ENV_HOST" >&2
-    echo " Checked suffixed paths: $LE_LIVE_DIR/${ENV_HOST}-*" >&2
-    exit 1
+    FALLBACK_KEY_FILE=""
+    FALLBACK_CERT_FILE=""
+
+    if [[ -f "/var/www/ssl/litespeed.key" ]] && [[ -f "/var/www/ssl/litespeed.crt" ]]; then
+        FALLBACK_KEY_FILE="/var/www/ssl/litespeed.key"
+        FALLBACK_CERT_FILE="/var/www/ssl/litespeed.crt"
+    elif [[ -f "/usr/local/lsws/conf/server.key" ]] && [[ -f "/usr/local/lsws/conf/server.crt" ]]; then
+        FALLBACK_KEY_FILE="/usr/local/lsws/conf/server.key"
+        FALLBACK_CERT_FILE="/usr/local/lsws/conf/server.crt"
+    fi
+
+    if [[ -n "$FALLBACK_KEY_FILE" ]] && [[ -n "$FALLBACK_CERT_FILE" ]]; then
+        LE_KEY_FILE="$FALLBACK_KEY_FILE"
+        LE_CERT_FILE="$FALLBACK_CERT_FILE"
+        CERT_SOURCE="Listener fallback"
+        echo "WARNING: No Let's Encrypt certificate available for '$ENV_HOST'. Using existing listener certificate files instead." >&2
+    else
+        echo "FATAL: No usable certificate files were found for PMA gateway TLS." >&2
+        echo " Checked Let's Encrypt candidates: ${DOMAIN_CANDIDATES[*]}" >&2
+        echo " Checked LE exact path: $LE_LIVE_DIR/$ENV_HOST" >&2
+        echo " Checked LE suffixed paths: $LE_LIVE_DIR/${ENV_HOST}-*" >&2
+        echo " Checked listener fallback paths: /var/www/ssl/litespeed.{key,crt}, /usr/local/lsws/conf/server.{key,crt}" >&2
+        exit 1
+    fi
 fi
 
 # Check if the Let's Encrypt files exist at the determined paths
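Review bot: The fallback branch accepts whatever key/cert pair happens to exist at the two hard-coded listener paths and never checks that the certificate is unexpired or that it covers `$ENV_HOST`, so a default self-signed or wrong-hostname LiteSpeed certificate is now served for the gateway with only a stderr WARNING, where the removed lines failed closed. That silently trades a hard, visible failure for clients seeing an untrusted or mismatched certificate, which is exactly the condition that teaches users to click through warnings, and it additionally exposes the listener's private key to a second service. I would validate the pair before adopting it with `openssl x509 -noout -checkend 0` and `-checkhost "$ENV_HOST"` and `exit 1` if either fails, and consider gating the fallback behind an explicit opt-in variable so the default stays fail-closed; `-checkhost` handles wildcard and CN-only certs, but its exit status is informational, so the output has to be grepped. The trailing `echo` for the fallback paths should stay as-is so the FATAL diagnostics still name every location checked.
```shell
    if [[ -n "$FALLBACK_KEY_FILE" ]] && [[ -n "$FALLBACK_CERT_FILE" ]]; then
        # Fail closed unless the listener certificate is currently valid and actually covers ENV_HOST.
        if ! sudo openssl x509 -in "$FALLBACK_CERT_FILE" -noout -checkend 0 >/dev/null 2>&1; then
            echo "FATAL: Listener fallback certificate '$FALLBACK_CERT_FILE' is expired or unreadable." >&2
            exit 1
        fi
        if ! sudo openssl x509 -in "$FALLBACK_CERT_FILE" -noout -checkhost "$ENV_HOST" 2>/dev/null | grep -q ' does match '; then
            echo "FATAL: Listener fallback certificate '$FALLBACK_CERT_FILE' does not cover '$ENV_HOST'." >&2
            exit 1
        fi
        # … unchanged: LE_KEY_FILE / LE_CERT_FILE / CERT_SOURCE assignment and WARNING …
    else
        # … unchanged: FATAL diagnostics and exit 1 …
    fi
```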
@@ -268,7 +287,8 @@ if [[ ! -f "$LE_KEY_FILE" ]] || [[ ! -f "$LE_CERT_FILE" ]]; then
     echo " Cert: $LE_CERT_FILE" >&2
     exit 1
 fi
-echo "INFO: Using Let's Encrypt certificate paths:" >&2
+echo "INFO: Using certificate source: $CERT_SOURCE" >&2
+echo "INFO: Using certificate paths:" >&2
 echo " Key: $LE_KEY_FILE" >&2
 echo " Cert: $LE_CERT_FILE" >&2