Fallback to listener cert when PMA certbot unavailable

main
Anthony 2026-02-26 22:06:02 +08:00
parent e59dbc9af0
commit 5dd63f99e7
1 changed files with 53 additions and 33 deletions


@ -116,6 +116,7 @@ NEEDS_RESTART=0
LE_LIVE_DIR="/etc/letsencrypt/live" LE_LIVE_DIR="/etc/letsencrypt/live"
LE_CERT_DIR="" LE_CERT_DIR=""
CERT_DOMAIN_USED="" CERT_DOMAIN_USED=""
CERT_SOURCE="Let's Encrypt"
# Find an existing certificate for the first matching candidate. # Find an existing certificate for the first matching candidate.
for candidate_host in "${DOMAIN_CANDIDATES[@]}"; do for candidate_host in "${DOMAIN_CANDIDATES[@]}"; do
@ -216,36 +217,35 @@ if [[ -z "$LE_CERT_DIR" ]]; then
fi fi
if [[ -z "$CERTBOT_CMD" ]]; then if [[ -z "$CERTBOT_CMD" ]]; then
echo "FATAL: certbot is not available and no existing Let's Encrypt certificate was found for '$ENV_HOST'." >&2 echo "WARNING: certbot is unavailable for on-demand issuance. Will try existing listener certificate files as fallback." >&2
exit 1
fi
WEBROOT_PATH="/var/www/webroot/ROOT"
ACME_CHALLENGE_DIR="$WEBROOT_PATH/.well-known/acme-challenge"
sudo mkdir -p "$ACME_CHALLENGE_DIR"
if [[ -n "$CONTACT_EMAIL" ]]; then
if ! sudo "$CERTBOT_CMD" certonly --webroot -w "$WEBROOT_PATH" -d "$ENV_HOST" --non-interactive --agree-tos --email "$CONTACT_EMAIL"; then
echo "FATAL: Failed to issue Let's Encrypt certificate for '$ENV_HOST' using contact email '$CONTACT_EMAIL'." >&2
exit 1
fi
else else
if ! sudo "$CERTBOT_CMD" certonly --webroot -w "$WEBROOT_PATH" -d "$ENV_HOST" --non-interactive --agree-tos --register-unsafely-without-email; then WEBROOT_PATH="/var/www/webroot/ROOT"
echo "FATAL: Failed to issue Let's Encrypt certificate for '$ENV_HOST' without contact email." >&2 ACME_CHALLENGE_DIR="$WEBROOT_PATH/.well-known/acme-challenge"
exit 1 sudo mkdir -p "$ACME_CHALLENGE_DIR"
fi
fi
# Re-check exact and suffixed certificate directories after issuance. if [[ -n "$CONTACT_EMAIL" ]]; then
if [[ -d "$LE_LIVE_DIR/$ENV_HOST" ]] && [[ -f "$LE_LIVE_DIR/$ENV_HOST/privkey.pem" ]] && [[ -f "$LE_LIVE_DIR/$ENV_HOST/fullchain.pem" ]]; then if ! sudo "$CERTBOT_CMD" certonly --webroot -w "$WEBROOT_PATH" -d "$ENV_HOST" --non-interactive --agree-tos --email "$CONTACT_EMAIL"; then
LE_CERT_DIR="$LE_LIVE_DIR/$ENV_HOST" echo "FATAL: Failed to issue Let's Encrypt certificate for '$ENV_HOST' using contact email '$CONTACT_EMAIL'." >&2
else exit 1
for dir in "$LE_LIVE_DIR/$ENV_HOST"-*/; do
if [[ -d "$dir" ]] && [[ -f "$dir/privkey.pem" ]] && [[ -f "$dir/fullchain.pem" ]]; then
LE_CERT_DIR="${dir%/}"
break
fi fi
done else
if ! sudo "$CERTBOT_CMD" certonly --webroot -w "$WEBROOT_PATH" -d "$ENV_HOST" --non-interactive --agree-tos --register-unsafely-without-email; then
echo "FATAL: Failed to issue Let's Encrypt certificate for '$ENV_HOST' without contact email." >&2
exit 1
fi
fi
# Re-check exact and suffixed certificate directories after issuance.
if [[ -d "$LE_LIVE_DIR/$ENV_HOST" ]] && [[ -f "$LE_LIVE_DIR/$ENV_HOST/privkey.pem" ]] && [[ -f "$LE_LIVE_DIR/$ENV_HOST/fullchain.pem" ]]; then
LE_CERT_DIR="$LE_LIVE_DIR/$ENV_HOST"
else
for dir in "$LE_LIVE_DIR/$ENV_HOST"-*/; do
if [[ -d "$dir" ]] && [[ -f "$dir/privkey.pem" ]] && [[ -f "$dir/fullchain.pem" ]]; then
LE_CERT_DIR="${dir%/}"
break
fi
done
fi
fi fi
fi fi
@ -254,11 +254,30 @@ if [[ -n "$LE_CERT_DIR" ]]; then
LE_KEY_FILE="$LE_CERT_DIR/privkey.pem" LE_KEY_FILE="$LE_CERT_DIR/privkey.pem"
LE_CERT_FILE="$LE_CERT_DIR/fullchain.pem" LE_CERT_FILE="$LE_CERT_DIR/fullchain.pem"
else else
echo "FATAL: Let's Encrypt certificate directory could not be found for ENV_HOST: $ENV_HOST" >&2 FALLBACK_KEY_FILE=""
echo " Checked candidates: ${DOMAIN_CANDIDATES[*]}" >&2 FALLBACK_CERT_FILE=""
echo " Checked specific path: $LE_LIVE_DIR/$ENV_HOST" >&2
echo " Checked suffixed paths: $LE_LIVE_DIR/${ENV_HOST}-*" >&2 if [[ -f "/var/www/ssl/litespeed.key" ]] && [[ -f "/var/www/ssl/litespeed.crt" ]]; then
exit 1 FALLBACK_KEY_FILE="/var/www/ssl/litespeed.key"
FALLBACK_CERT_FILE="/var/www/ssl/litespeed.crt"
elif [[ -f "/usr/local/lsws/conf/server.key" ]] && [[ -f "/usr/local/lsws/conf/server.crt" ]]; then
FALLBACK_KEY_FILE="/usr/local/lsws/conf/server.key"
FALLBACK_CERT_FILE="/usr/local/lsws/conf/server.crt"
fi
if [[ -n "$FALLBACK_KEY_FILE" ]] && [[ -n "$FALLBACK_CERT_FILE" ]]; then
LE_KEY_FILE="$FALLBACK_KEY_FILE"
LE_CERT_FILE="$FALLBACK_CERT_FILE"
CERT_SOURCE="Listener fallback"
echo "WARNING: No Let's Encrypt certificate available for '$ENV_HOST'. Using existing listener certificate files instead." >&2
else
echo "FATAL: No usable certificate files were found for PMA gateway TLS." >&2
echo " Checked Let's Encrypt candidates: ${DOMAIN_CANDIDATES[*]}" >&2
echo " Checked LE exact path: $LE_LIVE_DIR/$ENV_HOST" >&2
echo " Checked LE suffixed paths: $LE_LIVE_DIR/${ENV_HOST}-*" >&2
echo " Checked listener fallback paths: /var/www/ssl/litespeed.{key,crt}, /usr/local/lsws/conf/server.{key,crt}" >&2
exit 1
fi
fi fi
# Check if the Let's Encrypt files exist at the determined paths # Check if the Let's Encrypt files exist at the determined paths
@ -268,7 +287,8 @@ if [[ ! -f "$LE_KEY_FILE" ]] || [[ ! -f "$LE_CERT_FILE" ]]; then
echo " Cert: $LE_CERT_FILE" >&2 echo " Cert: $LE_CERT_FILE" >&2
exit 1 exit 1
fi fi
echo "INFO: Using Let's Encrypt certificate paths:" >&2 echo "INFO: Using certificate source: $CERT_SOURCE" >&2
echo "INFO: Using certificate paths:" >&2
echo " Key: $LE_KEY_FILE" >&2 echo " Key: $LE_KEY_FILE" >&2
echo " Cert: $LE_CERT_FILE" >&2 echo " Cert: $LE_CERT_FILE" >&2
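Review bot: The listener fallback in the third hunk (the `FALLBACK_KEY_FILE`/`FALLBACK_CERT_FILE` branch) accepts any key/cert pair that merely exists, so a default or self-signed listener certificate, one issued for a different name than `$ENV_HOST`, or a key that does not belong to the certificate is silently wired into the PMA gateway with only a WARNING on stderr. Because this path is taken automatically whenever certbot is unavailable, a client-visible TLS failure (or an expired/mismatched cert) is the first sign anything is wrong; the fallback should be validated before it is assigned to `LE_KEY_FILE`/`LE_CERT_FILE`, and failing closed with a FATAL is preferable to serving an unrelated certificate. The `-f` tests also only prove existence: if this script runs unprivileged (it already uses `sudo` for certbot), the later consumer may be unable to read a root-owned key under `/usr/local/lsws/conf`, so reading the files through the same privilege used elsewhere is worth confirming. Minor style point: the two hardcoded path pairs are repeated verbatim in the FATAL message at the end of the branch; keeping them in one array and printing that keeps the message and the checks in sync.
```shell
if [[ -n "$FALLBACK_KEY_FILE" ]] && [[ -n "$FALLBACK_CERT_FILE" ]]; then
  # Refuse a fallback pair whose certificate does not cover ENV_HOST or whose key does not match it.
  if ! sudo openssl x509 -in "$FALLBACK_CERT_FILE" -noout -checkhost "$ENV_HOST" 2>&1 | grep -q 'does match'; then
    echo "FATAL: Listener fallback certificate '$FALLBACK_CERT_FILE' does not cover '$ENV_HOST'." >&2
    exit 1
  fi
  cert_pub=$(sudo openssl x509 -in "$FALLBACK_CERT_FILE" -noout -pubkey)
  key_pub=$(sudo openssl pkey -in "$FALLBACK_KEY_FILE" -pubout)
  if [[ -z "$cert_pub" ]] || [[ "$cert_pub" != "$key_pub" ]]; then
    echo "FATAL: Listener fallback key '$FALLBACK_KEY_FILE' does not match certificate '$FALLBACK_CERT_FILE'." >&2
    exit 1
  fi
  # … unchanged: LE_KEY_FILE / LE_CERT_FILE / CERT_SOURCE assignment and WARNING …
```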