From 6080d75210b6602bde713e32266d7b69a26f4d16 Mon Sep 17 00:00:00 2001
From: Anthony
Date: Fri, 26 Sep 2025 00:30:06 +0800
Subject: [PATCH] Fix SSL issuance
---
 mbadmin.jps | 20 +++----
 scripts/ssl-manager/ssl_manager.sh | 86 ++++++++++++------------------
 2 files changed, 39 insertions(+), 67 deletions(-)
diff --git a/mbadmin.jps b/mbadmin.jps
index 0e2409d..3a927e6 100644
--- a/mbadmin.jps
+++ b/mbadmin.jps
@@ -108,12 +108,12 @@ onInstall:
 else
 echo "Skipping DNS plugin installation as Certbot wasn't installed";
 fi
- # Install acme.sh
- - if [ ! -f /root/.acme.sh/acme.sh ]; then
- echo "Installing acme.sh...";
- curl https://get.acme.sh | sh;
+ # Install Certbot DNS Bunny plugin
+ - if command -v certbot > /dev/null; then
+ echo "Installing Certbot DNS Bunny plugin...";
+ pip install certbot-dns-bunny || echo "Certbot DNS Bunny plugin installation failed but continuing";
 else
- echo "acme.sh is already installed.";
+ echo "Skipping Certbot DNS Bunny plugin installation as Certbot wasn't installed";
 fi
 menu:
@@ -482,14 +482,6 @@ settings:
 type: text
 caption: Domain Name
 required: true
- - name: email
- type: text
- caption: Email Address
- required: true
- - name: bunny_api_key
- type: password
- caption: BunnyDNS API Key
- required: true
 sslRemoveConfig:
 submitUnchanged: true
 fields:
@@ -990,7 +982,7 @@ actions:
 - cmd[cp]:
 user: root
 commands:
- - bash /home/litespeed/mbmanager/ssl-manager/ssl_manager.sh --dns-challenge --domain="${settings.domain}" --email="${settings.email}" --bunny-api-key="${settings.bunny_api_key}" --verbose
+ - bash /home/litespeed/mbmanager/ssl-manager/ssl_manager.sh --dns-challenge --domain="${settings.domain}" --verbose
 - return:
 type: info
 message: "SSL certificate issuance process via DNS challenge completed."
diff --git a/scripts/ssl-manager/ssl_manager.sh b/scripts/ssl-manager/ssl_manager.sh
index 53118f1..3eea73e 100644
--- a/scripts/ssl-manager/ssl_manager.sh
+++ b/scripts/ssl-manager/ssl_manager.sh
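Review bot: The new `pip install certbot-dns-bunny || echo "... failed but continuing"` line pins no version and swallows the failure, so a missing or broken plugin is only discovered later when ssl_manager.sh runs `certbot --dns-bunny` on the target host. It also installs into whichever `pip` is first on PATH, which only helps if that is the interpreter certbot runs under (a snap- or distro-packaged certbot does not load pip-installed plugins); how certbot itself is installed is not visible in this hunk, so please confirm. Consider `pip install 'certbot-dns-bunny==<pinned-version>'` (placeholder) and verifying the outcome with `certbot plugins | grep -q dns-bunny` before the install step reports success, or let a failure propagate instead of continuing.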
@@ -112,20 +112,6 @@ on_exit() {
 }
 trap 'rc=$?; SCRIPT_EXIT_STATUS=$rc; on_exit' EXIT
-install_acme_sh() {
- if ! command -v "$HOME/.acme.sh/acme.sh" &>/dev/null; then
- log "acme.sh not found. Installing..."
- if curl https://get.acme.sh | sh; then
- log_success "acme.sh installed successfully."
- else
- log_error "Failed to install acme.sh."
- SCRIPT_EXIT_STATUS=1; return 1
- fi
- else
- log "acme.sh is already installed."
- fi
-}
-
 check_command() {
 local cmd="$1"
 local pkg="$2"
@@ -192,40 +178,40 @@ validate_http_access() {
 issue_certificate_dns() {
 local domain="$1"
- local bunny_api_key="$2"
- local email="$3"
+ local creds_file="/etc/letsencrypt/bunny.ini"
- if [[ -z "$bunny_api_key" ]]; then
- log_error "BunnyDNS API key is required for DNS challenge."
+ if [[ ! -f "$creds_file" ]]; then
+ log_error "DNS challenge credentials file not found at '$creds_file'."
+ log_error "Please create it with the following content:"
+ log_error "dns_bunny_api_key = your_api_key_here"
+ log_error "dns_bunny_account_email = your_email@example.com"
 SCRIPT_EXIT_STATUS=1; return 1
 fi
- log "Issuing SSL certificate for domain '$domain' using DNS challenge..."
- export BUNNY_API_KEY="$bunny_api_key"
-
- # Use acme.sh to issue the certificate
- "$HOME/.acme.sh/acme.sh" --issue --dns dns_bunny -d "$domain" --accountemail "$email" || {
- log_error "Failed to issue certificate for '$domain' using DNS challenge."
- unset BUNNY_API_KEY
- SCRIPT_EXIT_STATUS=1; return 1
- }
-
- log_success "Certificate successfully issued for '$domain' using DNS challenge."
-
- # Install the certificate to the standard Let's Encrypt directory
- local cert_path="$CERT_DIR/$domain"
- sudo mkdir -p "$cert_path"
- "$HOME/.acme.sh/acme.sh" --install-cert -d "$domain" \
- --key-file "$cert_path/privkey.pem" \
- --fullchain-file "$cert_path/fullchain.pem" \
- --reloadcmd "sudo systemctl restart lsws" || {
- log_error "Failed to install certificate for '$domain'."
- unset BUNNY_API_KEY
- SCRIPT_EXIT_STATUS=1; return 1
- }
+ # Ensure permissions are correct for certbot
+ sudo chmod 600 "$creds_file"
- log_success "Certificate successfully installed for '$domain'."
- unset BUNNY_API_KEY
+ # Extract email from credentials file for the --email flag
+ local email
+ email=$(grep "dns_bunny_account_email" "$creds_file" | sed 's/.*= *//')
+
+ if [[ -z "$email" ]]; then
+ log_error "dns_bunny_account_email not set in '$creds_file'."
+ SCRIPT_EXIT_STATUS=1; return 1
+ fi
+
+ log "Issuing SSL certificate for domain '$domain' using certbot with DNS challenge..."
+
+ sudo certbot certonly \
+ --dns-bunny \
+ --dns-bunny-credentials "$creds_file" \
+ -d "$domain" \
+ --non-interactive --agree-tos --email "$email" || {
+ log_error "Failed to issue certificate for '$domain' using certbot DNS challenge."
+ SCRIPT_EXIT_STATUS=1; return 1
+ }
+
+ log_success "Certificate successfully issued for '$domain' by certbot."
 }
 issue_certificate() {
@@ -401,7 +387,6 @@ main() {
 # Parse parameters
 DNS_CHALLENGE=0
- BUNNY_API_KEY=""
 for arg in "$@"; do
 case $arg in
 --public-ip=*) PUBLIC_IP="${arg#*=}"; log_verbose "Set public IP: $PUBLIC_IP";;
@@ -412,14 +397,13 @@ main() {
 --verbose) VERBOSE=1; log "Verbose mode enabled";;
 --update-listener) UPDATE_LISTENER=1; log "Updating listener certificate to LE for $PRIMARY_DOMAIN";;
 --dns-challenge) DNS_CHALLENGE=1; log "DNS challenge mode enabled";;
- --bunny-api-key=*) BUNNY_API_KEY="${arg#*=}";;
 *) log_error "Invalid argument: $arg"; SCRIPT_EXIT_STATUS=1; exit 1;;
 esac
 done
 if [[ "$DNS_CHALLENGE" -eq 1 ]]; then
- [[ -z "$PRIMARY_DOMAIN" || -z "$EMAIL" ]] && {
- log_error "Missing required parameters for DNS challenge. Provide --domain and --email."
+ [[ -z "$PRIMARY_DOMAIN" ]] && {
+ log_error "Missing required parameter for DNS challenge. Provide --domain."
 SCRIPT_EXIT_STATUS=1; exit 1
 }
 else
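Review bot: `email=$(grep "dns_bunny_account_email" "$creds_file" | sed 's/.*= *//')` reads the file without sudo right after `sudo chmod 600 "$creds_file"`, so when the script runs as a non-root user against a root-owned file the grep fails and the function reports "dns_bunny_account_email not set" instead of a permission problem; the pattern is also unanchored, so a commented-out `# dns_bunny_account_email = ...` line or a second occurrence yields a wrong or multi-line value. Something like `email=$(sudo grep -E '^[[:space:]]*dns_bunny_account_email[[:space:]]*=' "$creds_file" | head -n 1 | sed 's/^[^=]*=[[:space:]]*//')` avoids both, and the value should still pass through `validate_email`, which the DNS path no longer reaches in main(); `sudo chown root:root "$creds_file"` next to the chmod would make the protection of the API key explicit rather than assumed. Nothing in this commit writes `/etc/letsencrypt/bunny.ini` (the jps fields that used to carry the key and email are removed in the same patch), so the log_error hint is the only provisioning path and deserves a line in the function's header comment. The removed acme.sh branch also copied the certificate into `$CERT_DIR/$domain` and restarted lsws via `--reloadcmd`; the certbot call has no equivalent, so unless `$CERT_DIR` is certbot's live directory and a reload happens in code outside this hunk, that behaviour is lost.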
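Review bot: With the `--bunny-api-key=*)` arm removed, the catch-all `*) log_error "Invalid argument: $arg"; SCRIPT_EXIT_STATUS=1; exit 1;;` now receives `--bunny-api-key=<secret>` from any caller that was not updated together with this commit and writes the full value, API key included, into the log. Logging only the option name keeps the diagnostic useful without that exposure: `*) log_error "Invalid argument: ${arg%%=*}"; SCRIPT_EXIT_STATUS=1; exit 1;;`. A dedicated arm such as `--bunny-api-key=*) log_error "--bunny-api-key is no longer supported; put the key in /etc/letsencrypt/bunny.ini"; SCRIPT_EXIT_STATUS=1; exit 1;;` would make the migration explicit. main() starts and ends outside this hunk.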
@@ -430,9 +414,9 @@ main() {
 fi
 validate_domain "$PRIMARY_DOMAIN" || { log_error "Invalid domain '$PRIMARY_DOMAIN'"; SCRIPT_EXIT_STATUS=1; exit 1; }
- validate_email "$EMAIL" || { log_error "Invalid email '$EMAIL'"; SCRIPT_EXIT_STATUS=1; exit 1; }
 if [[ "$DNS_CHALLENGE" -eq 0 ]]; then
+ validate_email "$EMAIL" || { log_error "Invalid email '$EMAIL'"; SCRIPT_EXIT_STATUS=1; exit 1; }
 validate_ip "$PUBLIC_IP" || { log_error "Invalid IP '$PUBLIC_IP'"; SCRIPT_EXIT_STATUS=1; exit 1; }
 validate_dns "$PRIMARY_DOMAIN" "$PUBLIC_IP" || { log_error "DNS validation failed"; SCRIPT_EXIT_STATUS=1; exit 1; }
 validate_http_access "$PRIMARY_DOMAIN" || { log_error "HTTP access validation failed"; SCRIPT_EXIT_STATUS=1; exit 1; }
@@ -446,14 +430,10 @@ main() {
 check_command curl curl
 check_command openssl openssl
- if [[ "$DNS_CHALLENGE" -eq 1 ]]; then
- install_acme_sh
- fi
-
 create_default_backup
 for domain in "${DOMAINS[@]}"; do
 if [[ "$DNS_CHALLENGE" -eq 1 ]]; then
- issue_certificate_dns "$domain" "$BUNNY_API_KEY" "$EMAIL"
+ issue_certificate_dns "$domain"
 else
 issue_certificate "$domain" "$EMAIL"
 fi
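Review bot: With the `install_acme_sh` block removed, nothing before the issuance loop checks that `certbot` and its dns-bunny plugin are present; the visible `check_command curl curl` and `check_command openssl openssl` lines cover only those two tools, so a missing certbot now surfaces as a failed `sudo certbot certonly` deep inside `issue_certificate_dns`. Putting `if [[ "$DNS_CHALLENGE" -eq 1 ]]; then check_command certbot certbot; fi` where the removed block stood keeps the precondition check (check_command's body is not in this hunk, so its package-name argument may need adjusting), and a `certbot plugins` probe can confirm that dns-bunny is actually loaded by the certbot that will run. main() starts and ends outside this hunk.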