Fix SSL issuance

2025-09-26 00:30:06 +08:00 · 2025-09-26 00:30:06 +08:00 · 6080d75210
parent bd57110ffa
commit 6080d75210
2 changed files with 39 additions and 67 deletions
--- a/mbadmin.jps
+++ b/mbadmin.jps
@ -108,12 +108,12 @@ onInstall:
          else
            echo "Skipping DNS plugin installation as Certbot wasn't installed";
          fi
-        # Install acme.sh
-        - if [ ! -f /root/.acme.sh/acme.sh ]; then
-            echo "Installing acme.sh...";
-            curl https://get.acme.sh | sh;
+        # Install Certbot DNS Bunny plugin
+        - if command -v certbot > /dev/null; then
+            echo "Installing Certbot DNS Bunny plugin...";
+            pip install certbot-dns-bunny || echo "Certbot DNS Bunny plugin installation failed but continuing";
          else
-            echo "acme.sh is already installed.";
+            echo "Skipping Certbot DNS Bunny plugin installation as Certbot wasn't installed";
          fi

 menu:
@ -482,14 +482,6 @@ settings:
        type: text
        caption: Domain Name
        required: true
-      - name: email
-        type: text
-        caption: Email Address
-        required: true
-      - name: bunny_api_key
-        type: password
-        caption: BunnyDNS API Key
-        required: true
  sslRemoveConfig:
    submitUnchanged: true
    fields:
@ -990,7 +982,7 @@ actions:
    - cmd[cp]:
        user: root
        commands:
-          - bash /home/litespeed/mbmanager/ssl-manager/ssl_manager.sh --dns-challenge --domain="${settings.domain}" --email="${settings.email}" --bunny-api-key="${settings.bunny_api_key}" --verbose
+          - bash /home/litespeed/mbmanager/ssl-manager/ssl_manager.sh --dns-challenge --domain="${settings.domain}" --verbose
    - return:
        type: info
        message: "SSL certificate issuance process via DNS challenge completed."
--- a/scripts/ssl-manager/ssl_manager.sh
+++ b/scripts/ssl-manager/ssl_manager.sh
@ -112,20 +112,6 @@ on_exit() {
 }
 trap 'rc=$?; SCRIPT_EXIT_STATUS=$rc; on_exit' EXIT

-install_acme_sh() {
-    if ! command -v "$HOME/.acme.sh/acme.sh" &>/dev/null; then
-        log "acme.sh not found. Installing..."
-        if curl https://get.acme.sh | sh; then
-            log_success "acme.sh installed successfully."
-        else
-            log_error "Failed to install acme.sh."
-            SCRIPT_EXIT_STATUS=1; return 1
-        fi
-    else
-        log "acme.sh is already installed."
-    fi
-}
-
 check_command() {
    local cmd="$1"
    local pkg="$2"
@ -192,40 +178,40 @@ validate_http_access() {

 issue_certificate_dns() {
    local domain="$1"
-    local bunny_api_key="$2"
-    local email="$3"
+    local creds_file="/etc/letsencrypt/bunny.ini"

-    if [[ -z "$bunny_api_key" ]]; then
-        log_error "BunnyDNS API key is required for DNS challenge."
+    if [[ ! -f "$creds_file" ]]; then
+        log_error "DNS challenge credentials file not found at '$creds_file'."
+        log_error "Please create it with the following content:"
+        log_error "dns_bunny_api_key = your_api_key_here"
+        log_error "dns_bunny_account_email = your_email@example.com"
        SCRIPT_EXIT_STATUS=1; return 1
    fi

-    log "Issuing SSL certificate for domain '$domain' using DNS challenge..."
-    export BUNNY_API_KEY="$bunny_api_key"
+    # Ensure permissions are correct for certbot
+    sudo chmod 600 "$creds_file"

-    # Use acme.sh to issue the certificate
-    "$HOME/.acme.sh/acme.sh" --issue --dns dns_bunny -d "$domain" --accountemail "$email" || {
-        log_error "Failed to issue certificate for '$domain' using DNS challenge."
-        unset BUNNY_API_KEY
+    # Extract email from credentials file for the --email flag
+    local email
+    email=$(grep "dns_bunny_account_email" "$creds_file" | sed 's/.*= *//')
+
+    if [[ -z "$email" ]]; then
+        log_error "dns_bunny_account_email not set in '$creds_file'."
+        SCRIPT_EXIT_STATUS=1; return 1
+    fi
+
+    log "Issuing SSL certificate for domain '$domain' using certbot with DNS challenge..."
+    
+    sudo certbot certonly \
+        --dns-bunny \
+        --dns-bunny-credentials "$creds_file" \
+        -d "$domain" \
+        --non-interactive --agree-tos --email "$email" || {
+        log_error "Failed to issue certificate for '$domain' using certbot DNS challenge."
        SCRIPT_EXIT_STATUS=1; return 1
    }
    
-    log_success "Certificate successfully issued for '$domain' using DNS challenge."
-    
-    # Install the certificate to the standard Let's Encrypt directory
-    local cert_path="$CERT_DIR/$domain"
-    sudo mkdir -p "$cert_path"
-    "$HOME/.acme.sh/acme.sh" --install-cert -d "$domain" \
-        --key-file       "$cert_path/privkey.pem" \
-        --fullchain-file "$cert_path/fullchain.pem" \
-        --reloadcmd      "sudo systemctl restart lsws" || {
-        log_error "Failed to install certificate for '$domain'."
-        unset BUNNY_API_KEY
-        SCRIPT_EXIT_STATUS=1; return 1
-    }
-
-    log_success "Certificate successfully installed for '$domain'."
-    unset BUNNY_API_KEY
+    log_success "Certificate successfully issued for '$domain' by certbot."
 }

 issue_certificate() {
@ -401,7 +387,6 @@ main() {

    # Parse parameters
    DNS_CHALLENGE=0
-    BUNNY_API_KEY=""
    for arg in "$@"; do
        case $arg in
            --public-ip=*) PUBLIC_IP="${arg#*=}"; log_verbose "Set public IP: $PUBLIC_IP";;
@ -412,14 +397,13 @@ main() {
            --verbose) VERBOSE=1; log "Verbose mode enabled";;
            --update-listener) UPDATE_LISTENER=1; log "Updating listener certificate to LE for $PRIMARY_DOMAIN";;
            --dns-challenge) DNS_CHALLENGE=1; log "DNS challenge mode enabled";;
-            --bunny-api-key=*) BUNNY_API_KEY="${arg#*=}";;
            *) log_error "Invalid argument: $arg"; SCRIPT_EXIT_STATUS=1; exit 1;;
        esac
    done

    if [[ "$DNS_CHALLENGE" -eq 1 ]]; then
-        [[ -z "$PRIMARY_DOMAIN" || -z "$EMAIL" ]] && {
-            log_error "Missing required parameters for DNS challenge. Provide --domain and --email."
+        [[ -z "$PRIMARY_DOMAIN" ]] && {
+            log_error "Missing required parameter for DNS challenge. Provide --domain."
            SCRIPT_EXIT_STATUS=1; exit 1
        }
    else
@ -430,9 +414,9 @@ main() {
    fi

    validate_domain "$PRIMARY_DOMAIN" || { log_error "Invalid domain '$PRIMARY_DOMAIN'"; SCRIPT_EXIT_STATUS=1; exit 1; }
-    validate_email "$EMAIL" || { log_error "Invalid email '$EMAIL'"; SCRIPT_EXIT_STATUS=1; exit 1; }

    if [[ "$DNS_CHALLENGE" -eq 0 ]]; then
+        validate_email "$EMAIL" || { log_error "Invalid email '$EMAIL'"; SCRIPT_EXIT_STATUS=1; exit 1; }
        validate_ip "$PUBLIC_IP" || { log_error "Invalid IP '$PUBLIC_IP'"; SCRIPT_EXIT_STATUS=1; exit 1; }
        validate_dns "$PRIMARY_DOMAIN" "$PUBLIC_IP" || { log_error "DNS validation failed"; SCRIPT_EXIT_STATUS=1; exit 1; }
        validate_http_access "$PRIMARY_DOMAIN" || { log_error "HTTP access validation failed"; SCRIPT_EXIT_STATUS=1; exit 1; }
@ -446,14 +430,10 @@ main() {
    check_command curl curl
    check_command openssl openssl

-    if [[ "$DNS_CHALLENGE" -eq 1 ]]; then
-        install_acme_sh
-    fi
-
    create_default_backup
    for domain in "${DOMAINS[@]}"; do
        if [[ "$DNS_CHALLENGE" -eq 1 ]]; then
-            issue_certificate_dns "$domain" "$BUNNY_API_KEY" "$EMAIL"
+            issue_certificate_dns "$domain"
        else
            issue_certificate "$domain" "$EMAIL"
        fi