diff --git a/scripts/install-wordpress.sh b/scripts/install-wordpress.sh
index e95f2bc..eba250e 100644
--- a/scripts/install-wordpress.sh
+++ b/scripts/install-wordpress.sh
@@ -771,87 +771,144 @@ fi # --- Let's Encrypt SSL Certificate Setup --- info "Setting up Let's Encrypt SSL certificate..." -# Install certbot if not present -if ! command_exists certbot; then - info "Installing certbot for Let's Encrypt certificate management..." - if command_exists apt-get; then - # Debian/Ubuntu - sudo apt-get update -qq - sudo apt-get install -y certbot python3-certbot-apache || error_exit "Failed to install certbot via apt-get" - elif command_exists yum; then - # CentOS/RHEL 7 - sudo yum install -y epel-release - sudo yum install -y certbot python3-certbot-apache || error_exit "Failed to install certbot via yum" - elif command_exists dnf; then - # CentOS/RHEL 8+/Fedora - sudo dnf install -y certbot python3-certbot-apache || error_exit "Failed to install certbot via dnf" - else - warning "Package manager not detected. Please install certbot manually." - info "You can install certbot using: wget https://dl.eff.org/certbot-auto && chmod a+x certbot-auto" - fi +# Validate domain is properly set before proceeding +if [[ -z "$DOMAIN" ]]; then + error_exit "Domain variable is empty. Cannot proceed with SSL certificate generation." +fi +if [[ "$DOMAIN" == "localhost" || "$DOMAIN" == "localdomain" ]]; then + warning "Domain is '$DOMAIN' which is not suitable for SSL certificates. Skipping SSL setup." + info "You can manually configure SSL later or re-run with --domain=your-actual-domain.com" + # Skip SSL section entirely + SSL_SKIPPED=true else - success "Certbot is already installed." 
+ info "Using domain for SSL certificate: $DOMAIN" + SSL_SKIPPED=false fi -# Generate SSL certificate -if command_exists certbot; then - info "Generating Let's Encrypt SSL certificate for domain: $DOMAIN" - - # Create a simple verification file for webroot authentication - WEBROOT_PATH="$WP_ROOT" - ACME_CHALLENGE_DIR="$WEBROOT_PATH/.well-known/acme-challenge" - sudo mkdir -p "$ACME_CHALLENGE_DIR" - sudo chown -R "${WEB_USER}:${WEB_GROUP}" "$WEBROOT_PATH/.well-known" - sudo chmod -R 755 "$WEBROOT_PATH/.well-known" - - # Try webroot method first (non-interactive) - info "Attempting SSL certificate generation using webroot method..." - if sudo certbot certonly \ - --webroot \ - --webroot-path="$WEBROOT_PATH" \ - --email="$WP_ADMIN_EMAIL" \ - --agree-tos \ - --non-interactive \ - --domains="$DOMAIN" \ - --expand; then - - success "SSL certificate generated successfully for $DOMAIN" - - # Set up automatic renewal - info "Setting up automatic SSL certificate renewal..." - - # Create renewal cron job if it doesn't exist - CRON_JOB="0 12 * * * /usr/bin/certbot renew --quiet --post-hook \"systemctl reload lshttpd || systemctl reload apache2 || systemctl reload nginx\"" - if ! sudo crontab -l 2>/dev/null | grep -q "certbot renew"; then - (sudo crontab -l 2>/dev/null; echo "$CRON_JOB") | sudo crontab - - success "Automatic SSL renewal configured (daily check at 12:00 PM)" +# Only proceed with SSL setup if domain is valid +if [[ "$SSL_SKIPPED" != "true" ]]; then + # Install certbot if not present + if ! command_exists certbot; then + info "Installing certbot for Let's Encrypt certificate management..." 
+ if command_exists apt-get; then + # Debian/Ubuntu + sudo apt-get update -qq + sudo apt-get install -y certbot python3-certbot-apache || error_exit "Failed to install certbot via apt-get" + elif command_exists yum; then + # CentOS/RHEL 7 + sudo yum install -y epel-release + sudo yum install -y certbot python3-certbot-apache || error_exit "Failed to install certbot via yum" + elif command_exists dnf; then + # CentOS/RHEL 8+/Fedora + sudo dnf install -y certbot python3-certbot-apache || error_exit "Failed to install certbot via dnf" else - info "SSL renewal cron job already exists." + warning "Package manager not detected. Please install certbot manually." + info "You can install certbot using: wget https://dl.eff.org/certbot-auto && chmod a+x certbot-auto" fi - - # For LiteSpeed, we need to restart the service to pick up new certificates - info "Restarting LiteSpeed web server to apply SSL certificate..." - if sudo systemctl is-active lshttpd &>/dev/null; then - sudo systemctl restart lshttpd || warning "Failed to restart lshttpd service" - success "LiteSpeed restarted successfully" - elif sudo systemctl is-active litespeed &>/dev/null; then - sudo systemctl restart litespeed || warning "Failed to restart litespeed service" - success "LiteSpeed restarted successfully" - else - warning "LiteSpeed service not detected or not running. You may need to manually configure SSL in LiteSpeed admin panel." - info "SSL certificate location: /etc/letsencrypt/live/$DOMAIN/" - info "Certificate file: /etc/letsencrypt/live/$DOMAIN/fullchain.pem" - info "Private key file: /etc/letsencrypt/live/$DOMAIN/privkey.pem" - fi - else - warning "SSL certificate generation failed. You can manually run:" - warning "sudo certbot --webroot -w '$WP_ROOT' -d '$DOMAIN' --email '$WP_ADMIN_EMAIL' --agree-tos" - info "Or configure SSL manually in your web server control panel." + success "Certbot is already installed." 
+ fi + + # Generate SSL certificate + if command_exists certbot; then + info "Generating Let's Encrypt SSL certificate for domain: $DOMAIN" + + # Create a simple verification file for webroot authentication + WEBROOT_PATH="$WP_ROOT" + ACME_CHALLENGE_DIR="$WEBROOT_PATH/.well-known/acme-challenge" + sudo mkdir -p "$ACME_CHALLENGE_DIR" + sudo chown -R "${WEB_USER}:${WEB_GROUP}" "$WEBROOT_PATH/.well-known" + sudo chmod -R 755 "$WEBROOT_PATH/.well-known" + + # Try webroot method first (non-interactive) + info "Attempting SSL certificate generation using webroot method..." + # Check if certificate already exists + if [[ -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]]; then + info "SSL certificate already exists for $DOMAIN. Checking if renewal is needed..." + if sudo certbot renew --cert-name="$DOMAIN" --dry-run 2>/dev/null; then + info "Existing SSL certificate is valid and not due for renewal." + SSL_SUCCESS=true + else + info "Existing certificate needs renewal. Attempting to renew..." + if sudo certbot renew --cert-name="$DOMAIN" --force-renewal 2>/dev/null; then + SSL_SUCCESS=true + else + warning "Failed to renew existing SSL certificate." + SSL_SUCCESS=false + fi + fi + else + # Generate new certificate + if sudo certbot certonly \ + --webroot \ + --webroot-path="$WEBROOT_PATH" \ + --email="$WP_ADMIN_EMAIL" \ + --agree-tos \ + --non-interactive \ + --domains="$DOMAIN"; then + SSL_SUCCESS=true + else + SSL_SUCCESS=false + fi + fi + + if [[ "$SSL_SUCCESS" == "true" ]]; then + success "SSL certificate is ready for $DOMAIN" + + # Set up automatic renewal + info "Setting up automatic SSL certificate renewal..." + + # Create renewal cron job if it doesn't exist + CRON_JOB="0 12 * * * /usr/bin/certbot renew --quiet --post-hook \"systemctl reload lshttpd || systemctl reload apache2 || systemctl reload nginx\"" + if ! 
sudo crontab -l 2>/dev/null | grep -q "certbot renew"; then + if (sudo crontab -l 2>/dev/null; echo "$CRON_JOB") | sudo crontab - 2>/dev/null; then + success "Automatic SSL renewal configured (daily check at 12:00 PM)" + else + warning "Failed to configure automatic SSL renewal cron job" + fi + else + info "SSL renewal cron job already exists." + fi + + # For LiteSpeed, we need to restart the service to pick up new certificates + info "Restarting LiteSpeed web server to apply SSL certificate..." + LITESPEED_RESTARTED=false + if sudo systemctl is-active lshttpd &>/dev/null; then + if sudo systemctl restart lshttpd 2>/dev/null; then + success "LiteSpeed (lshttpd) restarted successfully" + LITESPEED_RESTARTED=true + else + warning "Failed to restart lshttpd service" + fi + elif sudo systemctl is-active litespeed &>/dev/null; then + if sudo systemctl restart litespeed 2>/dev/null; then + success "LiteSpeed (litespeed) restarted successfully" + LITESPEED_RESTARTED=true + else + warning "Failed to restart litespeed service" + fi + else + warning "LiteSpeed service not detected or not running." + fi + + if [[ "$LITESPEED_RESTARTED" != "true" ]]; then + warning "LiteSpeed service restart failed or not attempted. You may need to manually configure SSL in LiteSpeed admin panel." + info "SSL certificate location: /etc/letsencrypt/live/$DOMAIN/" + info "Certificate file: /etc/letsencrypt/live/$DOMAIN/fullchain.pem" + info "Private key file: /etc/letsencrypt/live/$DOMAIN/privkey.pem" + fi + + else + warning "SSL certificate generation failed. You can manually run:" + warning "sudo certbot --webroot -w '$WP_ROOT' -d '$DOMAIN' --email '$WP_ADMIN_EMAIL' --agree-tos" + info "Or configure SSL manually in your web server control panel." + fi + else + warning "Certbot not available. SSL certificate not generated." + info "Please install certbot manually and run: sudo certbot --webroot -w '$WP_ROOT' -d '$DOMAIN'" fi else - warning "Certbot not available. SSL certificate not generated." 
- info "Please install certbot manually and run: sudo certbot --webroot -w '$WP_ROOT' -d '$DOMAIN'" + info "SSL certificate setup skipped due to invalid domain." fi # --- Final Summary ---
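Review bot: The new existing-certificate branch (`if [[ -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]]`) misreads `certbot renew --dry-run`: a dry run performs a test renewal against the staging environment regardless of expiry, so its success does not mean the certificate is "valid and not due for renewal", and its failure (often just a staging challenge hiccup) drops the script into `--force-renewal`, which re-issues an unexpired certificate, counts against Let's Encrypt's duplicate-certificate rate limit, and with `2>/dev/null` hides the reason when it fails. A plain `certbot renew --cert-name "$DOMAIN"` is a no-op when the certificate is not due and renews it otherwise, which is the idempotent behaviour this branch wants; the rewritten branch is below. Separately, `$DOMAIN` is only rejected when empty or `localhost`, yet it is spliced into the `/etc/letsencrypt/live/$DOMAIN/...` path and into certbot and cron arguments, so a hostname shape check such as `if [[ ! "$DOMAIN" =~ ^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$ ]]; then` in place of the two literal comparisons would also skip IPs and single-label names that this webroot flow cannot obtain a certificate for anyway. The moved fallback hint `wget https://dl.eff.org/certbot-auto` points at a distribution method EFF discontinued some time ago, as far as I know, so steering operators to their distro package or the snap/pip install instead avoids a dead download. The hunk opens on the `fi` of a preceding block whose body is outside this hunk.
```shell
if [[ -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]]; then
  info "SSL certificate already exists for $DOMAIN. Renewing only if it is due..."
  # 'renew' without --dry-run/--force-renewal is a no-op when the certificate is
  # not due, so this is safe to run on every install and cannot trip the
  # duplicate-certificate rate limit; stderr is kept so a failure is diagnosable.
  if sudo certbot renew --cert-name "$DOMAIN" --non-interactive; then
    SSL_SUCCESS=true
  else
    warning "Failed to renew existing SSL certificate for $DOMAIN."
    SSL_SUCCESS=false
  fi
else
  # … unchanged: certbot certonly --webroot … for a new certificate …
fi
```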