Fix LE cert issue

main
Anthony 2025-06-25 00:25:49 +08:00
parent cd0bf962db
commit 794a7ea758
1 changed files with 130 additions and 73 deletions


@ -771,87 +771,144 @@ fi
# --- Let's Encrypt SSL Certificate Setup --- # --- Let's Encrypt SSL Certificate Setup ---
info "Setting up Let's Encrypt SSL certificate..." info "Setting up Let's Encrypt SSL certificate..."
# Install certbot if not present # Validate domain is properly set before proceeding
if ! command_exists certbot; then if [[ -z "$DOMAIN" ]]; then
info "Installing certbot for Let's Encrypt certificate management..." error_exit "Domain variable is empty. Cannot proceed with SSL certificate generation."
if command_exists apt-get; then fi
# Debian/Ubuntu if [[ "$DOMAIN" == "localhost" || "$DOMAIN" == "localdomain" ]]; then
sudo apt-get update -qq warning "Domain is '$DOMAIN' which is not suitable for SSL certificates. Skipping SSL setup."
sudo apt-get install -y certbot python3-certbot-apache || error_exit "Failed to install certbot via apt-get" info "You can manually configure SSL later or re-run with --domain=your-actual-domain.com"
elif command_exists yum; then # Skip SSL section entirely
# CentOS/RHEL 7 SSL_SKIPPED=true
sudo yum install -y epel-release
sudo yum install -y certbot python3-certbot-apache || error_exit "Failed to install certbot via yum"
elif command_exists dnf; then
# CentOS/RHEL 8+/Fedora
sudo dnf install -y certbot python3-certbot-apache || error_exit "Failed to install certbot via dnf"
else
warning "Package manager not detected. Please install certbot manually."
info "You can install certbot using: wget https://dl.eff.org/certbot-auto && chmod a+x certbot-auto"
fi
else else
success "Certbot is already installed." info "Using domain for SSL certificate: $DOMAIN"
SSL_SKIPPED=false
fi fi
# Generate SSL certificate # Only proceed with SSL setup if domain is valid
if command_exists certbot; then if [[ "$SSL_SKIPPED" != "true" ]]; then
info "Generating Let's Encrypt SSL certificate for domain: $DOMAIN" # Install certbot if not present
if ! command_exists certbot; then
# Create a simple verification file for webroot authentication info "Installing certbot for Let's Encrypt certificate management..."
WEBROOT_PATH="$WP_ROOT" if command_exists apt-get; then
ACME_CHALLENGE_DIR="$WEBROOT_PATH/.well-known/acme-challenge" # Debian/Ubuntu
sudo mkdir -p "$ACME_CHALLENGE_DIR" sudo apt-get update -qq
sudo chown -R "${WEB_USER}:${WEB_GROUP}" "$WEBROOT_PATH/.well-known" sudo apt-get install -y certbot python3-certbot-apache || error_exit "Failed to install certbot via apt-get"
sudo chmod -R 755 "$WEBROOT_PATH/.well-known" elif command_exists yum; then
# CentOS/RHEL 7
# Try webroot method first (non-interactive) sudo yum install -y epel-release
info "Attempting SSL certificate generation using webroot method..." sudo yum install -y certbot python3-certbot-apache || error_exit "Failed to install certbot via yum"
if sudo certbot certonly \ elif command_exists dnf; then
--webroot \ # CentOS/RHEL 8+/Fedora
--webroot-path="$WEBROOT_PATH" \ sudo dnf install -y certbot python3-certbot-apache || error_exit "Failed to install certbot via dnf"
--email="$WP_ADMIN_EMAIL" \
--agree-tos \
--non-interactive \
--domains="$DOMAIN" \
--expand; then
success "SSL certificate generated successfully for $DOMAIN"
# Set up automatic renewal
info "Setting up automatic SSL certificate renewal..."
# Create renewal cron job if it doesn't exist
CRON_JOB="0 12 * * * /usr/bin/certbot renew --quiet --post-hook \"systemctl reload lshttpd || systemctl reload apache2 || systemctl reload nginx\""
if ! sudo crontab -l 2>/dev/null | grep -q "certbot renew"; then
(sudo crontab -l 2>/dev/null; echo "$CRON_JOB") | sudo crontab -
success "Automatic SSL renewal configured (daily check at 12:00 PM)"
else else
info "SSL renewal cron job already exists." warning "Package manager not detected. Please install certbot manually."
info "You can install certbot using: wget https://dl.eff.org/certbot-auto && chmod a+x certbot-auto"
fi fi
# For LiteSpeed, we need to restart the service to pick up new certificates
info "Restarting LiteSpeed web server to apply SSL certificate..."
if sudo systemctl is-active lshttpd &>/dev/null; then
sudo systemctl restart lshttpd || warning "Failed to restart lshttpd service"
success "LiteSpeed restarted successfully"
elif sudo systemctl is-active litespeed &>/dev/null; then
sudo systemctl restart litespeed || warning "Failed to restart litespeed service"
success "LiteSpeed restarted successfully"
else
warning "LiteSpeed service not detected or not running. You may need to manually configure SSL in LiteSpeed admin panel."
info "SSL certificate location: /etc/letsencrypt/live/$DOMAIN/"
info "Certificate file: /etc/letsencrypt/live/$DOMAIN/fullchain.pem"
info "Private key file: /etc/letsencrypt/live/$DOMAIN/privkey.pem"
fi
else else
warning "SSL certificate generation failed. You can manually run:" success "Certbot is already installed."
warning "sudo certbot --webroot -w '$WP_ROOT' -d '$DOMAIN' --email '$WP_ADMIN_EMAIL' --agree-tos" fi
info "Or configure SSL manually in your web server control panel."
# Generate SSL certificate
if command_exists certbot; then
info "Generating Let's Encrypt SSL certificate for domain: $DOMAIN"
# Create a simple verification file for webroot authentication
WEBROOT_PATH="$WP_ROOT"
ACME_CHALLENGE_DIR="$WEBROOT_PATH/.well-known/acme-challenge"
sudo mkdir -p "$ACME_CHALLENGE_DIR"
sudo chown -R "${WEB_USER}:${WEB_GROUP}" "$WEBROOT_PATH/.well-known"
sudo chmod -R 755 "$WEBROOT_PATH/.well-known"
# Try webroot method first (non-interactive)
info "Attempting SSL certificate generation using webroot method..."
# Check if certificate already exists
if [[ -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]]; then
info "SSL certificate already exists for $DOMAIN. Checking if renewal is needed..."
if sudo certbot renew --cert-name="$DOMAIN" --dry-run 2>/dev/null; then
info "Existing SSL certificate is valid and not due for renewal."
SSL_SUCCESS=true
else
info "Existing certificate needs renewal. Attempting to renew..."
if sudo certbot renew --cert-name="$DOMAIN" --force-renewal 2>/dev/null; then
SSL_SUCCESS=true
else
warning "Failed to renew existing SSL certificate."
SSL_SUCCESS=false
fi
fi
else
# Generate new certificate
if sudo certbot certonly \
--webroot \
--webroot-path="$WEBROOT_PATH" \
--email="$WP_ADMIN_EMAIL" \
--agree-tos \
--non-interactive \
--domains="$DOMAIN"; then
SSL_SUCCESS=true
else
SSL_SUCCESS=false
fi
fi
if [[ "$SSL_SUCCESS" == "true" ]]; then
success "SSL certificate is ready for $DOMAIN"
# Set up automatic renewal
info "Setting up automatic SSL certificate renewal..."
# Create renewal cron job if it doesn't exist
CRON_JOB="0 12 * * * /usr/bin/certbot renew --quiet --post-hook \"systemctl reload lshttpd || systemctl reload apache2 || systemctl reload nginx\""
if ! sudo crontab -l 2>/dev/null | grep -q "certbot renew"; then
if (sudo crontab -l 2>/dev/null; echo "$CRON_JOB") | sudo crontab - 2>/dev/null; then
success "Automatic SSL renewal configured (daily check at 12:00 PM)"
else
warning "Failed to configure automatic SSL renewal cron job"
fi
else
info "SSL renewal cron job already exists."
fi
# For LiteSpeed, we need to restart the service to pick up new certificates
info "Restarting LiteSpeed web server to apply SSL certificate..."
LITESPEED_RESTARTED=false
if sudo systemctl is-active lshttpd &>/dev/null; then
if sudo systemctl restart lshttpd 2>/dev/null; then
success "LiteSpeed (lshttpd) restarted successfully"
LITESPEED_RESTARTED=true
else
warning "Failed to restart lshttpd service"
fi
elif sudo systemctl is-active litespeed &>/dev/null; then
if sudo systemctl restart litespeed 2>/dev/null; then
success "LiteSpeed (litespeed) restarted successfully"
LITESPEED_RESTARTED=true
else
warning "Failed to restart litespeed service"
fi
else
warning "LiteSpeed service not detected or not running."
fi
if [[ "$LITESPEED_RESTARTED" != "true" ]]; then
warning "LiteSpeed service restart failed or not attempted. You may need to manually configure SSL in LiteSpeed admin panel."
info "SSL certificate location: /etc/letsencrypt/live/$DOMAIN/"
info "Certificate file: /etc/letsencrypt/live/$DOMAIN/fullchain.pem"
info "Private key file: /etc/letsencrypt/live/$DOMAIN/privkey.pem"
fi
else
warning "SSL certificate generation failed. You can manually run:"
warning "sudo certbot --webroot -w '$WP_ROOT' -d '$DOMAIN' --email '$WP_ADMIN_EMAIL' --agree-tos"
info "Or configure SSL manually in your web server control panel."
fi
else
warning "Certbot not available. SSL certificate not generated."
info "Please install certbot manually and run: sudo certbot --webroot -w '$WP_ROOT' -d '$DOMAIN'"
fi fi
else else
warning "Certbot not available. SSL certificate not generated." info "SSL certificate setup skipped due to invalid domain."
info "Please install certbot manually and run: sudo certbot --webroot -w '$WP_ROOT' -d '$DOMAIN'"
fi fi
# --- Final Summary --- # --- Final Summary ---
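Review bot: The new existing-certificate branch (`if sudo certbot renew --cert-name="$DOMAIN" --dry-run 2>/dev/null`, then `--force-renewal` on failure) does not do what its messages claim: `--dry-run` performs a test renewal against the staging endpoint regardless of whether the certificate is due, so its success does not mean "valid and not due for renewal", and any failure of that test (a staging outage, an authenticator plugin that is no longer installed) falls through to `--force-renewal`, which reissues even a freshly issued certificate and can exhaust Let's Encrypt's duplicate-certificate rate limit when the script is re-run a few times. Replace the nested check with a single `sudo certbot renew --cert-name "$DOMAIN"` — certbot already skips lineages that are not inside their renewal window — and drop the `2>/dev/null` on both calls so the ACME error text, including rate-limit messages, reaches the operator instead of the generic "Failed to renew" warning. The added `$DOMAIN` guard only rejects empty, `localhost` and `localdomain`; since the value is interpolated into `/etc/letsencrypt/live/$DOMAIN/…` and the certbot command line, a syntactic check such as `[[ "$DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]] || error_exit "Invalid domain: $DOMAIN"` would catch typos and stray characters before any ACME request is made. Separately, the retained fallback hint `wget https://dl.eff.org/certbot-auto` points at a deprecated, unpinned download; the distro package or snap the branches above already use is the supported path and the hint should say so.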