Fix LE cert issue

2025-06-25 00:25:49 +08:00 · 2025-06-25 00:25:49 +08:00 · 794a7ea758
parent cd0bf962db
commit 794a7ea758
1 changed files with 130 additions and 73 deletions
--- a/scripts/install-wordpress.sh
+++ b/scripts/install-wordpress.sh
@ -771,87 +771,144 @@ fi
 # --- Let's Encrypt SSL Certificate Setup ---
 info "Setting up Let's Encrypt SSL certificate..."

-# Install certbot if not present
-if ! command_exists certbot; then
-    info "Installing certbot for Let's Encrypt certificate management..."
-    if command_exists apt-get; then
-        # Debian/Ubuntu
-        sudo apt-get update -qq
-        sudo apt-get install -y certbot python3-certbot-apache || error_exit "Failed to install certbot via apt-get"
-    elif command_exists yum; then
-        # CentOS/RHEL 7
-        sudo yum install -y epel-release
-        sudo yum install -y certbot python3-certbot-apache || error_exit "Failed to install certbot via yum"
-    elif command_exists dnf; then
-        # CentOS/RHEL 8+/Fedora
-        sudo dnf install -y certbot python3-certbot-apache || error_exit "Failed to install certbot via dnf"
-    else
-        warning "Package manager not detected. Please install certbot manually."
-        info "You can install certbot using: wget https://dl.eff.org/certbot-auto && chmod a+x certbot-auto"
-    fi
+# Validate domain is properly set before proceeding
+if [[ -z "$DOMAIN" ]]; then
+    error_exit "Domain variable is empty. Cannot proceed with SSL certificate generation."
+fi
+if [[ "$DOMAIN" == "localhost" || "$DOMAIN" == "localdomain" ]]; then
+    warning "Domain is '$DOMAIN' which is not suitable for SSL certificates. Skipping SSL setup."
+    info "You can manually configure SSL later or re-run with --domain=your-actual-domain.com"
+    # Skip SSL section entirely
+    SSL_SKIPPED=true
 else
-    success "Certbot is already installed."
+    info "Using domain for SSL certificate: $DOMAIN"
+    SSL_SKIPPED=false
 fi

-# Generate SSL certificate
-if command_exists certbot; then
-    info "Generating Let's Encrypt SSL certificate for domain: $DOMAIN"
-    
-    # Create a simple verification file for webroot authentication
-    WEBROOT_PATH="$WP_ROOT"
-    ACME_CHALLENGE_DIR="$WEBROOT_PATH/.well-known/acme-challenge"
-    sudo mkdir -p "$ACME_CHALLENGE_DIR"
-    sudo chown -R "${WEB_USER}:${WEB_GROUP}" "$WEBROOT_PATH/.well-known"
-    sudo chmod -R 755 "$WEBROOT_PATH/.well-known"
-    
-    # Try webroot method first (non-interactive)
-    info "Attempting SSL certificate generation using webroot method..."
-    if sudo certbot certonly \
-        --webroot \
-        --webroot-path="$WEBROOT_PATH" \
-        --email="$WP_ADMIN_EMAIL" \
-        --agree-tos \
-        --non-interactive \
-        --domains="$DOMAIN" \
-        --expand; then
-        
-        success "SSL certificate generated successfully for $DOMAIN"
-        
-        # Set up automatic renewal
-        info "Setting up automatic SSL certificate renewal..."
-        
-        # Create renewal cron job if it doesn't exist
-        CRON_JOB="0 12 * * * /usr/bin/certbot renew --quiet --post-hook \"systemctl reload lshttpd || systemctl reload apache2 || systemctl reload nginx\""
-        if ! sudo crontab -l 2>/dev/null | grep -q "certbot renew"; then
-            (sudo crontab -l 2>/dev/null; echo "$CRON_JOB") | sudo crontab -
-            success "Automatic SSL renewal configured (daily check at 12:00 PM)"
+# Only proceed with SSL setup if domain is valid
+if [[ "$SSL_SKIPPED" != "true" ]]; then
+    # Install certbot if not present
+    if ! command_exists certbot; then
+        info "Installing certbot for Let's Encrypt certificate management..."
+        if command_exists apt-get; then
+            # Debian/Ubuntu
+            sudo apt-get update -qq
+            sudo apt-get install -y certbot python3-certbot-apache || error_exit "Failed to install certbot via apt-get"
+        elif command_exists yum; then
+            # CentOS/RHEL 7
+            sudo yum install -y epel-release
+            sudo yum install -y certbot python3-certbot-apache || error_exit "Failed to install certbot via yum"
+        elif command_exists dnf; then
+            # CentOS/RHEL 8+/Fedora
+            sudo dnf install -y certbot python3-certbot-apache || error_exit "Failed to install certbot via dnf"
        else
-            info "SSL renewal cron job already exists."
+            warning "Package manager not detected. Please install certbot manually."
+            info "You can install certbot using: wget https://dl.eff.org/certbot-auto && chmod a+x certbot-auto"
        fi
-        
-        # For LiteSpeed, we need to restart the service to pick up new certificates
-        info "Restarting LiteSpeed web server to apply SSL certificate..."
-        if sudo systemctl is-active lshttpd &>/dev/null; then
-            sudo systemctl restart lshttpd || warning "Failed to restart lshttpd service"
-            success "LiteSpeed restarted successfully"
-        elif sudo systemctl is-active litespeed &>/dev/null; then
-            sudo systemctl restart litespeed || warning "Failed to restart litespeed service"  
-            success "LiteSpeed restarted successfully"
-        else
-            warning "LiteSpeed service not detected or not running. You may need to manually configure SSL in LiteSpeed admin panel."
-            info "SSL certificate location: /etc/letsencrypt/live/$DOMAIN/"
-            info "Certificate file: /etc/letsencrypt/live/$DOMAIN/fullchain.pem"
-            info "Private key file: /etc/letsencrypt/live/$DOMAIN/privkey.pem"
-        fi
-        
    else
-        warning "SSL certificate generation failed. You can manually run:"
-        warning "sudo certbot --webroot -w '$WP_ROOT' -d '$DOMAIN' --email '$WP_ADMIN_EMAIL' --agree-tos"
-        info "Or configure SSL manually in your web server control panel."
+        success "Certbot is already installed."
+    fi
+
+    # Generate SSL certificate
+    if command_exists certbot; then
+        info "Generating Let's Encrypt SSL certificate for domain: $DOMAIN"
+        
+        # Create a simple verification file for webroot authentication
+        WEBROOT_PATH="$WP_ROOT"
+        ACME_CHALLENGE_DIR="$WEBROOT_PATH/.well-known/acme-challenge"
+        sudo mkdir -p "$ACME_CHALLENGE_DIR"
+        sudo chown -R "${WEB_USER}:${WEB_GROUP}" "$WEBROOT_PATH/.well-known"
+        sudo chmod -R 755 "$WEBROOT_PATH/.well-known"
+        
+        # Try webroot method first (non-interactive)
+        info "Attempting SSL certificate generation using webroot method..."
+        # Check if certificate already exists
+        if [[ -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]]; then
+            info "SSL certificate already exists for $DOMAIN. Checking if renewal is needed..."
+            if sudo certbot renew --cert-name="$DOMAIN" --dry-run 2>/dev/null; then
+                info "Existing SSL certificate is valid and not due for renewal."
+                SSL_SUCCESS=true
+            else
+                info "Existing certificate needs renewal. Attempting to renew..."
+                if sudo certbot renew --cert-name="$DOMAIN" --force-renewal 2>/dev/null; then
+                    SSL_SUCCESS=true
+                else
+                    warning "Failed to renew existing SSL certificate."
+                    SSL_SUCCESS=false
+                fi
+            fi
+        else
+            # Generate new certificate
+            if sudo certbot certonly \
+                --webroot \
+                --webroot-path="$WEBROOT_PATH" \
+                --email="$WP_ADMIN_EMAIL" \
+                --agree-tos \
+                --non-interactive \
+                --domains="$DOMAIN"; then
+                SSL_SUCCESS=true
+            else
+                SSL_SUCCESS=false
+            fi
+        fi
+        
+        if [[ "$SSL_SUCCESS" == "true" ]]; then
+            success "SSL certificate is ready for $DOMAIN"
+            
+            # Set up automatic renewal
+            info "Setting up automatic SSL certificate renewal..."
+            
+            # Create renewal cron job if it doesn't exist
+            CRON_JOB="0 12 * * * /usr/bin/certbot renew --quiet --post-hook \"systemctl reload lshttpd || systemctl reload apache2 || systemctl reload nginx\""
+            if ! sudo crontab -l 2>/dev/null | grep -q "certbot renew"; then
+                if (sudo crontab -l 2>/dev/null; echo "$CRON_JOB") | sudo crontab - 2>/dev/null; then
+                    success "Automatic SSL renewal configured (daily check at 12:00 PM)"
+                else
+                    warning "Failed to configure automatic SSL renewal cron job"
+                fi
+            else
+                info "SSL renewal cron job already exists."
+            fi
+            
+            # For LiteSpeed, we need to restart the service to pick up new certificates
+            info "Restarting LiteSpeed web server to apply SSL certificate..."
+            LITESPEED_RESTARTED=false
+            if sudo systemctl is-active lshttpd &>/dev/null; then
+                if sudo systemctl restart lshttpd 2>/dev/null; then
+                    success "LiteSpeed (lshttpd) restarted successfully"
+                    LITESPEED_RESTARTED=true
+                else
+                    warning "Failed to restart lshttpd service"
+                fi
+            elif sudo systemctl is-active litespeed &>/dev/null; then
+                if sudo systemctl restart litespeed 2>/dev/null; then
+                    success "LiteSpeed (litespeed) restarted successfully"
+                    LITESPEED_RESTARTED=true
+                else
+                    warning "Failed to restart litespeed service"
+                fi
+            else
+                warning "LiteSpeed service not detected or not running."
+            fi
+            
+            if [[ "$LITESPEED_RESTARTED" != "true" ]]; then
+                warning "LiteSpeed service restart failed or not attempted. You may need to manually configure SSL in LiteSpeed admin panel."
+                info "SSL certificate location: /etc/letsencrypt/live/$DOMAIN/"
+                info "Certificate file: /etc/letsencrypt/live/$DOMAIN/fullchain.pem"
+                info "Private key file: /etc/letsencrypt/live/$DOMAIN/privkey.pem"
+            fi
+            
+        else
+            warning "SSL certificate generation failed. You can manually run:"
+            warning "sudo certbot --webroot -w '$WP_ROOT' -d '$DOMAIN' --email '$WP_ADMIN_EMAIL' --agree-tos"
+            info "Or configure SSL manually in your web server control panel."
+        fi
+    else
+        warning "Certbot not available. SSL certificate not generated."
+        info "Please install certbot manually and run: sudo certbot --webroot -w '$WP_ROOT' -d '$DOMAIN'"
    fi
 else
-    warning "Certbot not available. SSL certificate not generated."
-    info "Please install certbot manually and run: sudo certbot --webroot -w '$WP_ROOT' -d '$DOMAIN'"
+    info "SSL certificate setup skipped due to invalid domain."
 fi

 # --- Final Summary ---