diff --git a/mbadmin.jps b/mbadmin.jps
index 8de038d..903abda 100644
--- a/mbadmin.jps
+++ b/mbadmin.jps
@@ -32,6 +32,9 @@ onInstall:
 # Download CA trust repair script
 - curl -OL https://deploy.mightybox.io/tony/mb-admin/raw/branch/main/scripts/fix-cert-trust.sh
 - if [ ! -f fix-cert-trust.sh ]; then echo "Failed to download fix-cert-trust.sh"; exit 1; fi
+ # Download self-signed certificate generator
+ - curl -OL https://deploy.mightybox.io/tony/mb-admin/raw/branch/main/scripts/generate-self-signed-cert.sh
+ - if [ ! -f generate-self-signed-cert.sh ]; then echo "Failed to download generate-self-signed-cert.sh"; exit 1; fi
 # Download LiteSpeed scripts with verification
 - curl -OL https://deploy.mightybox.io/tony/mb-admin/raw/branch/main/scripts/check_litespeed.php
 - if [ ! -f check_litespeed.php ]; then echo "Failed to download check_litespeed.php"; exit 1; fi
@@ -257,6 +260,12 @@ menu:
 action: fix_cert_trust
 settings: fixCertTrustConfig
 successText: "Certificate trust repair completed for '${settings.domain}'."
+ - confirmText: Generate a temporary self-signed certificate for this domain?
+ loadingText: Generating self-signed certificate...
+ caption: Generate Self-Signed Cert (Staging)
+ action: gen_self_signed
+ settings: selfSignedConfig
+ successText: "Self-signed certificate generated for '${settings.domain}'."
 - confirmText: Check if the domain is resolving to the expected IP address?
 loadingText: Checking Domain...
 caption: Check Domain IP
@@ -461,6 +470,21 @@ settings:
 type: text
 caption: Keys Directory
 default: "/var/lib/jelastic/keys"
+ selfSignedConfig:
+ submitUnchanged: true
+ fields:
+ - name: domain
+ type: text
+ caption: Domain Name
+ required: true
+ - name: days
+ type: text
+ caption: Validity (days)
+ default: "30"
+ - name: keys_dir
+ type: text
+ caption: Keys Directory
+ default: "/var/lib/jelastic/keys"
 redisObjectCacheConfig:
 submitUnchanged: true
 fields:
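Review bot: The new generate-self-signed-cert.sh download is verified only by a file-existence test, which does not detect a failed download: without `-f`, curl saves an HTTP error body under the requested name and the following `[ ! -f ... ]` check passes, so an error page could later be executed as root by the gen_self_signed action. Using `- curl -fsSLO https://deploy.mightybox.io/tony/mb-admin/raw/branch/main/scripts/generate-self-signed-cert.sh` makes HTTP errors fail the install instead. Because the script is fetched from a moving branch (`raw/branch/main`) and run as root, pinning to a tag or commit and comparing a sha256 before use would be the stronger control; the neighbouring fix-cert-trust.sh and check_litespeed.php lines have the same gap but are outside this change. The onInstall list begins outside the hunk.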
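Review bot: The confirmText on the new menu entry does not tell the operator that the action also overwrites the generic cert.pem, fullchain.pem and ca.cer files in the keys directory, which the script added in this same commit does with `cp -f`; on a node whose keys directory already holds a real certificate, confirming this prompt replaces it with a self-signed one. Consider `confirmText: Generate a temporary self-signed certificate for this domain? This replaces cert.pem, fullchain.pem and ca.cer in the keys directory.` so the staging-only intent in the caption is carried into the confirmation. The enclosing menu list starts and ends outside the hunk.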
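Review bot: The three selfSignedConfig fields reach a root shell unvalidated: domain becomes a file name in the script (`${DOMAIN}.key`), days is passed through as the validity period, and keys_dir is created and `cd`'d into, yet only `required: true` on domain constrains anything. If the form supports the `regex`/`regexText` attributes used in other Jelastic manifests, restricting domain to hostname characters (e.g. `regex: "^[A-Za-z0-9.-]+$"`), days to digits and keys_dir to an absolute path without `..` would keep a stray `/`, `"` or `$(` out of the `bash ... "${settings.domain}" "${settings.days}" "${settings.keys_dir}"` command line built in the gen_self_signed action in the next hunk. The settings mapping starts outside this hunk.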
@@ -933,6 +957,14 @@ actions:
 - return:
 type: info
 message: "${response.out}"
+ gen_self_signed:
+ - cmd[cp]:
+ user: root
+ commands:
+ - bash /home/litespeed/mbmanager/scripts/generate-self-signed-cert.sh "${settings.domain}" "${settings.days}" "${settings.keys_dir}"
+ - return:
+ type: info
+ message: "${response.out}"
 diagnose_litespeed_config:
 - cmd[cp]:
 user: root
diff --git a/scripts/generate-self-signed-cert.sh b/scripts/generate-self-signed-cert.sh
new file mode 100644
index 0000000..8c53e84
--- /dev/null
+++ b/scripts/generate-self-signed-cert.sh
@@ -0,0 +1,78 @@
+#!/bin/bash
+set -euo pipefail
+
+# Generate a temporary self-signed TLS certificate for a domain.
+# Intended for staging environments on AlmaLinux/RHEL/CentOS.
+#
+# Usage: generate-self-signed-cert.sh [days] [keys_dir]
+# domain FQDN, e.g. example.staging.local
+# days Validity in days (default: 30)
+# keys_dir Directory to write keys/certs (default: /var/lib/jelastic/keys)
+
+DOMAIN="${1:-}"
+DAYS="${2:-30}"
+KEYS_DIR="${3:-/var/lib/jelastic/keys}"
+
+if [[ -z "$DOMAIN" ]]; then
+ echo "Usage: $0 [days] [keys_dir]" >&2
+ exit 1
+fi
+
+if ! command -v openssl >/dev/null 2>&1; then
+ echo "[ERROR] openssl not found. Please install openssl." >&2
+ exit 2
+fi
+
+mkdir -p "$KEYS_DIR"
+cd "$KEYS_DIR"
+
+KEY_FILE="${DOMAIN}.key"
+CRT_FILE="${DOMAIN}.cer"
+CHAIN_FILE="${DOMAIN}.fullchain.pem"
+
+echo "[INFO] Generating RSA key (${KEY_FILE})…"
+openssl genrsa -out "$KEY_FILE" 2048 >/dev/null 2>&1
+
+TMP_CONF=$(mktemp)
+cat >"$TMP_CONF" </dev/null 2>&1
+rm -f "$TMP_CONF"
+
+# Build a fullchain (for self-signed, it's just the leaf repeated for compatibility)
+cat "$CRT_FILE" > "$CHAIN_FILE"
+
+# Maintain generic filenames used by other tooling
+cp -f "$CRT_FILE" cert.pem
+cp -f "$CHAIN_FILE" fullchain.pem
+cp -f "$CRT_FILE" ca.cer
+
+chmod 0644 "$CRT_FILE" "$CHAIN_FILE" cert.pem fullchain.pem ca.cer
+chmod 0600 "$KEY_FILE"
+
+echo "[SUCCESS] Self-signed certificate created:"
+echo " Key: $KEYS_DIR/$KEY_FILE"
+echo " Cert: $KEYS_DIR/$CRT_FILE"
+echo " Fullchain: $KEYS_DIR/$CHAIN_FILE"
+echo "[NOTE] Apply/reload your web server to use the new certificate."
+
+exit 0
+
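Review bot: DOMAIN and DAYS are used without validation after the emptiness check: DOMAIN is spliced straight into the file names `${DOMAIN}.key`, `${DOMAIN}.cer` and `${DOMAIN}.fullchain.pem` that are written inside `$KEYS_DIR` after the `cd`, so a value containing `/` or `..` writes outside the keys directory, and a non-numeric DAYS (presumably handed to openssl as the validity period; that line is garbled in this rendering) fails only with an error hidden by the `>/dev/null 2>&1` redirections. Pattern checks placed right after the `-z "$DOMAIN"` guard reject such values up front, as below. Separately, the `cp -f` lines unconditionally replace cert.pem, fullchain.pem and ca.cer, so running this on a node that already holds a real certificate clobbers it, and storing a self-signed leaf under the name ca.cer invites other tooling to treat it as a trust anchor; backing up existing files, or refusing to overwrite unless an explicit flag is given, would make the staging-only intent enforceable. The config heredoc and the openssl req invocation are missing from this rendering (the `<`-delimited text appears stripped), so they are not reviewed here.
```shell
# … unchanged: argument defaults and empty-DOMAIN usage check …

# DOMAIN becomes a file name below; accept plain hostname characters only.
if [[ ! "$DOMAIN" =~ ^[A-Za-z0-9.-]+$ || "$DOMAIN" == *..* ]]; then
  echo "[ERROR] Invalid domain name: $DOMAIN" >&2
  exit 1
fi

# DAYS is the certificate validity period; accept a positive integer only.
if [[ ! "$DAYS" =~ ^[1-9][0-9]*$ ]]; then
  echo "[ERROR] Validity must be a positive number of days: $DAYS" >&2
  exit 1
fi

# … unchanged: openssl check, key/cert generation, file copies …
```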