diff --git a/scripts/pma-gateway/create_pma_gateway.sh b/scripts/pma-gateway/create_pma_gateway.sh index a5c0771..8b888bb 100644 --- a/scripts/pma-gateway/create_pma_gateway.sh +++ b/scripts/pma-gateway/create_pma_gateway.sh @@ -37,14 +37,37 @@ if [[ "$CONTACT_EMAIL" == *'${'* ]]; then CONTACT_EMAIL="" fi -# Prefer explicit cert domain and fallback to Jelastic environment domain. -if [[ -z "$CERT_DOMAIN" ]]; then - if [[ -n "${JELASTIC_ENV_DOMAIN:-}" ]]; then - CERT_DOMAIN="$JELASTIC_ENV_DOMAIN" - else - CERT_DOMAIN=$(hostname -f) - CERT_DOMAIN=${CERT_DOMAIN#node*-} # strip nodeXXXX- +# Build domain candidates in priority order: +# 1) explicit --cert-domain +# 2) JELASTIC_ENV_DOMAIN +# 3) hostname-derived domain +HOSTNAME_DOMAIN=$(hostname -f) +HOSTNAME_DOMAIN=${HOSTNAME_DOMAIN#node*-} + +DOMAIN_CANDIDATES=() +SEEN_DOMAINS="|" +for candidate in "$CERT_DOMAIN" "${JELASTIC_ENV_DOMAIN:-}" "$HOSTNAME_DOMAIN"; do + if [[ -n "$candidate" ]] && [[ "$SEEN_DOMAINS" != *"|$candidate|"* ]]; then + DOMAIN_CANDIDATES+=("$candidate") + SEEN_DOMAINS="${SEEN_DOMAINS}${candidate}|" fi +done + +# Never use legacy *.sites.mightybox.dev domains for PMA gateway certificates. +FILTERED_DOMAINS=() +for candidate in "${DOMAIN_CANDIDATES[@]}"; do + if [[ "$candidate" == *.sites.mightybox.dev ]]; then + echo "WARNING: Skipping legacy domain candidate '$candidate' for PMA gateway SSL." >&2 + continue + fi + FILTERED_DOMAINS+=("$candidate") +done +DOMAIN_CANDIDATES=("${FILTERED_DOMAINS[@]}") + +if [[ "${#DOMAIN_CANDIDATES[@]}" -eq 0 ]]; then + echo "FATAL: No valid non-legacy environment domain candidate found for PMA gateway certificate resolution." >&2 + echo " Provide --cert-domain with the current default environment domain." >&2 + exit 1 fi # Fallback for email when not explicitly passed. @@ -52,7 +75,7 @@ if [[ -z "$CONTACT_EMAIL" ]] && [[ -n "${JELASTIC_USER_EMAIL:-}" ]]; then CONTACT_EMAIL="$JELASTIC_USER_EMAIL" fi -ENV_HOST="$CERT_DOMAIN" +ENV_HOST="${DOMAIN_CANDIDATES[0]}" PMADB_DIR="/usr/share/phpMyAdmin" GATEWAY_FILE="$PMADB_DIR/access-db-$SLUG.php" @@ -78,30 +101,42 @@ token="$base.$mac" VHOST_CONFIG="/usr/share/phpMyAdmin/vhost.conf" NEEDS_RESTART=0 -# --- Let's Encrypt certificate resolution for ENV_HOST --- +# --- Let's Encrypt certificate resolution for domain candidates --- LE_LIVE_DIR="/etc/letsencrypt/live" LE_CERT_DIR="" +CERT_DOMAIN_USED="" -# Attempt exact match first. -if [[ -d "$LE_LIVE_DIR/$ENV_HOST" ]] && [[ -f "$LE_LIVE_DIR/$ENV_HOST/privkey.pem" ]] && [[ -f "$LE_LIVE_DIR/$ENV_HOST/fullchain.pem" ]]; then - LE_CERT_DIR="$LE_LIVE_DIR/$ENV_HOST" - echo "INFO: Found exact Let's Encrypt cert directory: $LE_CERT_DIR" >&2 -fi +# Find an existing certificate for the first matching candidate. +for candidate_host in "${DOMAIN_CANDIDATES[@]}"; do + if [[ -d "$LE_LIVE_DIR/$candidate_host" ]] && [[ -f "$LE_LIVE_DIR/$candidate_host/privkey.pem" ]] && [[ -f "$LE_LIVE_DIR/$candidate_host/fullchain.pem" ]]; then + LE_CERT_DIR="$LE_LIVE_DIR/$candidate_host" + CERT_DOMAIN_USED="$candidate_host" + echo "INFO: Found exact Let's Encrypt cert directory for '$candidate_host': $LE_CERT_DIR" >&2 + break + fi -# Then try certbot-suffixed directories (e.g., domain-0001). -if [[ -z "$LE_CERT_DIR" ]]; then - for dir in "$LE_LIVE_DIR/$ENV_HOST"-*/; do + for dir in "$LE_LIVE_DIR/$candidate_host"-*/; do if [[ -d "$dir" ]] && [[ -f "$dir/privkey.pem" ]] && [[ -f "$dir/fullchain.pem" ]]; then LE_CERT_DIR="${dir%/}" - echo "INFO: Found suffixed Let's Encrypt cert directory: $LE_CERT_DIR" >&2 + CERT_DOMAIN_USED="$candidate_host" + echo "INFO: Found suffixed Let's Encrypt cert directory for '$candidate_host': $LE_CERT_DIR" >&2 break fi done + + if [[ -n "$LE_CERT_DIR" ]]; then + break + fi +done + +if [[ -n "$CERT_DOMAIN_USED" ]]; then + ENV_HOST="$CERT_DOMAIN_USED" fi -# If no cert exists yet, attempt one-time issuance for ENV_HOST. +# If no cert exists yet, attempt one-time issuance for highest-priority candidate. if [[ -z "$LE_CERT_DIR" ]]; then - echo "WARNING: No Let's Encrypt certificate found for '$ENV_HOST'. Attempting to issue one now..." >&2 + ENV_HOST="${DOMAIN_CANDIDATES[0]}" + echo "WARNING: No Let's Encrypt certificate found for domain candidates (${DOMAIN_CANDIDATES[*]}). Attempting to issue one for '$ENV_HOST' now..." >&2 CERTBOT_CMD="" if command -v certbot >/dev/null 2>&1; then @@ -110,6 +145,24 @@ if [[ -z "$LE_CERT_DIR" ]]; then CERTBOT_CMD="/opt/certbot/certbot-auto" fi + if [[ -z "$CERTBOT_CMD" ]]; then + echo "WARNING: certbot is not available. Attempting to install certbot..." >&2 + if command -v dnf >/dev/null 2>&1; then + sudo dnf install -y --setopt=install_weak_deps=False certbot >/dev/null 2>&1 || true + elif command -v yum >/dev/null 2>&1; then + sudo yum install -y certbot >/dev/null 2>&1 || true + elif command -v apt-get >/dev/null 2>&1; then + sudo apt-get update -qq >/dev/null 2>&1 || true + sudo apt-get install -y certbot >/dev/null 2>&1 || true + fi + + if command -v certbot >/dev/null 2>&1; then + CERTBOT_CMD="certbot" + elif [[ -x "/opt/certbot/certbot-auto" ]]; then + CERTBOT_CMD="/opt/certbot/certbot-auto" + fi + fi + if [[ -z "$CERTBOT_CMD" ]]; then echo "FATAL: certbot is not available and no existing Let's Encrypt certificate was found for '$ENV_HOST'." >&2 exit 1 @@ -150,6 +203,7 @@ if [[ -n "$LE_CERT_DIR" ]]; then LE_CERT_FILE="$LE_CERT_DIR/fullchain.pem" else echo "FATAL: Let's Encrypt certificate directory could not be found for ENV_HOST: $ENV_HOST" >&2 + echo " Checked candidates: ${DOMAIN_CANDIDATES[*]}" >&2 echo " Checked specific path: $LE_LIVE_DIR/$ENV_HOST" >&2 echo " Checked suffixed paths: $LE_LIVE_DIR/${ENV_HOST}-*" >&2 exit 1