From bd57110ffa0339c2bb7f2f64dc34181b474ab293 Mon Sep 17 00:00:00 2001 From: Anthony Date: Thu, 25 Sep 2025 19:31:34 +0800 Subject: [PATCH] New SSL without Public IP --- mbadmin.jps | 36 +++++++++ scripts/OLDdbPreparation.sh | 116 ----------------------------- scripts/ssl-manager/ssl_manager.sh | 89 ++++++++++++++++++++-- 3 files changed, 117 insertions(+), 124 deletions(-) delete mode 100644 scripts/OLDdbPreparation.sh diff --git a/mbadmin.jps b/mbadmin.jps index 6b99d92..0e2409d 100644 --- a/mbadmin.jps +++ b/mbadmin.jps @@ -108,6 +108,13 @@ onInstall: else echo "Skipping DNS plugin installation as Certbot wasn't installed"; fi + # Install acme.sh + - if [ ! -f /root/.acme.sh/acme.sh ]; then + echo "Installing acme.sh..."; + curl https://get.acme.sh | sh; + else + echo "acme.sh is already installed."; + fi menu: - confirmText: Are you sure you want to execute this WP-CLI command? @@ -262,6 +269,12 @@ menu: action: issue_ssl_cert settings: sslCertConfig successText: "SSL certificate for '${settings.domain}' has been issued successfully." + - confirmText: Are you sure you want to issue an SSL certificate for this domain using DNS challenge? + loadingText: Issuing SSL Certificate via DNS... + caption: Issue SSL Certificate (DNS) + action: issue_ssl_cert_dns + settings: sslCertDnsConfig + successText: "SSL certificate for '${settings.domain}' has been issued successfully via DNS challenge." - confirmText: Rebuild fullchain and refresh system CA trust for this domain? loadingText: Fixing certificate trust... caption: Fix Certificate Trust @@ -462,6 +475,21 @@ settings: type: text caption: Email Address required: true + sslCertDnsConfig: + submitUnchanged: true + fields: + - name: domain + type: text + caption: Domain Name + required: true + - name: email + type: text + caption: Email Address + required: true + - name: bunny_api_key + type: password + caption: BunnyDNS API Key + required: true sslRemoveConfig: submitUnchanged: true fields: 
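Review bot: The install step added in the @@ -108 hunk runs `curl https://get.acme.sh | sh` with no version pin and no integrity check, so whatever that URL serves at install time is executed unverified, and `install_acme_sh` in scripts/ssl-manager/ssl_manager.sh repeats the same pattern (its hunk begins outside this chunk). Because `curl` is called without `-f`/`-sS`, an HTTP error page would also be piped into `sh` rather than failing the step. A safer shape is to fetch a pinned acme.sh release archive with `curl -fsSL`, verify it with `sha256sum -c` against a checksum committed to this repository, and only then run its installer; vendoring acme.sh into the package is the other option and also removes the install-time network dependency. The presence check on `/root/.acme.sh/acme.sh` assumes this step runs as root, which the hunk does not show; if it runs as another user, ssl_manager.sh's later `"$HOME/.acme.sh/acme.sh"` lookup would point somewhere else.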
@@ -958,6 +986,14 @@ actions: - return: type: info message: "SSL certificate issuance process completed." + issue_ssl_cert_dns: + - cmd[cp]: + user: root + commands: + - bash /home/litespeed/mbmanager/ssl-manager/ssl_manager.sh --dns-challenge --domain="${settings.domain}" --email="${settings.email}" --bunny-api-key="${settings.bunny_api_key}" --verbose + - return: + type: info + message: "SSL certificate issuance process via DNS challenge completed." check_domain_ip: - cmd[cp]: user: root diff --git a/scripts/OLDdbPreparation.sh b/scripts/OLDdbPreparation.sh deleted file mode 100644 index d41cba4..0000000 --- a/scripts/OLDdbPreparation.sh +++ /dev/null 
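Review bot: The `issue_ssl_cert_dns` action passes the BunnyDNS key on the command line (`--bunny-api-key="${settings.bunny_api_key}"`), so for the lifetime of the run it is readable by any local user through `ps` or `/proc/<pid>/cmdline`, and it is likely to be recorded in the platform's action/command log next to the `--verbose` output. Since acme.sh's dns_bunny hook reads the key from the `BUNNY_API_KEY` environment variable anyway (the script itself exports it under that name), the command could become `BUNNY_API_KEY="${settings.bunny_api_key}" bash /home/litespeed/mbmanager/ssl-manager/ssl_manager.sh --dns-challenge --domain="${settings.domain}" --email="${settings.email}" --verbose`, keeping the value out of argv; that needs a matching change in `main`, which currently resets `BUNNY_API_KEY=""` and only fills it from `--bunny-api-key=`. Note also that the settings value is spliced verbatim into a double-quoted bash string, so a key containing `"`, `$` or a backtick would change the command; `domain` and `email` already share that shape, and a stricter `sslCertDnsConfig` field validation would cover all three.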
@@ -1,116 +0,0 @@ -#!/bin/bash - -# Source the utility script -source "$(dirname "$0")/utils.sh" - -# Automatically generate a new secure password for the root user -new_root_password=$(openssl rand -base64 12) - -# Generate random database name, user, and password for the new database -DB_NAME="db_$(openssl rand -hex 4)" -DB_USER="user_$(openssl rand -hex 4)" -DB_PASSWORD="$(openssl rand -base64 12)" -DB_HOST="127.0.0.1" # Change if your database is hosted elsewhere - -echo "New root password will be: $new_root_password" -echo "New database credentials:" -echo "Database Name: $DB_NAME" -echo "Database User: $DB_USER" -echo "Database Password: $DB_PASSWORD" - -echo "Attempting to stop the MariaDB service..." -# Stop the MariaDB service -sudo systemctl stop mariadb - -echo "Starting MariaDB in safe mode..." -# Start MariaDB in safe mode with no networking and no grants -sudo mysqld_safe --skip-grant-tables --skip-networking & - -# Wait for MariaDB to fully start in safe mode -sleep 5 - -echo "Resetting the root password..." -# Reset the root password in safe mode -sudo mysql -u root </dev/null; then + log "acme.sh not found. Installing..." + if curl https://get.acme.sh | sh; then + log_success "acme.sh installed successfully." + else + log_error "Failed to install acme.sh." + SCRIPT_EXIT_STATUS=1; return 1 + fi + else + log "acme.sh is already installed." + fi +} + check_command() { local cmd="$1" local pkg="$2" 
@@ -176,6 +190,44 @@ validate_http_access() { [[ "$(curl -s "http://$1/.well-known/acme-challenge/test-token")" == "$token" ]] } +issue_certificate_dns() { + local domain="$1" + local bunny_api_key="$2" + local email="$3" + + if [[ -z "$bunny_api_key" ]]; then + log_error "BunnyDNS API key is required for DNS challenge." + SCRIPT_EXIT_STATUS=1; return 1 + fi + + log "Issuing SSL certificate for domain '$domain' using DNS challenge..." + export BUNNY_API_KEY="$bunny_api_key" + + # Use acme.sh to issue the certificate + "$HOME/.acme.sh/acme.sh" --issue --dns dns_bunny -d "$domain" --accountemail "$email" || { + log_error "Failed to issue certificate for '$domain' using DNS challenge." + unset BUNNY_API_KEY + SCRIPT_EXIT_STATUS=1; return 1 + } + + log_success "Certificate successfully issued for '$domain' using DNS challenge." + + # Install the certificate to the standard Let's Encrypt directory + local cert_path="$CERT_DIR/$domain" + sudo mkdir -p "$cert_path" + "$HOME/.acme.sh/acme.sh" --install-cert -d "$domain" \ + --key-file "$cert_path/privkey.pem" \ + --fullchain-file "$cert_path/fullchain.pem" \ + --reloadcmd "sudo systemctl restart lsws" || { + log_error "Failed to install certificate for '$domain'." + unset BUNNY_API_KEY + SCRIPT_EXIT_STATUS=1; return 1 + } + + log_success "Certificate successfully installed for '$domain'." + unset BUNNY_API_KEY +} + issue_certificate() { if [[ -f "$CERT_DIR/$1/fullchain.pem" ]]; then log_success "Certificate already exists for '$1'. Skipping issuance." @@ -348,6 +400,8 @@ main() { log "Starting SSL Manager V2.0.4" # Parse parameters + DNS_CHALLENGE=0 + BUNNY_API_KEY="" for arg in "$@"; do case $arg in --public-ip=*) PUBLIC_IP="${arg#*=}"; log_verbose "Set public IP: $PUBLIC_IP";; 
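Review bot: `issue_certificate_dns` leaves `$cert_path/privkey.pem` with whatever mode acme.sh's `--install-cert` copy inherits from the umask, while the comment says it targets the standard Let's Encrypt directory, where certbot keeps private keys unreadable to other users; a `sudo chmod 600 "$cert_path/privkey.pem"` after the install step (and a `chmod 700 "$cert_path"` after the `mkdir -p`) would make the two paths equivalent. `export BUNNY_API_KEY` also places the secret in the environment of every later child (`sudo mkdir`, the second acme.sh call and its `--reloadcmd`), and acme.sh, as far as I recall, persists DNS-API credentials in its account config under `$HOME/.acme.sh` for renewals, so the three `unset` lines clear the process environment but not that on-disk copy — worth a comment such as `# acme.sh keeps BUNNY_API_KEY in its account config for renewals; keep that file root-only`. Scoping the key to the issue call with a per-command prefix, `BUNNY_API_KEY="$bunny_api_key" "$HOME/.acme.sh/acme.sh" --issue --dns dns_bunny -d "$domain" --accountemail "$email" || {`, would remove the need for the `unset` lines entirely. Unlike `issue_certificate`, this function has no `fullchain.pem` pre-check, so every run re-invokes `--issue`; mirroring that guard would keep the two paths consistent.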
@@ -357,21 +411,32 @@ main() { --vhost=*) VHOST_NAME="${arg#*=}"; log_verbose "Set vhost name: $VHOST_NAME";; --verbose) VERBOSE=1; log "Verbose mode enabled";; --update-listener) UPDATE_LISTENER=1; log "Updating listener certificate to LE for $PRIMARY_DOMAIN";; + --dns-challenge) DNS_CHALLENGE=1; log "DNS challenge mode enabled";; + --bunny-api-key=*) BUNNY_API_KEY="${arg#*=}";; *) log_error "Invalid argument: $arg"; SCRIPT_EXIT_STATUS=1; exit 1;; esac done - [[ -z "$PRIMARY_DOMAIN" || -z "$PUBLIC_IP" || -z "$EMAIL" ]] && { - log_error "Missing required parameters. Provide --domains, --public-ip, and --email." - SCRIPT_EXIT_STATUS=1; exit 1 - } + if [[ "$DNS_CHALLENGE" -eq 1 ]]; then + [[ -z "$PRIMARY_DOMAIN" || -z "$EMAIL" ]] && { + log_error "Missing required parameters for DNS challenge. Provide --domain and --email." + SCRIPT_EXIT_STATUS=1; exit 1 + } + else + [[ -z "$PRIMARY_DOMAIN" || -z "$PUBLIC_IP" || -z "$EMAIL" ]] && { + log_error "Missing required parameters. Provide --domains, --public-ip, and --email." 
+ SCRIPT_EXIT_STATUS=1; exit 1 + } + fi validate_domain "$PRIMARY_DOMAIN" || { log_error "Invalid domain '$PRIMARY_DOMAIN'"; SCRIPT_EXIT_STATUS=1; exit 1; } - validate_ip "$PUBLIC_IP" || { log_error "Invalid IP '$PUBLIC_IP'"; SCRIPT_EXIT_STATUS=1; exit 1; } validate_email "$EMAIL" || { log_error "Invalid email '$EMAIL'"; SCRIPT_EXIT_STATUS=1; exit 1; } - validate_dns "$PRIMARY_DOMAIN" "$PUBLIC_IP" || { log_error "DNS validation failed"; SCRIPT_EXIT_STATUS=1; exit 1; } - validate_http_access "$PRIMARY_DOMAIN" || { log_error "HTTP access validation failed"; SCRIPT_EXIT_STATUS=1; exit 1; } + if [[ "$DNS_CHALLENGE" -eq 0 ]]; then + validate_ip "$PUBLIC_IP" || { log_error "Invalid IP '$PUBLIC_IP'"; SCRIPT_EXIT_STATUS=1; exit 1; } + validate_dns "$PRIMARY_DOMAIN" "$PUBLIC_IP" || { log_error "DNS validation failed"; SCRIPT_EXIT_STATUS=1; exit 1; } + validate_http_access "$PRIMARY_DOMAIN" || { log_error "HTTP access validation failed"; SCRIPT_EXIT_STATUS=1; exit 1; } + fi log_verbose "Checking dependencies..." check_command xmllint libxml2 @@ -381,9 +446,17 @@ main() { check_command curl curl check_command openssl openssl + if [[ "$DNS_CHALLENGE" -eq 1 ]]; then + install_acme_sh + fi + create_default_backup for domain in "${DOMAINS[@]}"; do - issue_certificate "$domain" "$EMAIL" + if [[ "$DNS_CHALLENGE" -eq 1 ]]; then + issue_certificate_dns "$domain" "$BUNNY_API_KEY" "$EMAIL" + else + issue_certificate "$domain" "$EMAIL" + fi update_httpd_config "$domain" "$PUBLIC_IP" cleanup_xml "$domain" done
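Review bot: The DNS-mode required-parameter check does not include `--bunny-api-key`, so a missing key is only caught inside `issue_certificate_dns` per domain, after `install_acme_sh` (which may download and run the installer) and `create_default_backup` have already executed; `[[ -z "$PRIMARY_DOMAIN" || -z "$EMAIL" || -z "$BUNNY_API_KEY" ]] && {` with the message extended to name `--bunny-api-key` would fail fast. The new message says `--domain` while the HTTP-mode message next to it says `--domains`; the option is parsed outside this hunk, so one of the two appears to be wrong and they should agree. The `*)` branch still logs the full unrecognised argument, so a mistyped key option (for example passed as a separate token) would write the secret to the log; masking values in that branch is cheap.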
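Review bot: In DNS-challenge mode `update_httpd_config "$domain" "$PUBLIC_IP"` still runs with `PUBLIC_IP` neither required nor validated, so it may receive an empty string; `update_httpd_config` is outside this chunk, so I cannot tell whether it tolerates that, but the call should at least be guarded or the requirement made explicit. The loop also ignores the return status of `issue_certificate_dns`, so on a failed or key-less issuance the config update and `cleanup_xml` still run for a domain with no certificate; `issue_certificate_dns "$domain" "$BUNNY_API_KEY" "$EMAIL" || continue` would skip those steps while preserving `SCRIPT_EXIT_STATUS`. The HTTP path shares the unchecked-call shape, so the same `|| continue` fits the `else` branch too. The `--reloadcmd` already restarts lsws during `--install-cert`, so if `update_httpd_config` restarts it again this path produces two restarts per domain.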