New SSL without Public IP

2025-09-25 19:31:34 +08:00 · 2025-09-25 19:31:34 +08:00 · bd57110ffa
parent 87bc4168ba
commit bd57110ffa
3 changed files with 117 additions and 124 deletions
--- a/mbadmin.jps
+++ b/mbadmin.jps
@ -108,6 +108,13 @@ onInstall:
          else
            echo "Skipping DNS plugin installation as Certbot wasn't installed";
          fi
        # Install acme.sh
        - if [ ! -f /root/.acme.sh/acme.sh ]; then
            echo "Installing acme.sh...";
            curl https://get.acme.sh | sh;
          else
            echo "acme.sh is already installed.";
          fi
 menu:
  - confirmText: Are you sure you want to execute this WP-CLI command?
@ -262,6 +269,12 @@ menu:
    action: issue_ssl_cert
    settings: sslCertConfig
    successText: "SSL certificate for '${settings.domain}' has been issued successfully."
  - confirmText: Are you sure you want to issue an SSL certificate for this domain using DNS challenge?
    loadingText: Issuing SSL Certificate via DNS...
    caption: Issue SSL Certificate (DNS)
    action: issue_ssl_cert_dns
    settings: sslCertDnsConfig
    successText: "SSL certificate for '${settings.domain}' has been issued successfully via DNS challenge."
  - confirmText: Rebuild fullchain and refresh system CA trust for this domain?
    loadingText: Fixing certificate trust...
    caption: Fix Certificate Trust
@ -462,6 +475,21 @@ settings:
        type: text
        caption: Email Address
        required: true
  sslCertDnsConfig:
    submitUnchanged: true
    fields:
      - name: domain
        type: text
        caption: Domain Name
        required: true
      - name: email
        type: text
        caption: Email Address
        required: true
      - name: bunny_api_key
        type: password
        caption: BunnyDNS API Key
        required: true
  sslRemoveConfig:
    submitUnchanged: true
    fields:
@ -958,6 +986,14 @@ actions:
    - return:
        type: info
        message: "SSL certificate issuance process completed."
  issue_ssl_cert_dns:
    - cmd[cp]:
        user: root
        commands:
          - bash /home/litespeed/mbmanager/ssl-manager/ssl_manager.sh --dns-challenge --domain="${settings.domain}" --email="${settings.email}" --bunny-api-key="${settings.bunny_api_key}" --verbose
    - return:
        type: info
        message: "SSL certificate issuance process via DNS challenge completed."
  check_domain_ip:
    - cmd[cp]:
        user: root
--- a/scripts/OLDdbPreparation.sh
+++ b/scripts/OLDdbPreparation.sh
@ -1,116 +0,0 @@
 #!/bin/bash
 # Source the utility script
 source "$(dirname "$0")/utils.sh"
 # Automatically generate a new secure password for the root user
 new_root_password=$(openssl rand -base64 12)
 # Generate random database name, user, and password for the new database
 DB_NAME="db_$(openssl rand -hex 4)"
 DB_USER="user_$(openssl rand -hex 4)"
 DB_PASSWORD="$(openssl rand -base64 12)"
 DB_HOST="127.0.0.1" # Change if your database is hosted elsewhere
 echo "New root password will be: $new_root_password"
 echo "New database credentials:"
 echo "Database Name: $DB_NAME"
 echo "Database User: $DB_USER"
 echo "Database Password: $DB_PASSWORD"
 echo "Attempting to stop the MariaDB service..."
 # Stop the MariaDB service
 sudo systemctl stop mariadb
 echo "Starting MariaDB in safe mode..."
 # Start MariaDB in safe mode with no networking and no grants
 sudo mysqld_safe --skip-grant-tables --skip-networking &
 # Wait for MariaDB to fully start in safe mode
 sleep 5
 echo "Resetting the root password..."
 # Reset the root password in safe mode
 sudo mysql -u root <<EOF
 FLUSH PRIVILEGES;
 ALTER USER 'root'@'localhost' IDENTIFIED BY '$new_root_password';
 ALTER USER 'root'@'127.0.0.1' IDENTIFIED BY '$new_root_password';
 FLUSH PRIVILEGES;
 EOF
 # Check if the password reset was successful
 if [ $? -eq 0 ]; then
    echo "Root password reset successful."
 else
    echo "Failed to reset the root password. Exiting."
    sudo pkill -f mariadbd
    sudo pkill -f mysqld_safe
    exit 1
 fi
 echo "Stopping the MariaDB safe mode process..."
 # Terminate the MariaDB safe mode processes
 sudo pkill -f mysqld_safe
 sleep 2
 sudo pkill -f mariadbd
 sleep 2
 echo "Starting the MariaDB service normally..."
 # Start the MariaDB service normally
 sudo systemctl start mariadb
 # Check if MariaDB started successfully
 if sudo systemctl is-active --quiet mariadb; then
    echo "MariaDB service is running. Root password has been reset to '$new_root_password'."
 else
    echo "Failed to start MariaDB service. Please check the service status manually."
    exit 1
 fi
 # Introduce a delay to allow MariaDB to fully initialize
 sleep 5
 # Create MySQL database and user with the new root password
 echo "Creating MySQL database and user with the new root password..."
 mysql -u root -p"$new_root_password" <<EOF
 CREATE DATABASE ${DB_NAME};
 CREATE USER '${DB_USER}'@'${DB_HOST}' IDENTIFIED BY '${DB_PASSWORD}';
 GRANT ALL PRIVILEGES ON ${DB_NAME}.* TO '${DB_USER}'@'${DB_HOST}' IDENTIFIED BY '${DB_PASSWORD}';
 FLUSH PRIVILEGES;
 EOF
 # Check if the database and user creation was successful
 if [ $? -eq 0 ]; then
    echo "Database ${DB_NAME} and user ${DB_USER} created successfully with the specified password."
 else
    echo "Failed to create database or user. Please check the MySQL status manually."
    exit 1
 fi
 # Backup the wp-config.php file before making changes
 WP_CONFIG="/var/www/webroot/ROOT/wp-config.php"
 if [ ! -f "$WP_CONFIG" ]; then
    echo "Error: wp-config.php not found at $WP_CONFIG. Please ensure WordPress is installed correctly."
    exit 1
 fi
 sudo cp $WP_CONFIG $WP_CONFIG.bak
 echo "Updating wp-config.php with new database credentials..."
 # Update wp-config.php with new database credentials using the reusable function
 search_and_replace "define( *'DB_NAME', '.*' *);" "define('DB_NAME', '${DB_NAME}');" "$WP_CONFIG"
 search_and_replace "define( *'DB_USER', '.*' *);" "define('DB_USER', '${DB_USER}');" "$WP_CONFIG"
 search_and_replace "define( *'DB_PASSWORD', '.*' *);" "define('DB_PASSWORD', '${DB_PASSWORD}');" "$WP_CONFIG"
 search_and_replace "define( *'DB_HOST', '.*' *);" "define('DB_HOST', '${DB_HOST}');" "$WP_CONFIG"
 # Check if wp-config.php was updated successfully
 if grep -q "define( *'DB_NAME', '${DB_NAME}' *);" "$WP_CONFIG" && \
   grep -q "define( *'DB_USER', '${DB_USER}' *);" "$WP_CONFIG" && \
   grep -q "define( *'DB_PASSWORD', '${DB_PASSWORD}' *);" "$WP_CONFIG"; then
    echo "wp-config.php updated successfully with new database credentials."
 else
    echo "Failed to update wp-config.php. Please check the file manually."
    exit 1
 fi
--- a/scripts/ssl-manager/ssl_manager.sh
+++ b/scripts/ssl-manager/ssl_manager.sh
@ -112,6 +112,20 @@ on_exit() {
 }
 trap 'rc=$?; SCRIPT_EXIT_STATUS=$rc; on_exit' EXIT
 install_acme_sh() {
    if ! command -v "$HOME/.acme.sh/acme.sh" &>/dev/null; then
        log "acme.sh not found. Installing..."
        if curl https://get.acme.sh | sh; then
            log_success "acme.sh installed successfully."
        else
            log_error "Failed to install acme.sh."
            SCRIPT_EXIT_STATUS=1; return 1
        fi
    else
        log "acme.sh is already installed."
    fi
 }
 check_command() {
    local cmd="$1"
    local pkg="$2"
@ -176,6 +190,44 @@ validate_http_access() {
    [[ "$(curl -s "http://$1/.well-known/acme-challenge/test-token")" == "$token" ]]
 }
 issue_certificate_dns() {
    local domain="$1"
    local bunny_api_key="$2"
    local email="$3"
    if [[ -z "$bunny_api_key" ]]; then
        log_error "BunnyDNS API key is required for DNS challenge."
        SCRIPT_EXIT_STATUS=1; return 1
    fi
    log "Issuing SSL certificate for domain '$domain' using DNS challenge..."
    export BUNNY_API_KEY="$bunny_api_key"
    # Use acme.sh to issue the certificate
    "$HOME/.acme.sh/acme.sh" --issue --dns dns_bunny -d "$domain" --accountemail "$email" || {
        log_error "Failed to issue certificate for '$domain' using DNS challenge."
        unset BUNNY_API_KEY
        SCRIPT_EXIT_STATUS=1; return 1
    }
    log_success "Certificate successfully issued for '$domain' using DNS challenge."
    # Install the certificate to the standard Let's Encrypt directory
    local cert_path="$CERT_DIR/$domain"
    sudo mkdir -p "$cert_path"
    "$HOME/.acme.sh/acme.sh" --install-cert -d "$domain" \
        --key-file       "$cert_path/privkey.pem" \
        --fullchain-file "$cert_path/fullchain.pem" \
        --reloadcmd      "sudo systemctl restart lsws" || {
        log_error "Failed to install certificate for '$domain'."
        unset BUNNY_API_KEY
        SCRIPT_EXIT_STATUS=1; return 1
    }
    log_success "Certificate successfully installed for '$domain'."
    unset BUNNY_API_KEY
 }
 issue_certificate() {
    if [[ -f "$CERT_DIR/$1/fullchain.pem" ]]; then
        log_success "Certificate already exists for '$1'. Skipping issuance."
@ -348,6 +400,8 @@ main() {
    log "Starting SSL Manager V2.0.4"
    # Parse parameters
    DNS_CHALLENGE=0
    BUNNY_API_KEY=""
    for arg in "$@"; do
        case $arg in
            --public-ip=*) PUBLIC_IP="${arg#*=}"; log_verbose "Set public IP: $PUBLIC_IP";;
@ -357,21 +411,32 @@ main() {
            --vhost=*) VHOST_NAME="${arg#*=}"; log_verbose "Set vhost name: $VHOST_NAME";;
            --verbose) VERBOSE=1; log "Verbose mode enabled";;
            --update-listener) UPDATE_LISTENER=1; log "Updating listener certificate to LE for $PRIMARY_DOMAIN";;
            --dns-challenge) DNS_CHALLENGE=1; log "DNS challenge mode enabled";;
            --bunny-api-key=*) BUNNY_API_KEY="${arg#*=}";;
            *) log_error "Invalid argument: $arg"; SCRIPT_EXIT_STATUS=1; exit 1;;
        esac
    done
-    [[ -z "$PRIMARY_DOMAIN" || -z "$PUBLIC_IP" || -z "$EMAIL" ]] && {
+    if [[ "$DNS_CHALLENGE" -eq 1 ]]; then
-        log_error "Missing required parameters. Provide --domains, --public-ip, and --email."
+        [[ -z "$PRIMARY_DOMAIN" || -z "$EMAIL" ]] && {
-        SCRIPT_EXIT_STATUS=1; exit 1
+            log_error "Missing required parameters for DNS challenge. Provide --domain and --email."
-    }
+            SCRIPT_EXIT_STATUS=1; exit 1
        }
    else
        [[ -z "$PRIMARY_DOMAIN" || -z "$PUBLIC_IP" || -z "$EMAIL" ]] && {
            log_error "Missing required parameters. Provide --domains, --public-ip, and --email."
            SCRIPT_EXIT_STATUS=1; exit 1
        }
    fi
    validate_domain "$PRIMARY_DOMAIN" || { log_error "Invalid domain '$PRIMARY_DOMAIN'"; SCRIPT_EXIT_STATUS=1; exit 1; }
    validate_ip "$PUBLIC_IP" || { log_error "Invalid IP '$PUBLIC_IP'"; SCRIPT_EXIT_STATUS=1; exit 1; }
    validate_email "$EMAIL" || { log_error "Invalid email '$EMAIL'"; SCRIPT_EXIT_STATUS=1; exit 1; }
-    validate_dns "$PRIMARY_DOMAIN" "$PUBLIC_IP" || { log_error "DNS validation failed"; SCRIPT_EXIT_STATUS=1; exit 1; }
+    if [[ "$DNS_CHALLENGE" -eq 0 ]]; then
-    validate_http_access "$PRIMARY_DOMAIN" || { log_error "HTTP access validation failed"; SCRIPT_EXIT_STATUS=1; exit 1; }
+        validate_ip "$PUBLIC_IP" || { log_error "Invalid IP '$PUBLIC_IP'"; SCRIPT_EXIT_STATUS=1; exit 1; }
        validate_dns "$PRIMARY_DOMAIN" "$PUBLIC_IP" || { log_error "DNS validation failed"; SCRIPT_EXIT_STATUS=1; exit 1; }
        validate_http_access "$PRIMARY_DOMAIN" || { log_error "HTTP access validation failed"; SCRIPT_EXIT_STATUS=1; exit 1; }
    fi
    log_verbose "Checking dependencies..."
    check_command xmllint libxml2
@ -381,9 +446,17 @@ main() {
    check_command curl curl
    check_command openssl openssl
    if [[ "$DNS_CHALLENGE" -eq 1 ]]; then
        install_acme_sh
    fi
    create_default_backup
    for domain in "${DOMAINS[@]}"; do
-        issue_certificate "$domain" "$EMAIL"
+        if [[ "$DNS_CHALLENGE" -eq 1 ]]; then
            issue_certificate_dns "$domain" "$BUNNY_API_KEY" "$EMAIL"
        else
            issue_certificate "$domain" "$EMAIL"
        fi
        update_httpd_config "$domain" "$PUBLIC_IP"
        cleanup_xml "$domain"
    done