tony
/
mb-admin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: tony:a0feb8d70d2098d4f4c59f5481e86cc584250557
Branches Tags
tony:main
..
compare: tony:a733c0697266709d9a26391ef9bcf2acfd64967e
Branches Tags
tony:main

2 Commits
a0feb8d70d ... a733c06972

Author SHA1 Message Date
Anthony a733c06972 Updated 2025-03-28 00:36:52 +08:00
Anthony 16768aa322 Optimize idempotent in editing httpd, also optimized listener 2025-03-28 00:26:05 +08:00
4 changed files with 707 additions and 406 deletions
Show Stats Expand all files Collapse all files

87
mbadmin.jps
View File

@ -1,6 +1,6 @@
type: update
id: mbadmin
version: '2.5'
version: '2.6'
name: MB Administration
description: Mighty Box Control Panel Administration
@ -34,6 +34,8 @@ onInstall:
- cd /home/litespeed/mbmanager/ssl-manager
- curl -OL https://deploy-proxy.mightybox.io/tony/mb-admin/raw/branch/main/scripts/ssl-manager/ssl_manager.sh
- curl -OL https://deploy-proxy.mightybox.io/tony/mb-admin/raw/branch/main/scripts/ssl-manager/ipchecker.sh
- curl -OL https://deploy-proxy.mightybox.io/tony/mb-admin/raw/branch/main/scripts/ssl-manager/ssl_remover.sh
- curl -OL https://deploy-proxy.mightybox.io/tony/mb-admin/raw/branch/main/scripts/ssl-manager/xmlchecker.sh
- chmod +x /home/litespeed/mbmanager/ssl-manager/*.sh
# Install Certbot for AlmaLinux
- dnf install -y certbot
@ -143,12 +145,6 @@ menu:
action: remove_ssl_cert
settings: sslRemoveConfig
successText: "${response.out}"
- confirmText: Are you sure you want to clean up certificate references?
loadingText: Cleaning certificate references...
caption: Clean Certificate References
action: clean_cert_references
settings: cleanCertConfig
successText: "Certificate references cleaned successfully for ${settings.domain}"
- confirmText: Are you sure you want to diagnose LiteSpeed configuration?
loadingText: Analyzing configuration...
caption: Diagnose LiteSpeed Config
@ -589,10 +585,10 @@ actions:
- cmd[cp]:
user: root
commands:
- bash /home/litespeed/mbmanager/ssl-manager/ssl_manager.sh --public-ip="${settings.public_ip}" --domain="${settings.domain}" --email="${settings.email}"
- bash /home/litespeed/mbmanager/ssl-manager/ssl_manager.sh --public-ip="${settings.public_ip}" --domain="${settings.domain}" --email="${settings.email}" --verbose
- return:
type: info
message: "SSL certificate for '${settings.domain}' has been issued successfully."
message: "SSL certificate issuance process completed."
check_domain_ip:
- cmd[cp]:
user: root
@ -605,82 +601,15 @@ actions:
- cmd[cp]:
user: root
commands:
- bash /home/litespeed/mbmanager/ssl-manager/ssl_remover.sh --domains="${settings.domains}" ${EMAIL:+--email="${EMAIL}"}
- bash /home/litespeed/mbmanager/ssl-manager/ssl_remover.sh --domains="${settings.domains}" --verbose ${EMAIL:+--email="${EMAIL}"}
- return:
type: info
message: "${response.out}"
message: "SSL certificate removal process completed."
diagnose_litespeed_config:
- cmd[cp]:
user: root
commands:
- |
CONF_FILE="/var/www/conf/httpd_config.xml"
echo "Analyzing LiteSpeed configuration tags..."
echo "-----------------------------------"
num_n=$(grep -c '<n>' "${CONF_FILE}")
num_n_close=$(grep -c '</n>' "${CONF_FILE}")
num_name=$(grep -c '<name>' "${CONF_FILE}")
num_name_close=$(grep -c '</name>' "${CONF_FILE}")
echo "Number of <n> tags: $num_n"
echo "Number of </n> tags: $num_n_close"
echo "Number of <name> tags: $num_name"
echo "Number of </name> tags: $num_name_close"
echo "-----------------------------------"
echo "First 5 instances of <n> tags:"
grep -n '<n>' "${CONF_FILE}" | head -5
echo "-----------------------------------"
echo "Testing sed command effectiveness:"
cp "${CONF_FILE}" /tmp/test_config.xml
sed -i 's#<n>#<name>#g' /tmp/test_config.xml
sed -i 's#</n>#</name>#g' /tmp/test_config.xml
new_num_n=$(grep -c '<n>' /tmp/test_config.xml)
new_num_n_close=$(grep -c '</n>' /tmp/test_config.xml)
echo "After sed, remaining <n> tags: $new_num_n"
echo "After sed, remaining </n> tags: $new_num_n_close"
echo "-----------------------------------"
- return:
type: info
message: "${response.out}"
clean_cert_references:
- cmd[cp]:
user: root
commands:
- |
DOMAIN="${settings.domain}"
CONF_FILE="/var/www/conf/httpd_config.xml"
BACKUP_FILE="${CONF_FILE}.bak.$(date +%Y%m%d%H%M%S)"
# Create backup
cp "${CONF_FILE}" "${BACKUP_FILE}"
echo "Created backup at ${BACKUP_FILE}"
# Clean up process
TEMP_FILE=$(mktemp)
awk -v domain="${DOMAIN}" '
BEGIN { in_listener = 0; is_shared = 0; }
/<listener>/ { in_listener = 1; print; next; }
in_listener && (/<name>HTTPS<\/name>/ || /<name>HTTPS-ipv6<\/name>/) {
is_shared = 1; print; next;
}
in_listener && is_shared && /<keyFile>.*live\/'"${DOMAIN}"'\/.*<\/keyFile>/ {
print " <keyFile>/var/www/conf/default.key</keyFile>"; next;
}
in_listener && is_shared && /<certFile>.*live\/'"${DOMAIN}"'\/.*<\/certFile>/ {
print " <certFile>/var/www/conf/default.crt</certFile>"; next;
}
/<\/listener>/ { in_listener = 0; is_shared = 0; print; next; }
{ print; }
' "${CONF_FILE}" > "${TEMP_FILE}"
if grep -q "<httpServerConfig>" "${TEMP_FILE}"; then
cat "${TEMP_FILE}" > "${CONF_FILE}"
rm -f "${TEMP_FILE}"
systemctl restart lsws
else
echo "ERROR: Invalid config generated"
rm -f "${TEMP_FILE}"
exit 1
fi
- bash /home/litespeed/mbmanager/ssl-manager/xmlchecker.sh --verbose
- return:
type: info
message: "${response.out}"

572
scripts/ssl-manager/ssl_manager.sh
View File

@ -3,285 +3,465 @@
# Script Name: ssl_manager.sh
# Description: Automates SSL certificate issuance and updates LiteSpeed's httpd_config.xml.
# Ensures robust backups, validation, and error-free updates.
# Version: 2.0.1 (Optimized and Error-Free)
# Author: Anthony Garces (tony@mightybox.io) | Gemini Assistance
# Version: 2.0.4 (Idempotent, Clean Exit Messages)
# Author: Anthony Garces (tony@mightybox.io)
# Date: 2025-03-26
# Exit Codes:
# 0: Success (certificate issued and configuration updated)
# 1: General Error (e.g., failed to issue certificate, XML validation failed)
# 2: Backup/Restore Error (e.g., failed to create or restore backup)
# 3: Restart Error (e.g., LiteSpeed service failed to restart)
# ==============================================================================
set -euo pipefail
# === Configuration ===
CONF_FILE="/var/www/conf/httpd_config.xml"
DEFAULT_CONF="/var/www/conf/httpd_config.default.xml"
SERVER_ROOT="/var/www"
LOG_DIR="/var/log/mb-ssl"
CERT_DIR="/etc/letsencrypt/live"
PUBLIC_IP="" # Placeholder for public IP address
DOMAINS=() # Placeholder for domains (array)
EMAIL="" # Placeholder for email address
PUBLIC_IP=""
DOMAINS=()
EMAIL=""
VERBOSE=0
# - Internal Variables -
BACKUP_FILE="${LOG_DIR}/httpd_config_backup_$(date +%Y%m%d%H%M%S).xml"
XML_ERROR_LOG="${LOG_DIR}/xml-edit-error.log"
SCRIPT_LOG="${LOG_DIR}/ssl_manager.log"
ERROR_LOG="${LOG_DIR}/ssl_manager-error.log"
DEBUG_LOG="${LOG_DIR}/ssl_manager-debug.log"
BACKUP_FILE="${LOG_DIR}/httpd_config_backup_$(date +%Y%m%d%H%M%S).xml"
SCRIPT_EXIT_STATUS=0
# === Cleanup Trap ===
trap 'log "Script interrupted. Cleaning up temporary files..."; sudo rm -f "$BACKUP_FILE"' EXIT
setup_logging() {
# Create log directory if it doesn't exist
sudo mkdir -p "$LOG_DIR" || { echo "❌ ERROR: Cannot create log directory '$LOG_DIR'. Check permissions."; exit 1; }
# Set proper permissions
sudo chown -R "$(whoami)":"$(id -gn)" "$LOG_DIR"
sudo chmod 755 "$LOG_DIR"
# Create log files with proper permissions
touch "$SCRIPT_LOG" "$ERROR_LOG" "$DEBUG_LOG"
chmod 644 "$SCRIPT_LOG" "$ERROR_LOG" "$DEBUG_LOG"
# Add log rotation if log files are too large (>10MB)
for log_file in "$SCRIPT_LOG" "$ERROR_LOG" "$DEBUG_LOG"; do
if [ -f "$log_file" ] && [ "$(stat -f%z "$log_file" 2>/dev/null || stat -c%s "$log_file")" -gt 10485760 ]; then
mv "$log_file" "${log_file}.$(date +%Y%m%d)"
touch "$log_file"
chmod 644 "$log_file"
gzip "${log_file}.$(date +%Y%m%d)"
fi
done
}
# === Functions ===
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | sudo tee -a "$SCRIPT_LOG"
local level="INFO"
local message="$1"
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
# Log to main log file
echo "[$timestamp] [$level] $message" | sudo tee -a "$SCRIPT_LOG"
# Log errors to error log file
if [[ "$message" == *"ERROR"* ]] || [[ "$message" == *"❌"* ]]; then
echo "[$timestamp] [$level] $message" | sudo tee -a "$ERROR_LOG"
fi
}
log_verbose() {
[[ "$VERBOSE" -eq 1 ]] && log "[VERBOSE] $1"
if [[ "$VERBOSE" -eq 1 ]]; then
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
echo "[$timestamp] [DEBUG] $1" | sudo tee -a "$DEBUG_LOG"
fi
}
log_error() {
local message="$1"
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
echo "[$timestamp] [ERROR] $message" | sudo tee -a "$ERROR_LOG" "$SCRIPT_LOG"
}
log_success() {
local message="$1"
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
echo "[$timestamp] [SUCCESS] $message" | sudo tee -a "$SCRIPT_LOG"
}
on_exit() {
if [[ $SCRIPT_EXIT_STATUS -ne 0 ]]; then
log_error "Script ended with error. Exit Code: $SCRIPT_EXIT_STATUS"
log_error "Backup file retained: $BACKUP_FILE"
else
sudo rm -f "$BACKUP_FILE"
log_success "Script completed successfully. Backup cleaned."
fi
exit $SCRIPT_EXIT_STATUS
}
trap 'on_exit' EXIT
check_command() {
local cmd="$1"
local apt_pkg="$2"
if ! command -v "$cmd" &>/dev/null; then
log "⚠ Required command '$cmd' not found. Attempting to install package '$apt_pkg'..."
log "Required command '$cmd' not found. Attempting to install package '$apt_pkg'..."
if sudo yum install -y "$apt_pkg"; then
log "✔ Successfully installed '$apt_pkg'."
log_success "Successfully installed '$apt_pkg'"
else
log "❌ ERROR: Failed to install '$apt_pkg'. Exiting."
exit 1
log_error "Failed to install '$apt_pkg'"
SCRIPT_EXIT_STATUS=1; return 1
fi
fi
}
validate_domain() {
local domain="$1"
if [[ "$domain" =~ ^([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}$ ]]; then
return 0
else
return 1
fi
}
validate_ip() {
local ip="$1"
if [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
return 0
else
return 1
fi
}
validate_email() {
local email="$1"
if [[ "$email" =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$ ]]; then
return 0
else
return 1
fi
}
validate_domain() { [[ "$1" =~ ^([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}$ ]]; }
validate_ip() { [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; }
validate_email() { [[ "$1" =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$ ]]; }
create_default_backup() {
if [[ ! -f "$DEFAULT_CONF" ]]; then
log "Creating initial backup of '$CONF_FILE' as '$DEFAULT_CONF'..."
if sudo cp -a "$CONF_FILE" "$DEFAULT_CONF"; then
log "✔ Initial backup created: '$DEFAULT_CONF'."
sudo cp -a "$CONF_FILE" "$DEFAULT_CONF" || {
log_error "FATAL: Failed to create initial backup '$DEFAULT_CONF'"
SCRIPT_EXIT_STATUS=2; return 1
}
log_success "Created initial backup successfully"
else
log "❌ FATAL: Failed to create initial backup '$DEFAULT_CONF'. Exiting."
exit 2
fi
else
log "Info: Default backup '$DEFAULT_CONF' already exists. Skipping creation."
log "Default backup '$DEFAULT_CONF' already exists. Skipping creation."
fi
}
validate_xml() {
local file_to_validate="$1"
log_verbose "Validating XML structure of '$file_to_validate'..."
if sudo xmllint --noout "$file_to_validate" 2>/dev/null; then
log_verbose "✔ XML structure of '$file_to_validate' is valid."
return 0
else
log "❌ ERROR: XML structure of '$file_to_validate' is invalid."
log_verbose "Validating XML structure of '$1'..."
sudo xmllint --noout "$1" 2>/dev/null || {
log_error "Invalid XML structure in '$1'"
SCRIPT_EXIT_STATUS=1
return 1
fi
}
log_verbose "XML validation passed for '$1'"
}
validate_dns() {
local domain="$1"
local expected_ip="$2"
log "Validating DNS resolution for '$domain'..."
local resolved_ip
resolved_ip=$(dig +short "$domain" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -n1)
if [[ "$resolved_ip" == "$expected_ip" ]]; then
log "✔ Domain '$domain' resolves to the expected IP '$expected_ip'."
return 0
else
log "❌ ERROR: Domain '$domain' does NOT resolve to the expected IP ('$expected_ip'). Resolved to '$resolved_ip'."
return 1
fi
resolved_ip=$(dig +short "$1" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -n1)
[[ "$resolved_ip" == "$2" ]]
}
validate_http_access() {
local domain="$1"
log "Validating HTTP access for '$domain'..."
local token
token=$(openssl rand -hex 16)
echo "$token" > "/var/www/webroot/ROOT/.well-known/acme-challenge/test-token"
local response
response=$(curl -s "http://$domain/.well-known/acme-challenge/test-token")
if [[ "$response" == "$token" ]]; then
log "✔ HTTP access verified for '$domain'."
return 0
else
log "❌ ERROR: HTTP access check failed for '$domain'. Response: '$response'."
return 1
fi
[[ "$(curl -s "http://$1/.well-known/acme-challenge/test-token")" == "$token" ]]
}
issue_certificate() {
local domain="$1"
local email="$2"
log "Issuing SSL certificate for domain '$domain' with email '$email'..."
if sudo certbot certonly --standalone --preferred-challenges http -d "$domain" --non-interactive --agree-tos --email "$email"; then
log "✔ SSL certificate issued successfully for '$domain'."
else
log "❌ ERROR: Failed to issue SSL certificate for '$domain'."
exit 1
if [[ -f "$CERT_DIR/$1/fullchain.pem" ]]; then
log_success "Certificate already exists for '$1'. Skipping issuance."
return
fi
log "Issuing SSL certificate for domain '$1' with email '$2'..."
sudo certbot certonly --standalone --preferred-challenges http -d "$1" --non-interactive --agree-tos --email "$2" || {
log_error "Failed to issue certificate for '$1'"
SCRIPT_EXIT_STATUS=1; return 1
}
log_success "Certificate successfully issued for '$1'"
}
update_httpd_config() {
local domain="$1"
local ip="$2"
log "Updating httpd_config.xml for domain '$domain' with IP '$ip'..."
local listener_name="HTTPS-$domain"
local vhost_name="Jelastic"
# Create a backup of the current configuration
log "Creating timestamped backup of '$CONF_FILE' as '$BACKUP_FILE'..."
if sudo cp -a "$CONF_FILE" "$BACKUP_FILE"; then
log "✔ Backup created: '$BACKUP_FILE'."
else
log "❌ ERROR: Failed to create backup of '$CONF_FILE'. Exiting."
exit 2
log "Checking if listener exists for '$listener_name'..."
local existing
existing=$(xmlstarlet sel -t -v "/httpServerConfig/listenerList/listener[name='$listener_name']/name" "$CONF_FILE" 2>/dev/null || true)
if [[ -n "$existing" ]]; then
log "Listener '$listener_name' already exists. Checking for vhost mapping..."
local vhost_map_exists
vhost_map_exists=$(xmlstarlet sel -t -v "/httpServerConfig/listenerList/listener[name='$listener_name']/vhostMapList/vhostMap/domain" "$CONF_FILE" 2>/dev/null || true)
if [[ -z "$vhost_map_exists" ]]; then
log "Adding vhostMapList to existing listener for '$listener_name'..."
sudo cp -a "$CONF_FILE" "$BACKUP_FILE"
# Create a temporary XML file with the new vhostMapList
local temp_xml=$(mktemp)
cat > "$temp_xml" << EOF
<?xml version="1.0"?>
<vhostMapList>
<vhostMap>
<vhost>$vhost_name</vhost>
<domain>$domain</domain>
</vhostMap>
</vhostMapList>
EOF
# First validate the temporary XML
if ! xmllint --noout "$temp_xml" 2>/dev/null; then
log_error "Invalid temporary XML structure"
rm -f "$temp_xml"
SCRIPT_EXIT_STATUS=1
return 1
fi
# Update the listener configuration using xmlstarlet
log "Adding listener for domain '$domain' with IP '$ip'..."
# Insert the vhostMapList into the existing listener
sudo xmlstarlet ed -L \
-s "//listenerList" -t elem -n "listener" \
-s "//listener[last()]" -t elem -n "name" -v "$domain" \
-s "//listener[last()]" -t elem -n "address" -v "$ip:443" \
-s "//listener[last()]" -t elem -n "secure" -v "1" \
-s "//listener[last()]" -t elem -n "keyFile" -v "/etc/letsencrypt/live/$domain/privkey.pem" \
-s "//listener[last()]" -t elem -n "certFile" -v "/etc/letsencrypt/live/$domain/fullchain.pem" \
"$CONF_FILE"
-i "/httpServerConfig/listenerList/listener[name='$listener_name']" \
-t elem -n "vhostMapList" \
-v "$(xmlstarlet sel -t -c "//vhostMapList/*" "$temp_xml")" \
"$CONF_FILE" || {
rm -f "$temp_xml"
log_error "Failed to insert vhostMapList"
SCRIPT_EXIT_STATUS=1
return 1
}
# Validate the updated configuration
if validate_xml "$CONF_FILE"; then
log "✔ Updated configuration is valid."
else
log "❌ ERROR: Updated configuration is invalid. Restoring backup..."
rm -f "$temp_xml"
# Validate the modified config
if ! xmllint --noout "$CONF_FILE" 2>/dev/null; then
log_error "Invalid XML structure after modification. Restoring backup..."
sudo cp -a "$BACKUP_FILE" "$CONF_FILE"
log "✔ Backup restored: '$CONF_FILE'."
exit 1
SCRIPT_EXIT_STATUS=1
return 1
fi
log_success "Successfully added vhostMapList to existing listener"
else
log_success "vhostMap already present. No update needed."
fi
return
fi
log "Updating httpd_config.xml for domain '$domain' with IP '$ip'..."
sudo cp -a "$CONF_FILE" "$BACKUP_FILE"
# Create a temporary XML file with the new listener configuration
local temp_xml=$(mktemp)
cat > "$temp_xml" << EOF
<?xml version="1.0"?>
<listener>
<name>$listener_name</name>
<address>*:443</address>
<secure>1</secure>
<keyFile>/etc/letsencrypt/live/$domain/privkey.pem</keyFile>
<certFile>/etc/letsencrypt/live/$domain/fullchain.pem</certFile>
<vhostMapList>
<vhostMap>
<vhost>$vhost_name</vhost>
<domain>$domain</domain>
</vhostMap>
</vhostMapList>
</listener>
EOF
# First validate the temporary XML
if ! xmllint --noout "$temp_xml" 2>/dev/null; then
log_error "Invalid temporary XML structure"
rm -f "$temp_xml"
SCRIPT_EXIT_STATUS=1
return 1
fi
# Insert the new listener into the configuration using a different approach
sudo xmlstarlet ed -L \
-s "//listenerList" \
-t elem -n "listener" \
"$CONF_FILE" || {
rm -f "$temp_xml"
log_error "Failed to create new listener element"
SCRIPT_EXIT_STATUS=1
return 1
}
# Now add each element individually
sudo xmlstarlet ed -L \
-s "//listenerList/listener[last()]" \
-t elem -n "name" \
-v "$listener_name" \
"$CONF_FILE" || {
rm -f "$temp_xml"
log_error "Failed to add name element"
SCRIPT_EXIT_STATUS=1
return 1
}
sudo xmlstarlet ed -L \
-s "//listenerList/listener[last()]" \
-t elem -n "address" \
-v "*:443" \
"$CONF_FILE" || {
rm -f "$temp_xml"
log_error "Failed to add address element"
SCRIPT_EXIT_STATUS=1
return 1
}
sudo xmlstarlet ed -L \
-s "//listenerList/listener[last()]" \
-t elem -n "secure" \
-v "1" \
"$CONF_FILE" || {
rm -f "$temp_xml"
log_error "Failed to add secure element"
SCRIPT_EXIT_STATUS=1
return 1
}
sudo xmlstarlet ed -L \
-s "//listenerList/listener[last()]" \
-t elem -n "keyFile" \
-v "/etc/letsencrypt/live/$domain/privkey.pem" \
"$CONF_FILE" || {
rm -f "$temp_xml"
log_error "Failed to add keyFile element"
SCRIPT_EXIT_STATUS=1
return 1
}
sudo xmlstarlet ed -L \
-s "//listenerList/listener[last()]" \
-t elem -n "certFile" \
-v "/etc/letsencrypt/live/$domain/fullchain.pem" \
"$CONF_FILE" || {
rm -f "$temp_xml"
log_error "Failed to add certFile element"
SCRIPT_EXIT_STATUS=1
return 1
}
# Add vhostMapList and its children
sudo xmlstarlet ed -L \
-s "//listenerList/listener[last()]" \
-t elem -n "vhostMapList" \
"$CONF_FILE" || {
rm -f "$temp_xml"
log_error "Failed to add vhostMapList element"
SCRIPT_EXIT_STATUS=1
return 1
}
sudo xmlstarlet ed -L \
-s "//listenerList/listener[last()]/vhostMapList" \
-t elem -n "vhostMap" \
"$CONF_FILE" || {
rm -f "$temp_xml"
log_error "Failed to add vhostMap element"
SCRIPT_EXIT_STATUS=1
return 1
}
sudo xmlstarlet ed -L \
-s "//listenerList/listener[last()]/vhostMapList/vhostMap" \
-t elem -n "vhost" \
-v "$vhost_name" \
"$CONF_FILE" || {
rm -f "$temp_xml"
log_error "Failed to add vhost element"
SCRIPT_EXIT_STATUS=1
return 1
}
sudo xmlstarlet ed -L \
-s "//listenerList/listener[last()]/vhostMapList/vhostMap" \
-t elem -n "domain" \
-v "$domain" \
"$CONF_FILE" || {
rm -f "$temp_xml"
log_error "Failed to add domain element"
SCRIPT_EXIT_STATUS=1
return 1
}
rm -f "$temp_xml"
# Validate the modified config
if ! xmllint --noout "$CONF_FILE" 2>/dev/null; then
log_error "Invalid XML structure after modification. Restoring backup..."
sudo cp -a "$BACKUP_FILE" "$CONF_FILE"
SCRIPT_EXIT_STATUS=1
return 1
fi
log_success "Listener + vhostMap added for '$listener_name'"
}
cleanup_xml() {
local domain="$1"
log "Cleaning up XML structure..."
sudo cp -a "$CONF_FILE" "$BACKUP_FILE"
# Remove any incorrectly placed vhostMapList elements
sudo xmlstarlet ed -L \
-d "//listenerList/vhostMapList[not(parent::listener)]" \
"$CONF_FILE" || {
log_error "Failed to clean up XML structure"
SCRIPT_EXIT_STATUS=1
return 1
}
# Validate the cleaned config
if ! xmllint --noout "$CONF_FILE" 2>/dev/null; then
log_error "Invalid XML structure after cleanup. Restoring backup..."
sudo cp -a "$BACKUP_FILE" "$CONF_FILE"
SCRIPT_EXIT_STATUS=1
return 1
fi
log_success "XML structure cleaned up successfully"
}
restart_litespeed() {
log "Restarting LiteSpeed server..."
if sudo systemctl restart lsws; then
log "✔ LiteSpeed server restarted successfully."
else
log "❌ ERROR: Failed to restart LiteSpeed server. Restoring backup..."
sudo systemctl restart lsws || {
log_error "Failed to restart LiteSpeed. Restoring backup..."
sudo cp -a "$BACKUP_FILE" "$CONF_FILE"
log "✔ Backup restored: '$CONF_FILE'."
exit 3
fi
SCRIPT_EXIT_STATUS=3
return 1
}
log_success "LiteSpeed server restarted successfully"
}
# === Main Script Logic ===
log "Starting SSL Manager V2.0.1..."
main() {
# Setup logging first
setup_logging
log "Starting SSL Manager V2.0.4"
# Ensure log directory exists
sudo mkdir -p "$LOG_DIR" || { log "❌ ERROR: Cannot create log directory '$LOG_DIR'. Check permissions."; exit 1; }
sudo touch "$SCRIPT_LOG" "$XML_ERROR_LOG"
sudo chown "$(whoami)":"$(id -gn)" "$SCRIPT_LOG" "$XML_ERROR_LOG" 2>/dev/null || log_verbose "Info: Could not change ownership of log files (may require sudo)."
# Argument Parsing
for arg in "$@"; do
# Parse parameters
for arg in "$@"; do
case $arg in
--public-ip=*)
PUBLIC_IP="${arg#*=}"
;;
--domains=*)
IFS=',' read -ra DOMAINS <<< "${arg#*=}"
PRIMARY_DOMAIN="${DOMAINS[0]}"
;;
--email=*)
EMAIL="${arg#*=}"
;;
--verbose)
VERBOSE=1
log "Verbose mode enabled."
;;
*)
log "Invalid argument: $arg"
exit 1
;;
--public-ip=*) PUBLIC_IP="${arg#*=}"; log_verbose "Set public IP: $PUBLIC_IP";;
--domain=*) PRIMARY_DOMAIN="${arg#*=}"; DOMAINS=("$PRIMARY_DOMAIN"); log_verbose "Set primary domain: $PRIMARY_DOMAIN";;
--domains=*) IFS=',' read -ra DOMAINS <<< "${arg#*=}"; PRIMARY_DOMAIN="${DOMAINS[0]}"; log_verbose "Set domains: ${DOMAINS[*]}";;
--email=*) EMAIL="${arg#*=}"; log_verbose "Set email: $EMAIL";;
--verbose) VERBOSE=1; log "Verbose mode enabled";;
*) log_error "Invalid argument: $arg"; SCRIPT_EXIT_STATUS=1; exit 1;;
esac
done
done
# Input Validation
if [[ -z "$PRIMARY_DOMAIN" || -z "$PUBLIC_IP" || -z "$EMAIL" ]]; then
log "❌ ERROR: Missing required parameters. Provide --domains, --public-ip, and --email."
exit 1
fi
[[ -z "$PRIMARY_DOMAIN" || -z "$PUBLIC_IP" || -z "$EMAIL" ]] && {
log_error "Missing required parameters. Provide --domains, --public-ip, and --email."
SCRIPT_EXIT_STATUS=1; exit 1
}
if ! validate_domain "$PRIMARY_DOMAIN"; then
log "❌ ERROR: Invalid domain '$PRIMARY_DOMAIN'."
exit 1
fi
validate_domain "$PRIMARY_DOMAIN" || { log_error "Invalid domain '$PRIMARY_DOMAIN'"; SCRIPT_EXIT_STATUS=1; exit 1; }
validate_ip "$PUBLIC_IP" || { log_error "Invalid IP '$PUBLIC_IP'"; SCRIPT_EXIT_STATUS=1; exit 1; }
validate_email "$EMAIL" || { log_error "Invalid email '$EMAIL'"; SCRIPT_EXIT_STATUS=1; exit 1; }
if ! validate_ip "$PUBLIC_IP"; then
log "❌ ERROR: Invalid IP address '$PUBLIC_IP'."
exit 1
fi
validate_dns "$PRIMARY_DOMAIN" "$PUBLIC_IP" || { log_error "DNS validation failed"; SCRIPT_EXIT_STATUS=1; exit 1; }
validate_http_access "$PRIMARY_DOMAIN" || { log_error "HTTP access validation failed"; SCRIPT_EXIT_STATUS=1; exit 1; }
if ! validate_email "$EMAIL"; then
log "❌ ERROR: Invalid email address '$EMAIL'."
exit 1
fi
log_verbose "Checking dependencies..."
check_command xmllint libxml2-utils
check_command xmlstarlet xmlstarlet
check_command certbot certbot
# Validate DNS and HTTP Access
if ! validate_dns "$PRIMARY_DOMAIN" "$PUBLIC_IP"; then
log "❌ ERROR: DNS validation failed. Exiting."
exit 1
fi
create_default_backup
issue_certificate "$PRIMARY_DOMAIN" "$EMAIL"
if ! validate_http_access "$PRIMARY_DOMAIN"; then
log "❌ ERROR: HTTP access validation failed. Exiting."
exit 1
fi
for domain in "${DOMAINS[@]}"; do
update_httpd_config "$domain" "$PUBLIC_IP"
cleanup_xml "$domain"
done
# Dependency Checks
log_verbose "Checking dependencies..."
check_command "xmllint" "libxml2-utils"
check_command "xmlstarlet" "xmlstarlet"
check_command "certbot" "certbot"
restart_litespeed
# Create Default Backup
create_default_backup
log_success "SSL Manager completed successfully"
SCRIPT_EXIT_STATUS=0
}
# Issue SSL Certificate
issue_certificate "$PRIMARY_DOMAIN" "$EMAIL"
# Update httpd_config.xml
update_httpd_config "$PRIMARY_DOMAIN" "$PUBLIC_IP"
# Restart LiteSpeed
restart_litespeed
log "✅ SSL Manager completed successfully. Certificate issued and configuration updated."
exit 0
# === Entry Point ===
main "$@"

162
scripts/ssl-manager/ssl_remover.sh
View File

@ -4,7 +4,7 @@
# Description: Removes SSL certificates and cleans up LiteSpeed configurations.
# Ensures safe removal of listeners, virtual hosts, and certificates.
# Version: 2.0.0 (Professional-Grade Optimized)
# Author: Gemini (Based on user request and feedback)
# Author: Anthony Garces (tony@mightybox.io)
# Date: 2025-03-26
# Exit Codes:
# 0: Success (SSL removed and configuration cleaned up)
@ -20,15 +20,65 @@ BACKUP_DIR="/var/www/conf/backups"
LOG_DIR="/var/log/mb-ssl"
CERT_DIR="/etc/letsencrypt/live"
SCRIPT_LOG="${LOG_DIR}/ssl-remover.log"
ERROR_LOG="${LOG_DIR}/ssl-remover-error.log"
DEBUG_LOG="${LOG_DIR}/ssl-remover-debug.log"
VERBOSE=0
# === Functions ===
setup_logging() {
# Create log directory if it doesn't exist
sudo mkdir -p "$LOG_DIR" || { echo "❌ ERROR: Cannot create log directory '$LOG_DIR'. Check permissions."; exit 1; }
# Set proper permissions
sudo chown -R "$(whoami)":"$(id -gn)" "$LOG_DIR"
sudo chmod 755 "$LOG_DIR"
# Create log files with proper permissions
touch "$SCRIPT_LOG" "$ERROR_LOG" "$DEBUG_LOG"
chmod 644 "$SCRIPT_LOG" "$ERROR_LOG" "$DEBUG_LOG"
# Add log rotation if log files are too large (>10MB)
for log_file in "$SCRIPT_LOG" "$ERROR_LOG" "$DEBUG_LOG"; do
if [ -f "$log_file" ] && [ "$(stat -f%z "$log_file" 2>/dev/null || stat -c%s "$log_file")" -gt 10485760 ]; then
mv "$log_file" "${log_file}.$(date +%Y%m%d)"
touch "$log_file"
chmod 644 "$log_file"
gzip "${log_file}.$(date +%Y%m%d)"
fi
done
}
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$SCRIPT_LOG"
local level="INFO"
local message="$1"
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
# Log to main log file
echo "[$timestamp] [$level] $message" | tee -a "$SCRIPT_LOG"
# Log errors to error log file
if [[ "$message" == *"ERROR"* ]] || [[ "$message" == *"❌"* ]]; then
echo "[$timestamp] [$level] $message" >> "$ERROR_LOG"
fi
}
log_verbose() {
[[ "$VERBOSE" -eq 1 ]] && log "[VERBOSE] $1"
if [[ "$VERBOSE" -eq 1 ]]; then
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
echo "[$timestamp] [DEBUG] $1" | tee -a "$DEBUG_LOG"
fi
}
log_error() {
local message="$1"
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
echo "[$timestamp] [ERROR] $message" | tee -a "$ERROR_LOG" "$SCRIPT_LOG"
}
log_success() {
local message="$1"
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
echo "[$timestamp] [SUCCESS] $message" | tee -a "$SCRIPT_LOG"
}
send_email() {
@ -80,12 +130,15 @@ remove_certificate() {
log "Checking for certificate for domain '$domain'..."
if certbot certificates | grep -q "Domains: $domain"; then
log "Removing certificate for '$domain'..."
log "Found certificate for '$domain'. Proceeding with removal..."
if certbot delete --cert-name "$domain" --non-interactive; then
# Remove all certificate files
rm -rf "/etc/letsencrypt/live/$domain"*
log "Certificate successfully removed for '$domain'."
rm -rf "/etc/letsencrypt/archive/$domain"*
log_success "Certificate successfully removed for '$domain'"
log_verbose "Removed certificate files from /etc/letsencrypt/live/$domain and /etc/letsencrypt/archive/$domain"
else
log "❌ ERROR: Failed to remove certificate for '$domain'."
log_error "Failed to remove certificate for '$domain'"
return 1
fi
else
@ -95,28 +148,56 @@ remove_certificate() {
cleanup_listeners() {
local domain="$1"
log "Cleaning up listeners and configurations for '$domain'..."
local listener_name="HTTPS-$domain"
log "Starting cleanup for listener '$listener_name'..."
# Remove listener for the domain
sudo xmlstarlet ed -L \
-d "//listener[name='HTTPS-$domain']" \
"$CONF_FILE"
# First backup the config
local backup_file="${BACKUP_DIR}/httpd_config.pre-removal-$(date +%Y%m%d%H%M%S).xml"
cp "$CONF_FILE" "$backup_file" || {
log_error "Failed to create backup before cleanup"
return 1
}
log_verbose "Created backup at: $backup_file"
# Remove vhostMap entries
# Remove the entire listener element with all its children
sudo xmlstarlet ed -L \
-d "//vhostMap[domain='$domain']" \
"$CONF_FILE"
-d "//listenerList/listener[name='$listener_name']" \
"$CONF_FILE" || {
log_error "Failed to remove listener '$listener_name'"
cp "$backup_file" "$CONF_FILE"
return 1
}
log_verbose "Removed listener element: $listener_name"
# Remove related virtual host
local vhost_name="${domain//./_}"
sudo xmlstarlet ed -L \
-d "//virtualHost[name='$vhost_name']" \
"$CONF_FILE"
# Validate XML after removal
if ! xmllint --noout "$CONF_FILE" 2>/dev/null; then
log_error "Invalid XML structure after listener removal. Restoring backup..."
cp "$backup_file" "$CONF_FILE"
return 1
fi
log_verbose "XML validation passed after listener removal"
# Cleanup empty listenerList tags
# Clean up any orphaned vhostMapList elements
sudo xmlstarlet ed -L \
-d "//listenerList[count(*)=0]" \
"$CONF_FILE"
-d "//vhostMapList[not(parent::listener)]" \
"$CONF_FILE" || {
log_error "Failed to clean up orphaned vhostMapList"
cp "$backup_file" "$CONF_FILE"
return 1
}
log_verbose "Cleaned up orphaned vhostMapList elements"
# Validate XML after cleanup
if ! xmllint --noout "$CONF_FILE" 2>/dev/null; then
log_error "Invalid XML structure after cleanup. Restoring backup..."
cp "$backup_file" "$CONF_FILE"
return 1
fi
log_verbose "XML validation passed after cleanup"
log_success "Successfully removed listener '$listener_name' and cleaned up XML structure"
rm -f "$backup_file"
return 0
}
validate_xml() {
@ -144,21 +225,27 @@ main() {
declare -a DOMAINS
EMAIL=""
# Setup logging first
setup_logging
log "Starting SSL Removal Process"
# Parse parameters
while [[ $# -gt 0 ]]; do
case "$1" in
--domains=*)
IFS=',' read -ra DOMAINS <<< "${1#*=}"
log_verbose "Parsed domains: ${DOMAINS[*]}"
;;
--email=*)
EMAIL="${1#*=}"
log_verbose "Set email notification to: $EMAIL"
;;
--verbose)
VERBOSE=1
log "Verbose mode enabled."
log "Verbose mode enabled"
;;
*)
log "Invalid parameter: $1"
log_error "Invalid parameter: $1"
exit 1
;;
esac
@ -167,40 +254,39 @@ main() {
# Validate input
if [[ ${#DOMAINS[@]} -eq 0 ]]; then
log "❌ ERROR: --domains parameter is required."
log_error "--domains parameter is required"
exit 1
fi
# Ensure log directory exists
mkdir -p "$LOG_DIR" || { log "❌ ERROR: Cannot create log directory '$LOG_DIR'. Check permissions."; exit 1; }
touch "$SCRIPT_LOG"
chmod 0644 "$SCRIPT_LOG"
# Backup configuration
backup_config
# Process each domain
for domain in "${DOMAINS[@]}"; do
log "Processing domain: $domain"
# Validate domain format
if ! validate_domain "$domain"; then
log "❌ ERROR: Invalid domain '$domain'. Skipping."
log_error "Invalid domain '$domain'. Skipping."
continue
fi
# Remove certificate
remove_certificate "$domain"
# Remove certificate first
if ! remove_certificate "$domain"; then
log "⚠ Warning: Failed to remove certificate for '$domain'. Continuing with cleanup..."
fi
# Clean up listeners and configurations
cleanup_listeners "$domain"
if ! cleanup_listeners "$domain"; then
log_error "Failed to clean up listeners for '$domain'"
continue
fi
done
# Validate XML configuration
# Validate final XML configuration
if validate_xml; then
restart_litespeed
log_success "SSL Removal completed successfully for domains: ${DOMAINS[*]}"
send_email "SSL Removal Complete" "Successfully removed SSL for domains: ${DOMAINS[*]}"
else
log_error "SSL removed but configuration validation failed for domains: ${DOMAINS[*]}"
send_email "SSL Removal Warning" "SSL removed but configuration validation failed for domains: ${DOMAINS[*]}"
exit 1
fi

250
scripts/ssl-manager/xmlchecker.sh
View File

@ -22,13 +22,19 @@ SERVER_ROOT="/var/www" # Server root directory
LOG_DIR="/var/log/mb-ssl" # Log directory
MAJOR_CHANGE_THRESHOLD=20 # Lines changed to trigger "major recovery" warning
# Log files
SCRIPT_LOG="${LOG_DIR}/xmlchecker.log"
ERROR_LOG="${LOG_DIR}/xmlchecker-error.log"
DEBUG_LOG="${LOG_DIR}/xmlchecker-debug.log"
BACKUP_FILE="${LOG_DIR}/httpd_config_$(date +%Y%m%d_%H%M%S).bak" # Timestamped backup
# SSL Remover script path
SSL_REMOVER="/home/litespeed/mbmanager/ssl-manager/ssl_remover.sh"
# - Internal Variables -
TMP_FILE="/tmp/test_config_$(date +%s).xml" # Temporary copy of original/cleaned file
RECOVERY_TMP_FILE="/tmp/recovery_test_config_$(date +%s).xml" # Holds output of xmllint --recover
MINIMAL_TMP="/tmp/minimal_config_$(date +%s).xml" # Temporary minimal config file
BACKUP_FILE="${LOG_DIR}/httpd_config_$(date +%Y%m%d_%H%M%S).bak" # Timestamped backup
XML_ERROR_LOG="${LOG_DIR}/xml-parse-error.log"
SCRIPT_LOG="${LOG_DIR}/config_fixer.log"
VERBOSE=0
INITIAL_FILE_VALID=0 # Flag: 1 if CONF_FILE was valid before fixes
RECOVERY_PRODUCED_VALID_XML=0 # Flag: 1 if xmllint --recover output was valid XML
@ -39,12 +45,60 @@ APPLIED_CONFIG_SOURCE="none" # Tracks what was finally applied
trap 'log "Script interrupted. Cleaning up temporary files..."; sudo rm -f "$TMP_FILE" "$RECOVERY_TMP_FILE" "$MINIMAL_TMP"' EXIT
# === Functions ===
setup_logging() {
# Create log directory if it doesn't exist
sudo mkdir -p "$LOG_DIR" || { echo "❌ ERROR: Cannot create log directory '$LOG_DIR'. Check permissions."; exit 1; }
# Set proper permissions
sudo chown -R "$(whoami)":"$(id -gn)" "$LOG_DIR"
sudo chmod 755 "$LOG_DIR"
# Create log files with proper permissions
touch "$SCRIPT_LOG" "$ERROR_LOG" "$DEBUG_LOG"
chmod 644 "$SCRIPT_LOG" "$ERROR_LOG" "$DEBUG_LOG"
# Add log rotation if log files are too large (>10MB)
for log_file in "$SCRIPT_LOG" "$ERROR_LOG" "$DEBUG_LOG"; do
if [ -f "$log_file" ] && [ "$(stat -f%z "$log_file" 2>/dev/null || stat -c%s "$log_file")" -gt 10485760 ]; then
mv "$log_file" "${log_file}.$(date +%Y%m%d)"
touch "$log_file"
chmod 644 "$log_file"
gzip "${log_file}.$(date +%Y%m%d)"
fi
done
}
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | sudo tee -a "$SCRIPT_LOG"
local level="INFO"
local message="$1"
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
# Log to main log file
echo "[$timestamp] [$level] $message" | sudo tee -a "$SCRIPT_LOG"
# Log errors to error log file
if [[ "$message" == *"ERROR"* ]] || [[ "$message" == *"❌"* ]]; then
echo "[$timestamp] [$level] $message" | sudo tee -a "$ERROR_LOG"
fi
}
log_verbose() {
[[ "$VERBOSE" -eq 1 ]] && log "[VERBOSE] $1"
if [[ "$VERBOSE" -eq 1 ]]; then
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
echo "[$timestamp] [DEBUG] $1" | sudo tee -a "$DEBUG_LOG"
fi
}
log_error() {
local message="$1"
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
echo "[$timestamp] [ERROR] $message" | sudo tee -a "$ERROR_LOG" "$SCRIPT_LOG"
}
log_success() {
local message="$1"
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
echo "[$timestamp] [SUCCESS] $message" | sudo tee -a "$SCRIPT_LOG"
}
check_command() {
@ -61,6 +115,70 @@ check_command() {
fi
}
validate_listener_certificates() {
local file_to_check="$1"
log "Validating listener certificates in '$file_to_check'..."
local invalid_listeners=()
# Get all HTTPS listeners
local listeners
listeners=$(sudo xmlstarlet sel -Q -t -v "//listenerList/listener[contains(name, 'HTTPS-')]/name" "$file_to_check" 2>/dev/null || echo "")
for listener in $listeners; do
local domain="${listener#HTTPS-}"
local key_file=$(sudo xmlstarlet sel -Q -t -v "//listenerList/listener[name='$listener']/keyFile" "$file_to_check" 2>/dev/null || echo "")
local cert_file=$(sudo xmlstarlet sel -Q -t -v "//listenerList/listener[name='$listener']/certFile" "$file_to_check" 2>/dev/null || echo "")
# Check if certificate files exist
if [[ ! -f "$key_file" ]] || [[ ! -f "$cert_file" ]]; then
log "⚠ Found invalid listener '$listener' with missing certificate files"
log_verbose "Key file missing: $key_file"
log_verbose "Cert file missing: $cert_file"
invalid_listeners+=("$domain")
fi
# Check if certificate is still valid
if [[ -f "$cert_file" ]]; then
local cert_expiry
cert_expiry=$(openssl x509 -enddate -noout -in "$cert_file" | cut -d= -f2)
local expiry_date
expiry_date=$(date -d "$cert_expiry" +%s)
local current_date
current_date=$(date +%s)
if [[ $expiry_date -lt $current_date ]]; then
log "⚠ Found expired certificate for listener '$listener'"
log_verbose "Certificate expired on: $cert_expiry"
invalid_listeners+=("$domain")
fi
fi
done
# If we found invalid listeners, clean them up
if [[ ${#invalid_listeners[@]} -gt 0 ]]; then
log "Found ${#invalid_listeners[@]} invalid listener(s). Cleaning up..."
for domain in "${invalid_listeners[@]}"; do
log "Cleaning up invalid listener for domain: $domain"
if [[ -f "$SSL_REMOVER" ]]; then
log "Running SSL remover for domain: $domain"
sudo bash "$SSL_REMOVER" --domains="$domain" --verbose || {
log_error "Failed to clean up invalid listener for domain: $domain"
}
else
log_error "SSL remover script not found at: $SSL_REMOVER"
# Fallback to manual cleanup
sudo xmlstarlet ed -L \
-d "//listenerList/listener[name='HTTPS-$domain']" \
"$file_to_check" || {
log_error "Failed to remove invalid listener for domain: $domain"
}
fi
done
fi
return ${#invalid_listeners[@]}
}
perform_semantic_checks() {
local file_to_check="$1"
log_verbose "Performing semantic checks on '$file_to_check'..."
@ -68,41 +186,25 @@ perform_semantic_checks() {
# Check for critical elements
if ! sudo xmlstarlet sel -t -c "//virtualHostList" "$file_to_check" &>/dev/null; then
log "Warning: <virtualHostList> is missing in '$file_to_check'."
log_error "Missing <virtualHostList> in '$file_to_check'"
semantic_errors=$((semantic_errors + 1))
fi
if ! sudo xmlstarlet sel -t -c "//listenerList" "$file_to_check" &>/dev/null; then
log "Warning: <listenerList> is missing in '$file_to_check'."
log_error "Missing <listenerList> in '$file_to_check'"
semantic_errors=$((semantic_errors + 1))
fi
# Validate listener certificates
local listeners
listeners=$(sudo xmlstarlet sel -Q -t -v "//listenerList/listener/name" "$file_to_check" 2>/dev/null || echo "")
for listener in $listeners; do
local key_file=$(sudo xmlstarlet sel -Q -t -v "//listenerList/listener[name='$listener']/keyFile" "$file_to_check" 2>/dev/null || echo "")
local cert_file=$(sudo xmlstarlet sel -Q -t -v "//listenerList/listener[name='$listener']/certFile" "$file_to_check" 2>/dev/null || echo "")
# Resolve paths
key_file=$(echo "$key_file" | sed "s|\$SERVER_ROOT|$SERVER_ROOT|g")
cert_file=$(echo "$cert_file" | sed "s|\$SERVER_ROOT|$SERVER_ROOT|g")
if [[ -n "$key_file" && ! -e "$key_file" ]]; then
log "Warning: Listener '$listener' has invalid keyFile path: '$key_file'"
if ! validate_listener_certificates "$file_to_check"; then
semantic_errors=$((semantic_errors + 1))
fi
if [[ -n "$cert_file" && ! -e "$cert_file" ]]; then
log "Warning: Listener '$listener' has invalid certFile path: '$cert_file'"
semantic_errors=$((semantic_errors + 1))
fi
done
# Return result
if [[ "$semantic_errors" -eq 0 ]]; then
log_verbose "Semantic checks passed for '$file_to_check'."
log_success "Semantic checks passed for '$file_to_check'"
return 0
else
log "⚠ Semantic Check: Found $semantic_errors potential issue(s) in '$file_to_check'. Review warnings."
log_error "Found $semantic_errors semantic issue(s) in '$file_to_check'"
return 1
fi
}
@ -189,84 +291,88 @@ apply_and_restart() {
}
# === Main Script Logic ===
log "Starting XML config check/fix V1.8.0 for $CONF_FILE"
sudo mkdir -p "$LOG_DIR" || { log "❌ ERROR: Cannot create log directory '$LOG_DIR'. Check permissions."; exit 1; }
sudo touch "$SCRIPT_LOG" "$XML_ERROR_LOG"
sudo chown "$(whoami)":"$(id -gn)" "$SCRIPT_LOG" "$XML_ERROR_LOG" 2>/dev/null || log_verbose "Info: Could not change ownership of log files (may require sudo)."
main() {
# Setup logging first
setup_logging
log "Starting XML config check/fix V1.8.0 for $CONF_FILE"
# Argument Parsing
if [[ "${1:-}" == "--verbose" ]]; then
# Argument Parsing
if [[ "${1:-}" == "--verbose" ]]; then
VERBOSE=1
log "Verbose mode enabled."
fi
log "Verbose mode enabled"
fi
# Dependency Checks
log_verbose "Checking dependencies..."
check_command "xmllint" "libxml2-utils"
check_command "xmlstarlet" "xmlstarlet"
# Dependency Checks
log_verbose "Checking dependencies..."
check_command "xmllint" "libxml2-utils"
check_command "xmlstarlet" "xmlstarlet"
# Backup Original File
log "Backing up '$CONF_FILE' to '$BACKUP_FILE'..."
sudo cp -a "$CONF_FILE" "$BACKUP_FILE"
# Backup Original File
log "Backing up '$CONF_FILE' to '$BACKUP_FILE'..."
sudo cp -a "$CONF_FILE" "$BACKUP_FILE"
# Initial Validation
log_verbose "Running initial xmllint validation on '$CONF_FILE'..."
if sudo xmllint --noout "$CONF_FILE" 2>"$XML_ERROR_LOG"; then
log "Initial Check: '$CONF_FILE' is valid XML."
# Initial Validation
log_verbose "Running initial xmllint validation on '$CONF_FILE'..."
if sudo xmllint --noout "$CONF_FILE" 2>/dev/null; then
log_success "Initial Check: '$CONF_FILE' is valid XML"
INITIAL_FILE_VALID=1
else
log "Initial Check: '$CONF_FILE' is invalid XML. Will attempt recovery/cleanup."
fi
else
log_error "Initial Check: '$CONF_FILE' is invalid XML. Will attempt recovery/cleanup"
fi
# Recovery Attempt
if [[ "$INITIAL_FILE_VALID" -eq 0 ]]; then
# Recovery Attempt
if [[ "$INITIAL_FILE_VALID" -eq 0 ]]; then
log "Attempting automatic recovery with 'xmllint --recover'..."
sudo rm -f "$RECOVERY_TMP_FILE"
if xmllint --recover "$CONF_FILE" 2>/dev/null > "$RECOVERY_TMP_FILE"; then
if sudo xmllint --noout "$RECOVERY_TMP_FILE" 2>/dev/null; then
log "'xmllint --recover' produced structurally valid XML output."
log_success "'xmllint --recover' produced structurally valid XML output"
RECOVERY_PRODUCED_VALID_XML=1
else
log "'xmllint --recover' ran but the output is STILL invalid XML. Discarding recovery."
log_error "'xmllint --recover' ran but the output is STILL invalid XML. Discarding recovery"
sudo rm -f "$RECOVERY_TMP_FILE"
fi
else
log "'xmllint --recover' command failed or produced errors. Discarding recovery."
log_error "'xmllint --recover' command failed or produced errors. Discarding recovery"
sudo rm -f "$RECOVERY_TMP_FILE"
fi
fi
fi
# Final Validation and Decision
FINAL_CONFIG_SOURCE_FILE=""
FINAL_CONFIG_SOURCE_DESC=""
FINAL_EXIT_CODE=0
log_verbose "Running final validation and decision logic..."
# Final Validation and Decision
FINAL_CONFIG_SOURCE_FILE=""
FINAL_CONFIG_SOURCE_DESC=""
FINAL_EXIT_CODE=0
log_verbose "Running final validation and decision logic..."
# Check 1: Is the original (potentially cleaned) temp file valid now?
if [[ "$INITIAL_FILE_VALID" -eq 1 ]]; then
# Check 1: Is the original (potentially cleaned) temp file valid now?
if [[ "$INITIAL_FILE_VALID" -eq 1 ]]; then
FINAL_CONFIG_SOURCE_FILE="$CONF_FILE"
FINAL_CONFIG_SOURCE_DESC="original"
elif [[ "$RECOVERY_PRODUCED_VALID_XML" -eq 1 ]]; then
elif [[ "$RECOVERY_PRODUCED_VALID_XML" -eq 1 ]]; then
FINAL_CONFIG_SOURCE_FILE="$RECOVERY_TMP_FILE"
FINAL_CONFIG_SOURCE_DESC="recovered"
else
log "❌ FATAL: Neither original nor recovered file is valid. Falling back to default or minimal config."
else
log_error "Neither original nor recovered file is valid. Falling back to default or minimal config"
FINAL_EXIT_CODE=2
fi
fi
# Apply and Restart
if [[ -n "$FINAL_CONFIG_SOURCE_FILE" ]]; then
# Apply and Restart
if [[ -n "$FINAL_CONFIG_SOURCE_FILE" ]]; then
if apply_and_restart "$FINAL_CONFIG_SOURCE_FILE" "$FINAL_CONFIG_SOURCE_DESC"; then
log "Script completed successfully. Applied: $FINAL_CONFIG_SOURCE_DESC."
log_success "Script completed successfully. Applied: $FINAL_CONFIG_SOURCE_DESC"
exit "$FINAL_EXIT_CODE"
else
log "❌ FATAL: Failed to apply and restart using $FINAL_CONFIG_SOURCE_DESC config."
log_error "Failed to apply and restart using $FINAL_CONFIG_SOURCE_DESC config"
exit 1
fi
else
log "❌ FATAL: No valid configuration file found. Exiting."
else
log_error "No valid configuration file found. Exiting"
exit 1
fi
fi
}
# === Entry Point ===
main "$@"
# === Fallback Logic ===
log "Attempting fallback sequence..."