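#!/bin/bash
# Fix/refresh system CA trust and reconstruct a proper fullchain for a given
# domain on AlmaLinux/RHEL/CentOS.
#
# Usage: fix-cert-trust.sh DOMAIN [keys_dir]
#   - DOMAIN:   FQDN of site (e.g., example.com)
#   - keys_dir: directory containing cert/key files. Default: /var/lib/jelastic/keys
#
# Inputs looked up in keys_dir (first match wins):
#   leaf:  DOMAIN.cer, then cert.pem
#   chain: fullchain.pem, then ca.cer (optional; leaf-only output otherwise)
# Output: keys_dir/DOMAIN.fullchain.pem (mode 0644) = leaf followed by chain.
#
# Exit codes: 0 success (also when no system CA bundle could be located),
#             1 usage error, 2 keys directory or leaf certificate not found.
set -euo pipefail

# Print a message to stderr and exit with the given status.
# Arguments: $1 - exit status, remaining args - message
die() {
  local status=$1
  shift
  printf '%s\n' "$*" >&2
  exit "$status"
}

DOMAIN="${1:-}"
KEYS_DIR="${2:-/var/lib/jelastic/keys}"

[[ -n "$DOMAIN" ]] || die 1 "Usage: $0 DOMAIN [keys_dir]"
# DOMAIN is spliced into file names below; a path separator would let it
# point outside KEYS_DIR, so refuse it up front.
[[ "$DOMAIN" != */* ]] || die 1 "[ERROR] Invalid domain name: $DOMAIN"

echo "[INFO] Refreshing system CA trust (update-ca-trust)…"
if command -v update-ca-trust >/dev/null 2>&1; then
  # Best effort: a failed refresh must not block rebuilding the fullchain,
  # but it should not pass silently either (the old '|| true' hid it).
  if ! sudo update-ca-trust; then
    echo "[WARNING] update-ca-trust failed; the system trust store may be stale." >&2
  fi
else
  echo "[WARNING] update-ca-trust not available; skipping."
fi

echo "[INFO] Looking for certificate files in: $KEYS_DIR"
[[ -d "$KEYS_DIR" ]] || die 2 "[ERROR] Keys directory does not exist: $KEYS_DIR"
CERT_PEM="$KEYS_DIR/cert.pem"
CHAIN_PEM="$KEYS_DIR/fullchain.pem"
CA_CER="$KEYS_DIR/ca.cer"
DOMAIN_CRT="$KEYS_DIR/${DOMAIN}.cer"
OUT_FULLCHAIN="$KEYS_DIR/${DOMAIN}.fullchain.pem"

# Prefer the domain-specific cert, fall back to cert.pem.
if [[ -f "$DOMAIN_CRT" ]]; then
  LEAF_CERT="$DOMAIN_CRT"
elif [[ -f "$CERT_PEM" ]]; then
  LEAF_CERT="$CERT_PEM"
else
  die 2 "[ERROR] Could not find leaf certificate (cert.pem or ${DOMAIN}.cer) in $KEYS_DIR"
fi

# Determine chain source (optional).
CHAIN_SRC=""
if [[ -f "$CHAIN_PEM" ]]; then
  CHAIN_SRC="$CHAIN_PEM"
elif [[ -f "$CA_CER" ]]; then
  CHAIN_SRC="$CA_CER"
else
  echo "[WARNING] No chain file found (fullchain.pem/ca.cer). Creating fullchain from leaf only."
fi

echo "[INFO] Writing reconstructed fullchain to: $OUT_FULLCHAIN"
# Assemble into a temp file in the same directory and rename it into place,
# so a failure part-way never leaves a truncated fullchain for the web
# server to pick up. mktemp creates it 0600; the mode is widened below.
TMP_OUT=$(mktemp "${OUT_FULLCHAIN}.XXXXXX") || die 2 "[ERROR] mktemp failed in $KEYS_DIR"
trap 'rm -f -- "$TMP_OUT"' EXIT
{
  cat -- "$LEAF_CERT"
  # An explicit 'if' instead of '[[ ]] && ... && ...' keeps the group's exit
  # status 0 when there is no chain, which matters under 'set -e'.
  if [[ -n "$CHAIN_SRC" ]]; then
    # Blank separator guards against a leaf file without a trailing newline,
    # which would otherwise fuse the END/BEGIN PEM markers.
    echo
    cat -- "$CHAIN_SRC"
  fi
} > "$TMP_OUT"
# Certificates are public; 0644 lets the web server read the bundle.
chmod 0644 "$TMP_OUT"
mv -f -- "$TMP_OUT" "$OUT_FULLCHAIN"
echo "[SUCCESS] Fullchain rebuilt at $OUT_FULLCHAIN"

# Best-effort sanity check: the leaf should chain to the (freshly refreshed)
# system trust store through the intermediates just bundled. Warn only;
# the output file is already in place and the caller may be mid-rotation.
if command -v openssl >/dev/null 2>&1; then
  if ! openssl verify -untrusted "$OUT_FULLCHAIN" "$LEAF_CERT" >/dev/null 2>&1; then
    echo "[WARNING] openssl could not verify $LEAF_CERT against the rebuilt chain; check that the intermediates in ${CHAIN_SRC:-(none)} match the leaf." >&2
  fi
fi

echo "[INFO] Detecting system CA bundle for PHP/cURL/WP-CLI"
for candidate in \
  /etc/pki/tls/certs/ca-bundle.crt \
  /etc/ssl/certs/ca-bundle.crt \
  /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem; do
  if [[ -f "$candidate" ]]; then
    echo "[SUCCESS] System CA bundle: $candidate"
    exit 0
  fi
done

echo "[WARNING] Could not locate system CA bundle automatically.
Ensure ca-certificates are installed."
exit 0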