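#!/bin/bash
set -euo pipefail

# Fix/refresh system CA trust and reconstruct a proper fullchain for a given domain on AlmaLinux/RHEL/CentOS.
# Usage: fix-cert-trust.sh <domain> [keys_dir]
# - domain: FQDN of site (e.g., example.com)
# - keys_dir: directory containing cert/key files. Default: /var/lib/jelastic/keys
#
# Reads:  <keys_dir>/<domain>.cer (preferred) or <keys_dir>/cert.pem as the leaf,
#         <keys_dir>/fullchain.pem (preferred) or <keys_dir>/ca.cer as the chain.
# Writes: <keys_dir>/<domain>.fullchain.pem (mode 0644, replaced atomically).
# Exit codes: 0 success (a missing system CA bundle only warns), 1 usage error,
#             2 keys_dir or leaf certificate missing, 3 leaf is not a usable PEM
#             certificate, 4 the output file could not be written.

DOMAIN="${1:-}"
KEYS_DIR="${2:-/var/lib/jelastic/keys}"

# Informational lines go to stdout (as before); warnings and errors to stderr.
log() { printf '%s\n' "$*"; }
warn() { printf '[WARNING] %s\n' "$*" >&2; }
die() {
  local rc=$1
  shift
  printf '[ERROR] %s\n' "$*" >&2
  exit "$rc"
}

if [[ -z "$DOMAIN" ]]; then
  printf 'Usage: %s <domain> [keys_dir]\n' "$0" >&2
  exit 1
fi

# DOMAIN is spliced into file names below; refuse anything that could escape
# KEYS_DIR (a '/' or a leading '.'/'-'). Wildcard names such as *.example.com
# are allowed because the cert files may be named after them.
domain_re='^[A-Za-z0-9*][A-Za-z0-9.*_-]*$'
if [[ ! "$DOMAIN" =~ $domain_re ]]; then
  die 1 "Invalid domain name: $DOMAIN"
fi

log "[INFO] Refreshing system CA trust (update-ca-trust)…"
if command -v update-ca-trust >/dev/null 2>&1; then
  # Best effort: a failed refresh must not block rebuilding the fullchain, but
  # it is reported instead of being swallowed silently.
  if (( EUID == 0 )); then
    update-ca-trust || warn "update-ca-trust failed; system CA trust may be stale."
  else
    sudo update-ca-trust || warn "update-ca-trust failed; system CA trust may be stale."
  fi
else
  warn "update-ca-trust not available; skipping."
fi

log "[INFO] Looking for certificate files in: $KEYS_DIR"
[[ -d "$KEYS_DIR" ]] || die 2 "Keys directory does not exist: $KEYS_DIR"
CERT_PEM="$KEYS_DIR/cert.pem"
CHAIN_PEM="$KEYS_DIR/fullchain.pem"
CA_CER="$KEYS_DIR/ca.cer"
DOMAIN_CRT="$KEYS_DIR/${DOMAIN}.cer"
OUT_FULLCHAIN="$KEYS_DIR/${DOMAIN}.fullchain.pem"

# Prefer domain-specific cert, fallback to cert.pem
if [[ -f "$DOMAIN_CRT" ]]; then
  LEAF_CERT="$DOMAIN_CRT"
elif [[ -f "$CERT_PEM" ]]; then
  LEAF_CERT="$CERT_PEM"
else
  die 2 "Could not find leaf certificate (cert.pem or ${DOMAIN}.cer) in $KEYS_DIR"
fi

# Sanity-check the leaf when openssl is present: a file that is not a PEM X.509
# certificate would otherwise be copied into the fullchain unnoticed.
if command -v openssl >/dev/null 2>&1; then
  openssl x509 -in "$LEAF_CERT" -noout >/dev/null 2>&1 \
    || die 3 "Leaf certificate is not a readable PEM X.509 certificate: $LEAF_CERT"
  # The cert.pem fallback may belong to a different site; only warn, since the
  # match is decided on the "does match" wording printed by openssl x509 -checkhost.
  if ! openssl x509 -in "$LEAF_CERT" -noout -checkhost "$DOMAIN" 2>/dev/null | grep -q 'does match'; then
    warn "$LEAF_CERT does not appear to be issued for $DOMAIN (openssl x509 -checkhost)."
  fi
fi

# Determine chain source
CHAIN_SRC=""
if [[ -f "$CHAIN_PEM" ]]; then
  CHAIN_SRC="$CHAIN_PEM"
elif [[ -f "$CA_CER" ]]; then
  CHAIN_SRC="$CA_CER"
else
  warn "No chain file found (fullchain.pem/ca.cer). Creating fullchain from leaf only."
fi

log "[INFO] Writing reconstructed fullchain to: $OUT_FULLCHAIN"
# Build in a temporary file next to the target and move it into place, so a
# failure part-way never leaves a truncated fullchain for a running server.
# Note: if OUT_FULLCHAIN is a symlink the link itself is replaced, not its target.
tmp_out=$(mktemp -- "$KEYS_DIR/.${DOMAIN}.fullchain.XXXXXX") \
  || die 4 "Cannot create a temporary file in $KEYS_DIR"
cleanup() { rm -f -- "$tmp_out"; }
trap cleanup EXIT

sources=("$LEAF_CERT")
if [[ -n "$CHAIN_SRC" ]]; then
  sources+=("$CHAIN_SRC")
fi

# Copy only CERTIFICATE PEM blocks, in order, skipping exact duplicates.
# Working block-wise instead of cat'ing whole files means a fullchain.pem that
# already holds the leaf does not emit it twice, and anything else in the
# source files (text dumps, a stray key) never ends up in a world-readable file.
# CR line endings are stripped so Windows-edited PEM files dedupe correctly.
awk '
  { sub(/\r$/, "") }
  /-----BEGIN CERTIFICATE-----/ { blk = ""; in_blk = 1 }
  in_blk { blk = blk $0 "\n" }
  /-----END CERTIFICATE-----/ {
    in_blk = 0
    if (!(blk in seen)) { seen[blk] = 1; printf "%s", blk }
  }
' "${sources[@]}" > "$tmp_out"

# grep -c exits 1 when the count is 0; keep the "0" and decide below.
cert_count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$tmp_out" || true)
if (( cert_count == 0 )); then
  die 3 "No PEM certificate blocks found in $LEAF_CERT${CHAIN_SRC:+ / $CHAIN_SRC}"
fi
if [[ -n "$CHAIN_SRC" ]] && (( cert_count < 2 )); then
  warn "$CHAIN_SRC added no certificates beyond the leaf; the fullchain may be incomplete."
fi

chmod 0644 "$tmp_out"
mv -f -- "$tmp_out" "$OUT_FULLCHAIN"
log "[SUCCESS] Fullchain rebuilt at $OUT_FULLCHAIN ($cert_count certificate(s))"

log "[INFO] Detecting system CA bundle for PHP/cURL/WP-CLI"
for candidate in \
  /etc/pki/tls/certs/ca-bundle.crt \
  /etc/ssl/certs/ca-bundle.crt \
  /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
do
  if [[ -f "$candidate" ]]; then
    log "[SUCCESS] System CA bundle: $candidate"
    exit 0
  fi
done

# Informational only: the fullchain was already written, so this stays exit 0.
warn "Could not locate system CA bundle automatically. Ensure ca-certificates are installed."
exit 0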