mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-05-08 14:36:13 +00:00
Fix SSL domain setup on reinstall: reuse existing certs and avoid false success/failure logs (#4004)
* perf: replace /dev/urandom | tr with openssl rand to fix CPU spike * fix: add cron to default package installation and improve SSL certificate handling * Reworked `--installcert` success criteria, cleanup behavior adjusted.
This commit is contained in:
Yunheng Liu
95
install.sh
95
install.sh
@@ -79,26 +79,26 @@ install_base() {
|
||||
apt-get update && apt-get install -y -q cron curl tar tzdata socat ca-certificates openssl
|
||||
;;
|
||||
fedora | amzn | virtuozzo | rhel | almalinux | rocky | ol)
|
||||
dnf -y update && dnf install -y -q curl tar tzdata socat ca-certificates openssl
|
||||
dnf -y update && dnf install -y -q cronie curl tar tzdata socat ca-certificates openssl
|
||||
;;
|
||||
centos)
|
||||
if [[ "${VERSION_ID}" =~ ^7 ]]; then
|
||||
yum -y update && yum install -y curl tar tzdata socat ca-certificates openssl
|
||||
yum -y update && yum install -y cronie curl tar tzdata socat ca-certificates openssl
|
||||
else
|
||||
dnf -y update && dnf install -y -q curl tar tzdata socat ca-certificates openssl
|
||||
dnf -y update && dnf install -y -q cronie curl tar tzdata socat ca-certificates openssl
|
||||
fi
|
||||
;;
|
||||
arch | manjaro | parch)
|
||||
pacman -Syu && pacman -Syu --noconfirm curl tar tzdata socat ca-certificates openssl
|
||||
pacman -Syu && pacman -Syu --noconfirm cronie curl tar tzdata socat ca-certificates openssl
|
||||
;;
|
||||
opensuse-tumbleweed | opensuse-leap)
|
||||
zypper refresh && zypper -q install -y curl tar timezone socat ca-certificates openssl
|
||||
zypper refresh && zypper -q install -y cron curl tar timezone socat ca-certificates openssl
|
||||
;;
|
||||
alpine)
|
||||
apk update && apk add curl tar tzdata socat ca-certificates openssl
|
||||
apk update && apk add dcron curl tar tzdata socat ca-certificates openssl
|
||||
;;
|
||||
*)
|
||||
apt-get update && apt-get install -y -q curl tar tzdata socat ca-certificates openssl
|
||||
apt-get update && apt-get install -y -q cron curl tar tzdata socat ca-certificates openssl
|
||||
;;
|
||||
esac
|
||||
}
|
||||
@@ -379,15 +379,15 @@ ssl_cert_issue() {
|
||||
break
|
||||
done
|
||||
echo -e "${green}Your domain is: ${domain}, checking it...${plain}"
|
||||
SSL_ISSUED_DOMAIN="${domain}"
|
||||
|
||||
# check if there already exists a certificate
|
||||
local currentCert=$(~/.acme.sh/acme.sh --list | tail -1 | awk '{print $1}')
|
||||
if [ "${currentCert}" == "${domain}" ]; then
|
||||
local certInfo=$(~/.acme.sh/acme.sh --list)
|
||||
echo -e "${red}System already has certificates for this domain. Cannot issue again.${plain}"
|
||||
echo -e "${yellow}Current certificate details:${plain}"
|
||||
echo "$certInfo"
|
||||
return 1
|
||||
# detect existing certificate and reuse it if present
|
||||
local cert_exists=0
|
||||
if ~/.acme.sh/acme.sh --list 2>/dev/null | awk '{print $1}' | grep -Fxq "${domain}"; then
|
||||
cert_exists=1
|
||||
local certInfo=$(~/.acme.sh/acme.sh --list 2>/dev/null | grep -F "${domain}")
|
||||
echo -e "${yellow}Existing certificate found for ${domain}, will reuse it.${plain}"
|
||||
[[ -n "${certInfo}" ]] && echo "$certInfo"
|
||||
else
|
||||
echo -e "${green}Your domain is ready for issuing certificates now...${plain}"
|
||||
fi
|
||||
@@ -414,16 +414,20 @@ ssl_cert_issue() {
|
||||
echo -e "${yellow}Stopping panel temporarily...${plain}"
|
||||
systemctl stop x-ui 2>/dev/null || rc-service x-ui stop 2>/dev/null
|
||||
|
||||
# issue the certificate
|
||||
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force
|
||||
~/.acme.sh/acme.sh --issue -d ${domain} --listen-v6 --standalone --httpport ${WebPort} --force
|
||||
if [ $? -ne 0 ]; then
|
||||
echo -e "${red}Issuing certificate failed, please check logs.${plain}"
|
||||
rm -rf ~/.acme.sh/${domain}
|
||||
systemctl start x-ui 2>/dev/null || rc-service x-ui start 2>/dev/null
|
||||
return 1
|
||||
if [[ ${cert_exists} -eq 0 ]]; then
|
||||
# issue the certificate
|
||||
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force
|
||||
~/.acme.sh/acme.sh --issue -d ${domain} --listen-v6 --standalone --httpport ${WebPort} --force
|
||||
if [ $? -ne 0 ]; then
|
||||
echo -e "${red}Issuing certificate failed, please check logs.${plain}"
|
||||
rm -rf ~/.acme.sh/${domain}
|
||||
systemctl start x-ui 2>/dev/null || rc-service x-ui start 2>/dev/null
|
||||
return 1
|
||||
else
|
||||
echo -e "${green}Issuing certificate succeeded, installing certificates...${plain}"
|
||||
fi
|
||||
else
|
||||
echo -e "${green}Issuing certificate succeeded, installing certificates...${plain}"
|
||||
echo -e "${green}Using existing certificate, installing certificates...${plain}"
|
||||
fi
|
||||
|
||||
# Setup reload command
|
||||
@@ -453,17 +457,27 @@ ssl_cert_issue() {
|
||||
fi
|
||||
|
||||
# install the certificate
|
||||
~/.acme.sh/acme.sh --installcert -d ${domain} \
|
||||
local installOutput=""
|
||||
installOutput=$(~/.acme.sh/acme.sh --installcert -d ${domain} \
|
||||
--key-file /root/cert/${domain}/privkey.pem \
|
||||
--fullchain-file /root/cert/${domain}/fullchain.pem --reloadcmd "${reloadCmd}"
|
||||
--fullchain-file /root/cert/${domain}/fullchain.pem --reloadcmd "${reloadCmd}" 2>&1)
|
||||
local installRc=$?
|
||||
echo "${installOutput}"
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
local installWroteFiles=0
|
||||
if echo "${installOutput}" | grep -q "Installing key to:" && echo "${installOutput}" | grep -q "Installing full chain to:"; then
|
||||
installWroteFiles=1
|
||||
fi
|
||||
|
||||
if [[ -f "/root/cert/${domain}/privkey.pem" && -f "/root/cert/${domain}/fullchain.pem" && ( ${installRc} -eq 0 || ${installWroteFiles} -eq 1 ) ]]; then
|
||||
echo -e "${green}Installing certificate succeeded, enabling auto renew...${plain}"
|
||||
else
|
||||
echo -e "${red}Installing certificate failed, exiting.${plain}"
|
||||
rm -rf ~/.acme.sh/${domain}
|
||||
if [[ ${cert_exists} -eq 0 ]]; then
|
||||
rm -rf ~/.acme.sh/${domain}
|
||||
fi
|
||||
systemctl start x-ui 2>/dev/null || rc-service x-ui start 2>/dev/null
|
||||
return 1
|
||||
else
|
||||
echo -e "${green}Installing certificate succeeded, enabling auto renew...${plain}"
|
||||
fi
|
||||
|
||||
# enable auto-renew
|
||||
@@ -536,14 +550,21 @@ prompt_and_setup_ssl() {
|
||||
1)
|
||||
# User chose Let's Encrypt domain option
|
||||
echo -e "${green}Using Let's Encrypt for domain certificate...${plain}"
|
||||
ssl_cert_issue
|
||||
# Extract the domain that was used from the certificate
|
||||
local cert_domain=$(~/.acme.sh/acme.sh --list 2>/dev/null | tail -1 | awk '{print $1}')
|
||||
if [[ -n "${cert_domain}" ]]; then
|
||||
SSL_HOST="${cert_domain}"
|
||||
echo -e "${green}✓ SSL certificate configured successfully with domain: ${cert_domain}${plain}"
|
||||
if ssl_cert_issue; then
|
||||
local cert_domain="${SSL_ISSUED_DOMAIN}"
|
||||
if [[ -z "${cert_domain}" ]]; then
|
||||
cert_domain=$(~/.acme.sh/acme.sh --list 2>/dev/null | tail -1 | awk '{print $1}')
|
||||
fi
|
||||
|
||||
if [[ -n "${cert_domain}" ]]; then
|
||||
SSL_HOST="${cert_domain}"
|
||||
echo -e "${green}✓ SSL certificate configured successfully with domain: ${cert_domain}${plain}"
|
||||
else
|
||||
echo -e "${yellow}SSL setup may have completed, but domain extraction failed${plain}"
|
||||
SSL_HOST="${server_ip}"
|
||||
fi
|
||||
else
|
||||
echo -e "${yellow}SSL setup may have completed, but domain extraction failed${plain}"
|
||||
echo -e "${red}SSL certificate setup failed for domain mode.${plain}"
|
||||
SSL_HOST="${server_ip}"
|
||||
fi
|
||||
;;
|
||||
|
||||
Reference in New Issue
Block a user