From 142ca3c670e75ac6e2bfcc748e11da620a8e4024 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Pedro=20Toledo?=
Date: Tue, 27 Jan 2026 09:20:47 -0300
Subject: [PATCH] feat(ssl): fix bootstrap loop with self-signed generation fallback
---
 scripts/pre-flight.sh | 5 +++++
 scripts/renew_ssl.sh | 16 ++++++++++++++++
 2 files changed, 21 insertions(+)
diff --git a/scripts/pre-flight.sh b/scripts/pre-flight.sh
index db404bb..e2a4d7b 100644
--- a/scripts/pre-flight.sh
+++ b/scripts/pre-flight.sh
@@ -103,4 +103,9 @@ echo "*/5 * * * * /scripts/git_sync.sh >> /var/log/nginx/git_sync.log 2>&1" >> /
 crond -b -l 8
 echo "[Pre-Flight] Checks complete. Starting NGINX..."
+
+# Background: Trigger SSL renewal again in 60s
+# This catches the fresh snakeoil certs (1 day expire) and renews them using the NOW RUNNING Nginx.
+(sleep 60 && /scripts/renew_ssl.sh >> /var/log/nginx/ssl_bootstrap.log 2>&1) &
+
 exec "$@"
diff --git a/scripts/renew_ssl.sh b/scripts/renew_ssl.sh
index b28837b..8b75c97 100644
--- a/scripts/renew_ssl.sh
+++ b/scripts/renew_ssl.sh
@@ -65,6 +65,22 @@ for conf in /etc/nginx/conf.d/*.conf; do
 echo "[SSL-Renew] Certbot failed for $DOMAIN."
 fi
 fi
+ else
+ echo "[SSL-Renew] CRT Not Found for $DOMAIN. Generating Self-Signed Bootstrap Cert..."
+
+ # Ensure dir exists
+ mkdir -p "$(dirname "$CRT_FILE")"
+
+ KEY_FILE=$(grep -E "\s*ssl_certificate_key\s+" "$conf" | sed -r 's/.*ssl_certificate_key\s+(.*);/\1/' | head -n 1)
+ mkdir -p "$(dirname "$KEY_FILE")"
+
+ # Generate minimal self-signed cert valid for 1 day (forces renewal next run)
+ openssl req -x509 -nodes -days 1 -newkey rsa:2048 \ -keyout "$KEY_FILE" \ -out "$CRT_FILE" \ -subj "/C=BR/ST=SP/L=Bootstrap/O=ITGuys/CN=$DOMAIN"
+
+ echo "[SSL-Renew] Bootstrap Cert created. Nginx should be able to start."
 fi
 done
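Review bot: The one-shot `(sleep 60 && /scripts/renew_ssl.sh …) &` added before `exec "$@"` has no readiness check and no second attempt: if nginx is not yet serving the ACME challenge at the 60-second mark, or certbot fails for any other reason, the 1-day bootstrap cert simply expires and the only evidence is a line in ssl_bootstrap.log. Because the subshell is forked before `exec`, its exit status is never observed by this script and the job is reparented once the shell image is replaced, so any follow-up has to come from renew_ssl.sh's own scheduling, which is not visible here. A bounded retry such as `(for i in 1 2 3; do sleep 60; /scripts/renew_ssl.sh && break; done) >> /var/log/nginx/ssl_bootstrap.log 2>&1 &` would cover a slow start, provided renew_ssl.sh returns non-zero when certbot fails — the visible renew_ssl.sh hunk only echoes on that path, so that needs confirming. The comment's "snakeoil certs" should name the mechanism actually in play, e.g. `# This renews the 1-day self-signed bootstrap certs that renew_ssl.sh generates when no CRT exists, now that Nginx is listening.`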
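Review bot: In the new `else` branch, `KEY_FILE` comes from `grep | sed | head` with no check that anything matched: when the conf has no `ssl_certificate_key` directive, `dirname ""` yields `.`, `mkdir -p .` succeeds, and `openssl req -keyout ""` fails — yet the script still prints "Bootstrap Cert created. Nginx should be able to start." because openssl's exit status is ignored (unless the file runs under `set -e`, which is outside the hunk). Both need an explicit check, with `continue` to move on to the next conf rather than reporting success. The key is written with `-nodes` (unencrypted); recent OpenSSL creates `-keyout` files mode 0600, but a pre-existing file keeps whatever mode it had, so a `chmod 600 "$KEY_FILE"` after generation is cheap insurance. The enclosing `for conf` loop and the `if` this `else` belongs to both start outside the hunk.
```shell
    KEY_FILE=$(grep -E "\s*ssl_certificate_key\s+" "$conf" | sed -r 's/.*ssl_certificate_key\s+(.*);/\1/' | head -n 1)
    if [ -z "$KEY_FILE" ]; then
      echo "[SSL-Renew] No ssl_certificate_key directive in $conf; cannot bootstrap $DOMAIN." >&2
      continue
    fi
    mkdir -p "$(dirname "$KEY_FILE")"

    # … unchanged: "Generate minimal self-signed cert" comment …
    if ! openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
      -keyout "$KEY_FILE" \
      -out "$CRT_FILE" \
      -subj "/C=BR/ST=SP/L=Bootstrap/O=ITGuys/CN=$DOMAIN"; then
      echo "[SSL-Renew] Bootstrap cert generation failed for $DOMAIN." >&2
      continue
    fi
    chmod 600 "$KEY_FILE"
    # … unchanged: "Bootstrap Cert created" echo …
```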