feat(ssl): fix bootstrap loop with self-signed generation fallback

scripts/pre-flight.sh

@@ -103,4 +103,9 @@ echo "*/5 * * * * /scripts/git_sync.sh >> /var/log/nginx/git_sync.log 2>&1" >> /
 crond -b -l 8
 
 echo "[Pre-Flight] Checks complete. Starting NGINX..."
+
+# Background: Trigger SSL renewal again in 60s
+# This catches the fresh snakeoil certs (1 day expire) and renews them using the NOW RUNNING Nginx.
+(sleep 60 && /scripts/renew_ssl.sh >> /var/log/nginx/ssl_bootstrap.log 2>&1) &
+
 exec "$@"

scripts/renew_ssl.sh

@@ -65,6 +65,22 @@ for conf in /etc/nginx/conf.d/*.conf; do
                 echo "[SSL-Renew] Certbot failed for $DOMAIN."
              fi
         fi
+    else
+        echo "[SSL-Renew] CRT Not Found for $DOMAIN. Generating Self-Signed Bootstrap Cert..."
+        
+        # Ensure dir exists
+        mkdir -p "$(dirname "$CRT_FILE")"
+        
+        KEY_FILE=$(grep -E "\s*ssl_certificate_key\s+" "$conf" | sed -r 's/.*ssl_certificate_key\s+(.*);/\1/' | head -n 1)
+        mkdir -p "$(dirname "$KEY_FILE")"
+        
+        # Generate minimal self-signed cert valid for 1 day (forces renewal next run)
+        openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
+          -keyout "$KEY_FILE" \
+          -out "$CRT_FILE" \
+          -subj "/C=BR/ST=SP/L=Bootstrap/O=ITGuys/CN=$DOMAIN"
+          
+        echo "[SSL-Renew] Bootstrap Cert created. Nginx should be able to start."
     fi
 done