feat(ssl): fix bootstrap loop with self-signed generation fallback

2026-01-27 09:20:47 -03:00 · 2026-01-27 09:20:47 -03:00 · 142ca3c670
parent acabd1a271
commit 142ca3c670
2 changed files with 21 additions and 0 deletions
--- a/scripts/pre-flight.sh
+++ b/scripts/pre-flight.sh
@ -103,4 +103,9 @@ echo "*/5 * * * * /scripts/git_sync.sh >> /var/log/nginx/git_sync.log 2>&1" >> /
 crond -b -l 8

 echo "[Pre-Flight] Checks complete. Starting NGINX..."
+
+# Background: Trigger SSL renewal again in 60s
+# This catches the fresh snakeoil certs (1 day expire) and renews them using the NOW RUNNING Nginx.
+(sleep 60 && /scripts/renew_ssl.sh >> /var/log/nginx/ssl_bootstrap.log 2>&1) &
+
 exec "$@"
--- a/scripts/renew_ssl.sh
+++ b/scripts/renew_ssl.sh
@ -65,6 +65,22 @@ for conf in /etc/nginx/conf.d/*.conf; do
                echo "[SSL-Renew] Certbot failed for $DOMAIN."
             fi
        fi
+    else
+        echo "[SSL-Renew] CRT Not Found for $DOMAIN. Generating Self-Signed Bootstrap Cert..."
+        
+        # Ensure dir exists
+        mkdir -p "$(dirname "$CRT_FILE")"
+        
+        KEY_FILE=$(grep -E "\s*ssl_certificate_key\s+" "$conf" | sed -r 's/.*ssl_certificate_key\s+(.*);/\1/' | head -n 1)
+        mkdir -p "$(dirname "$KEY_FILE")"
+        
+        # Generate minimal self-signed cert valid for 1 day (forces renewal next run)
+        openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
+          -keyout "$KEY_FILE" \
+          -out "$CRT_FILE" \
+          -subj "/C=BR/ST=SP/L=Bootstrap/O=ITGuys/CN=$DOMAIN"
+          
+        echo "[SSL-Renew] Bootstrap Cert created. Nginx should be able to start."
    fi
 done