boban
/
mailwolt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix: WizardDomains übergibt SSL-Handling komplett an mailwolt-apply-domains 

- Kein certbot --nginx mehr im Wizard (scheitert an catch-all server_name)
- mailwolt-apply-domains erstellt Vhosts zuerst, dann certbot --webroot
- sudoers-Eintrag für certbot im Installer

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
main
boban 2026-04-23 22:48:47 +02:00
parent d5d5fd819c
commit e833ab72c6
2 changed files with 30 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
app/Console/Commands/WizardDomains.php
View File

@ -26,7 +26,6 @@ class WizardDomains extends Command
@mkdir(self::STATE_DIR, 0755, true);
// Start: alle auf pending
foreach (['ui', 'mail', 'webmail'] as $key) {
file_put_contents(self::STATE_DIR . "/{$key}", 'pending');
}
@ -34,6 +33,7 @@ class WizardDomains extends Command
$domains = ['ui' => $ui, 'mail' => $mail, 'webmail' => $webmail];
$allOk = true;
// DNS prüfen
foreach ($domains as $key => $domain) {
if (!$domain) {
file_put_contents(self::STATE_DIR . "/{$key}", 'skip');
@ -42,47 +42,42 @@ class WizardDomains extends Command
file_put_contents(self::STATE_DIR . "/{$key}", 'running');
// DNS prüfen
$hasDns = checkdnsrr($domain, 'A') || checkdnsrr($domain, 'AAAA');
if (!$hasDns) {
file_put_contents(self::STATE_DIR . "/{$key}", 'nodns');
$allOk = false;
continue;
}
// SSL-Zertifikat anfordern
if ($ssl) {
$out = shell_exec(sprintf(
'sudo -n certbot certonly --nginx --non-interactive --agree-tos -m root@%s -d %s 2>&1',
escapeshellarg($domain),
escapeshellarg($domain)
));
$certOk = str_contains((string) $out, 'Successfully') || str_contains((string) $out, 'Certificate not yet due for renewal');
if (!$certOk) {
file_put_contents(self::STATE_DIR . "/{$key}", 'error');
$allOk = false;
continue;
}
}
file_put_contents(self::STATE_DIR . "/{$key}", 'done');
}
// Nginx neu konfigurieren (alle Domains auf einmal)
if ($allOk) {
$helper = '/usr/local/sbin/mailwolt-apply-domains';
shell_exec(sprintf(
'sudo -n %s --ui-host %s --webmail-host %s --mail-host %s --ssl-auto %d 2>&1',
escapeshellarg($helper),
escapeshellarg($ui),
escapeshellarg($webmail),
escapeshellarg($mail),
$ssl ? 1 : 0,
));
if (!$allOk) {
file_put_contents(self::STATE_DIR . '/done', '0');
Setting::set('ssl_configured', '0');
return self::SUCCESS;
}
file_put_contents(self::STATE_DIR . '/done', $allOk ? '1' : '0');
Setting::set('ssl_configured', $allOk ? '1' : '0');
// Nginx-Vhosts + optionales SSL via mailwolt-apply-domains
// Das Script erstellt erst die Vhosts (mit ACME-Location), dann certbot --webroot
$helper = '/usr/local/sbin/mailwolt-apply-domains';
$out = shell_exec(sprintf(
'sudo -n %s --ui-host %s --webmail-host %s --mail-host %s --ssl-auto %d 2>&1',
escapeshellarg($helper),
escapeshellarg($ui),
escapeshellarg($webmail),
escapeshellarg($mail),
$ssl ? 1 : 0,
));
$helperOk = $out !== null && !str_contains((string) $out, '[x]');
foreach (['ui', 'mail', 'webmail'] as $key) {
$status = file_get_contents(self::STATE_DIR . "/{$key}");
if ($status === 'running' || $status === 'pending') {
file_put_contents(self::STATE_DIR . "/{$key}", $helperOk ? 'done' : 'error');
}
}
file_put_contents(self::STATE_DIR . '/done', $helperOk ? '1' : '0');
Setting::set('ssl_configured', $helperOk ? '1' : '0');
return self::SUCCESS;
}
}

5
installer.sh
View File

@ -655,11 +655,10 @@ HELPER
chmod 755 /usr/local/sbin/mailwolt-apply-domains
# ===== Sudoers für www-data (certbot + helper) =====
cat > /etc/sudoers.d/mailwolt-www <<'SUDOERS'
cat > /etc/sudoers.d/mailwolt-certbot <<'SUDOERS'
www-data ALL=(root) NOPASSWD: /usr/bin/certbot
www-data ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-apply-domains
SUDOERS
chmod 440 /etc/sudoers.d/mailwolt-www
chmod 440 /etc/sudoers.d/mailwolt-certbot
# git safe.directory damit spätere pulls als root möglich sind
git config --global --add safe.directory "${APP_DIR}" || true