From e833ab72c66147408ba160c7a9687893c1012aca Mon Sep 17 00:00:00 2001
From: boban
Date: Thu, 23 Apr 2026 22:48:47 +0200
Subject: [PATCH] =?UTF-8?q?Fix:=20WizardDomains=20=C3=BCbergibt=20SSL-Hand?=
 =?UTF-8?q?ling=20komplett=20an=20mailwolt-apply-domains?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Kein certbot --nginx mehr im Wizard (scheitert an catch-all server_name)
- mailwolt-apply-domains erstellt Vhosts zuerst, dann certbot --webroot
- sudoers-Eintrag für certbot im Installer

Co-Authored-By: Claude Sonnet 4.6
---
 app/Console/Commands/WizardDomains.php | 61 ++++++++++++----------------
 installer.sh                           |  5 +--
 2 files changed, 30 insertions(+), 36 deletions(-)

diff --git a/app/Console/Commands/WizardDomains.php b/app/Console/Commands/WizardDomains.php
index de51211..6e8b147 100644
--- a/app/Console/Commands/WizardDomains.php
+++ b/app/Console/Commands/WizardDomains.php
@@ -26,7 +26,6 @@ class WizardDomains extends Command
         @mkdir(self::STATE_DIR, 0755, true);
 
-        // Start: alle auf pending
         foreach (['ui', 'mail', 'webmail'] as $key) {
             file_put_contents(self::STATE_DIR . "/{$key}", 'pending');
         }
 
@@ -34,6 +33,7 @@ class WizardDomains extends Command
         $domains = ['ui' => $ui, 'mail' => $mail, 'webmail' => $webmail];
         $allOk = true;
 
+        // DNS prüfen
         foreach ($domains as $key => $domain) {
             if (!$domain) {
                 file_put_contents(self::STATE_DIR . "/{$key}", 'skip');
@@ -42,47 +42,42 @@ class WizardDomains extends Command
             file_put_contents(self::STATE_DIR . "/{$key}", 'running');
 
-            // DNS prüfen
             $hasDns = checkdnsrr($domain, 'A') || checkdnsrr($domain, 'AAAA');
             if (!$hasDns) {
                 file_put_contents(self::STATE_DIR . "/{$key}", 'nodns');
                 $allOk = false;
-                continue;
             }
-
-            // SSL-Zertifikat anfordern
-            if ($ssl) {
-                $out = shell_exec(sprintf(
-                    'sudo -n certbot certonly --nginx --non-interactive --agree-tos -m root@%s -d %s 2>&1',
-                    escapeshellarg($domain),
-                    escapeshellarg($domain)
-                ));
-                $certOk = str_contains((string) $out, 'Successfully') || str_contains((string) $out, 'Certificate not yet due for renewal');
-                if (!$certOk) {
-                    file_put_contents(self::STATE_DIR . "/{$key}", 'error');
-                    $allOk = false;
-                    continue;
-                }
-            }
-
-            file_put_contents(self::STATE_DIR . "/{$key}", 'done');
         }
 
-        // Nginx neu konfigurieren (alle Domains auf einmal)
-        if ($allOk) {
-            $helper = '/usr/local/sbin/mailwolt-apply-domains';
-            shell_exec(sprintf(
-                'sudo -n %s --ui-host %s --webmail-host %s --mail-host %s --ssl-auto %d 2>&1',
-                escapeshellarg($helper),
-                escapeshellarg($ui),
-                escapeshellarg($webmail),
-                escapeshellarg($mail),
-                $ssl ? 1 : 0,
-            ));
+        if (!$allOk) {
+            file_put_contents(self::STATE_DIR . '/done', '0');
+            Setting::set('ssl_configured', '0');
+            return self::SUCCESS;
         }
 
-        file_put_contents(self::STATE_DIR . '/done', $allOk ? '1' : '0');
-        Setting::set('ssl_configured', $allOk ? '1' : '0');
+        // Nginx-Vhosts + optionales SSL via mailwolt-apply-domains
+        // Das Script erstellt erst die Vhosts (mit ACME-Location), dann certbot --webroot
+        $helper = '/usr/local/sbin/mailwolt-apply-domains';
+        $out = shell_exec(sprintf(
+            'sudo -n %s --ui-host %s --webmail-host %s --mail-host %s --ssl-auto %d 2>&1',
+            escapeshellarg($helper),
+            escapeshellarg($ui),
+            escapeshellarg($webmail),
+            escapeshellarg($mail),
+            $ssl ? 1 : 0,
+        ));
+
+        $helperOk = $out !== null && !str_contains((string) $out, '[x]');
+
+        foreach (['ui', 'mail', 'webmail'] as $key) {
+            $status = file_get_contents(self::STATE_DIR . "/{$key}");
+            if ($status === 'running' || $status === 'pending') {
+                file_put_contents(self::STATE_DIR . "/{$key}", $helperOk ? 'done' : 'error');
+            }
+        }
+
+        file_put_contents(self::STATE_DIR . '/done', $helperOk ? '1' : '0');
+        Setting::set('ssl_configured', $helperOk ? '1' : '0');
 
         return self::SUCCESS;
     }
 }
diff --git a/installer.sh b/installer.sh
index c471f45..6961eee 100644
--- a/installer.sh
+++ b/installer.sh
@@ -655,11 +655,10 @@ HELPER
 chmod 755 /usr/local/sbin/mailwolt-apply-domains
 
 # ===== Sudoers für www-data (certbot + helper) =====
-cat > /etc/sudoers.d/mailwolt-www <<'SUDOERS'
+cat > /etc/sudoers.d/mailwolt-certbot <<'SUDOERS'
 www-data ALL=(root) NOPASSWD: /usr/bin/certbot
-www-data ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-apply-domains
 SUDOERS
-chmod 440 /etc/sudoers.d/mailwolt-www
+chmod 440 /etc/sudoers.d/mailwolt-certbot
 
 # git safe.directory damit spätere pulls als root möglich sind
 git config --global --add safe.directory "${APP_DIR}" || true
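Review bot: `$helperOk = $out !== null && !str_contains((string) $out, '[x]');` infers success from the absence of a marker in the merged stdout/stderr, so any failure that prints something other than `[x]` — most relevantly `sudo -n` refusing the command because no NOPASSWD rule matches, which prints `sudo: a password is required` — is recorded as `done` and sets `ssl_configured` to `1`, while a helper run that exits 0 without output makes `shell_exec()` return `null` and is recorded as an error. Check the exit status instead: replace `$out = shell_exec(sprintf(` / `));` with `exec(sprintf(` / `), $lines, $exitCode);` and use `$helperOk = $exitCode === 0;`, keeping `$lines` for a log entry. This matters in this very commit, because the installer.sh hunk drops the `www-data ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-apply-domains` entry; unless that grant is provided elsewhere in installer.sh, the `sudo -n %s` call here will be rejected and misreported as success. A smaller point: `running` is written before the DNS check, and the early `return` on `!$allOk` leaves the domains that did resolve stuck at `running` with no terminal state, so the UI reading these files never sees them finish. The enclosing method begins above this hunk.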
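Review bot: Renaming the drop-in to `/etc/sudoers.d/mailwolt-certbot` without removing the old file means a host provisioned by an earlier installer keeps `/etc/sudoers.d/mailwolt-www`, and with it the helper grant this hunk intends to drop; add `rm -f /etc/sudoers.d/mailwolt-www` before the `cat > /etc/sudoers.d/mailwolt-certbot <<'SUDOERS'` line. The rule that remains, `www-data ALL=(root) NOPASSWD: /usr/bin/certbot`, permits any certbot subcommand and argument as root, and after this commit the wizard no longer invokes certbot itself (the helper does), so if no other PHP code path depends on it the grant can be removed as well — the section comment `(certbot + helper)` no longer matches the file's contents either way. Validate the drop-in at install time rather than at the first sudo call, e.g. `visudo -cf /etc/sudoers.d/mailwolt-certbot` after the `chmod 440`, so a malformed file is caught by the installer.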