Fix: WizardDomains übergibt SSL-Handling komplett an mailwolt-apply-domains

- Kein certbot --nginx mehr im Wizard (scheitert an catch-all server_name)
- mailwolt-apply-domains erstellt Vhosts zuerst, dann certbot --webroot
- sudoers-Eintrag für certbot im Installer

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
main
boban 2026-04-23 22:48:47 +02:00
parent d5d5fd819c
commit e833ab72c6
2 changed files with 30 additions and 36 deletions


@ -26,7 +26,6 @@ class WizardDomains extends Command
@mkdir(self::STATE_DIR, 0755, true); @mkdir(self::STATE_DIR, 0755, true);
// Start: alle auf pending
foreach (['ui', 'mail', 'webmail'] as $key) { foreach (['ui', 'mail', 'webmail'] as $key) {
file_put_contents(self::STATE_DIR . "/{$key}", 'pending'); file_put_contents(self::STATE_DIR . "/{$key}", 'pending');
} }
@ -34,6 +33,7 @@ class WizardDomains extends Command
$domains = ['ui' => $ui, 'mail' => $mail, 'webmail' => $webmail]; $domains = ['ui' => $ui, 'mail' => $mail, 'webmail' => $webmail];
$allOk = true; $allOk = true;
// DNS prüfen
foreach ($domains as $key => $domain) { foreach ($domains as $key => $domain) {
if (!$domain) { if (!$domain) {
file_put_contents(self::STATE_DIR . "/{$key}", 'skip'); file_put_contents(self::STATE_DIR . "/{$key}", 'skip');
@ -42,36 +42,23 @@ class WizardDomains extends Command
file_put_contents(self::STATE_DIR . "/{$key}", 'running'); file_put_contents(self::STATE_DIR . "/{$key}", 'running');
// DNS prüfen
$hasDns = checkdnsrr($domain, 'A') || checkdnsrr($domain, 'AAAA'); $hasDns = checkdnsrr($domain, 'A') || checkdnsrr($domain, 'AAAA');
if (!$hasDns) { if (!$hasDns) {
file_put_contents(self::STATE_DIR . "/{$key}", 'nodns'); file_put_contents(self::STATE_DIR . "/{$key}", 'nodns');
$allOk = false; $allOk = false;
continue;
}
// SSL-Zertifikat anfordern
if ($ssl) {
$out = shell_exec(sprintf(
'sudo -n certbot certonly --nginx --non-interactive --agree-tos -m root@%s -d %s 2>&1',
escapeshellarg($domain),
escapeshellarg($domain)
));
$certOk = str_contains((string) $out, 'Successfully') || str_contains((string) $out, 'Certificate not yet due for renewal');
if (!$certOk) {
file_put_contents(self::STATE_DIR . "/{$key}", 'error');
$allOk = false;
continue;
} }
} }
file_put_contents(self::STATE_DIR . "/{$key}", 'done'); if (!$allOk) {
file_put_contents(self::STATE_DIR . '/done', '0');
Setting::set('ssl_configured', '0');
return self::SUCCESS;
} }
// Nginx neu konfigurieren (alle Domains auf einmal) // Nginx-Vhosts + optionales SSL via mailwolt-apply-domains
if ($allOk) { // Das Script erstellt erst die Vhosts (mit ACME-Location), dann certbot --webroot
$helper = '/usr/local/sbin/mailwolt-apply-domains'; $helper = '/usr/local/sbin/mailwolt-apply-domains';
shell_exec(sprintf( $out = shell_exec(sprintf(
'sudo -n %s --ui-host %s --webmail-host %s --mail-host %s --ssl-auto %d 2>&1', 'sudo -n %s --ui-host %s --webmail-host %s --mail-host %s --ssl-auto %d 2>&1',
escapeshellarg($helper), escapeshellarg($helper),
escapeshellarg($ui), escapeshellarg($ui),
@ -79,10 +66,18 @@ class WizardDomains extends Command
escapeshellarg($mail), escapeshellarg($mail),
$ssl ? 1 : 0, $ssl ? 1 : 0,
)); ));
$helperOk = $out !== null && !str_contains((string) $out, '[x]');
foreach (['ui', 'mail', 'webmail'] as $key) {
$status = file_get_contents(self::STATE_DIR . "/{$key}");
if ($status === 'running' || $status === 'pending') {
file_put_contents(self::STATE_DIR . "/{$key}", $helperOk ? 'done' : 'error');
}
} }
file_put_contents(self::STATE_DIR . '/done', $allOk ? '1' : '0'); file_put_contents(self::STATE_DIR . '/done', $helperOk ? '1' : '0');
Setting::set('ssl_configured', $allOk ? '1' : '0'); Setting::set('ssl_configured', $helperOk ? '1' : '0');
return self::SUCCESS; return self::SUCCESS;
} }
} }
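Review bot: The success test on the new line `$helperOk = $out !== null && !str_contains((string) $out, '[x]');` relies solely on the helper's combined stdout/stderr not containing the `[x]` marker; the helper's exit status is never examined, so a run that aborts before printing that marker is still recorded as `done` and `ssl_configured=1`. Because `2>&1` merges stderr, a `sudo -n` refusal (its own error text carries no `[x]`) also passes as success, which is the very case the installer change in this commit could trigger. Capturing the exit code via `exec()` and requiring it to be zero makes the check independent of the helper's log format; the `[x]` scan can remain as a secondary signal. The enclosing method begins outside the hunk.
```php
$helper = '/usr/local/sbin/mailwolt-apply-domains';
$lines = [];
$exitCode = 1;
exec(sprintf(
    'sudo -n %s --ui-host %s --webmail-host %s --mail-host %s --ssl-auto %d 2>&1',
    // … unchanged: escapeshellarg() arguments and the $ssl flag …
), $lines, $exitCode);
$out = implode("\n", $lines);
// A non-zero exit is a failure regardless of what the helper printed.
$helperOk = $exitCode === 0 && !str_contains($out, '[x]');
// … unchanged: per-domain state update, done/ssl_configured writes …
```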


@ -655,11 +655,10 @@ HELPER
chmod 755 /usr/local/sbin/mailwolt-apply-domains chmod 755 /usr/local/sbin/mailwolt-apply-domains
# ===== Sudoers für www-data (certbot + helper) ===== # ===== Sudoers für www-data (certbot + helper) =====
cat > /etc/sudoers.d/mailwolt-www <<'SUDOERS' cat > /etc/sudoers.d/mailwolt-certbot <<'SUDOERS'
www-data ALL=(root) NOPASSWD: /usr/bin/certbot www-data ALL=(root) NOPASSWD: /usr/bin/certbot
www-data ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-apply-domains
SUDOERS SUDOERS
chmod 440 /etc/sudoers.d/mailwolt-www chmod 440 /etc/sudoers.d/mailwolt-certbot
# git safe.directory damit spätere pulls als root möglich sind # git safe.directory damit spätere pulls als root möglich sind
git config --global --add safe.directory "${APP_DIR}" || true git config --global --add safe.directory "${APP_DIR}" || true
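Review bot: The line `www-data ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-apply-domains` appears on only one side of the heredoc, and the hunk's -11/+10 counts suggest it is the removed side, yet the wizard still invokes `sudo -n /usr/local/sbin/mailwolt-apply-domains` as www-data; unless another sudoers fragment grants that command, the call will be denied on a fresh install. If the rename from `mailwolt-www` to `mailwolt-certbot` is intended, the installer should also drop the old fragment (`rm -f /etc/sudoers.d/mailwolt-www`), otherwise upgraded hosts keep both rule sets active while fresh hosts get only the certbot rule. A parse error in any sudoers.d fragment makes sudo refuse every invocation, so validate the new file before leaving it in place: `visudo -cf /etc/sudoers.d/mailwolt-certbot || { rm -f /etc/sudoers.d/mailwolt-certbot; exit 1; }`.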