Fix: Kein Self-signed HTTPS mehr — plain HTTP bis LE-Cert vorhanden

- Nginx initial: nur HTTP-Block (kein 443/self-signed)
- mailwolt-apply-domains: kein self-signed Fallback; ohne LE-Cert
  bleibt nginx HTTP-only, mit LE-Cert wird auf HTTPS umgestellt
- Monit: MariaDB per matching statt pidfile (mysqld.pid oft nicht da)
- ACME-Challenge Location bereits im initialen HTTP-Block vorhanden

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

installer.sh

@@ -453,37 +453,10 @@ server {
   access_log /var/log/nginx/${APP_USER}_access.log;
   error_log  /var/log/nginx/${APP_USER}_error.log;
 
-  location / {
-    try_files \$uri \$uri/ /index.php?\$query_string;
+  location ^~ /.well-known/acme-challenge/ {
+    root /var/www/letsencrypt;
+    try_files \$uri =404;
   }
-  location ~ \.php\$ {
-    include snippets/fastcgi-php.conf;
-    fastcgi_pass unix:${PHP_FPM_SOCK};
-  }
-  location ^~ /livewire/ {
-    try_files \$uri /index.php?\$query_string;
-  }
-  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)\$ {
-    expires 30d;
-    access_log off;
-  }
-}
-
-server {
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
-  server_name _;
-
-  ssl_certificate     ${CERT};
-  ssl_certificate_key ${KEY};
-  ssl_protocols       TLSv1.2 TLSv1.3;
-
-  root ${APP_DIR}/public;
-  index index.php index.html;
-
-  access_log /var/log/nginx/${APP_USER}_ssl_access.log;
-  error_log  /var/log/nginx/${APP_USER}_ssl_error.log;
-
   location / {
     try_files \$uri \$uri/ /index.php?\$query_string;
   }
@@ -700,8 +673,16 @@ if [ "${SSL_AUTO}" = "1" ]; then
   done
 fi
 
-# --- Phase 3: Finale Vhosts (LE-Cert oder self-signed Fallback) ---
+# --- Phase 3: Finale Vhosts ---
+# Nur HTTPS wenn LE-Cert tatsächlich vorhanden, sonst HTTP-only (kein self-signed Fallback)
 (
+UI_HAS_CERT=0
+WM_HAS_CERT=0
+[ -f "/etc/letsencrypt/live/${UI_HOST}/fullchain.pem" ]      && UI_HAS_CERT=1
+[ -f "/etc/letsencrypt/live/${WEBMAIL_HOST}/fullchain.pem" ] && WM_HAS_CERT=1
+
+if [ "${UI_HAS_CERT}" = "1" ] || [ "${WM_HAS_CERT}" = "1" ]; then
+  # Mindestens ein Cert vorhanden → HTTP-Redirect Block
   cat <<CONF
 server {
   listen 80;
@@ -715,15 +696,33 @@ server {
   location / { return 301 https://\$host\$request_uri; }
 }
 CONF
-
-if [ -n "${UI_HOST}" ]; then
-  if [ "${SSL_AUTO}" = "1" ] && [ -f "/etc/letsencrypt/live/${UI_HOST}/fullchain.pem" ]; then
-    CERT_UI="/etc/letsencrypt/live/${UI_HOST}/fullchain.pem"
-    KEY_UI="/etc/letsencrypt/live/${UI_HOST}/privkey.pem"
 else
-    CERT_UI="/etc/mailwolt/ssl/cert.pem"
-    KEY_UI="/etc/mailwolt/ssl/key.pem"
+  # Kein Cert → HTTP-only, App läuft auf Port 80 weiter
+  cat <<CONF
+server {
+  listen 80 default_server;
+  listen [::]:80 default_server;
+  server_name _;
+
+  root ${APP_DIR}/public;
+  index index.php index.html;
+
+  location /.well-known/acme-challenge/ {
+    root ${ACME_ROOT};
+    try_files \$uri =404;
+  }
+  location / { try_files \$uri \$uri/ /index.php?\$query_string; }
+  location ~ \.php\$ {
+    include snippets/fastcgi-php.conf;
+    fastcgi_pass unix:${PHP_FPM_SOCK};
+  }
+  location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
+  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)\$ { expires 30d; access_log off; }
+}
+CONF
 fi
+
+if [ -n "${UI_HOST}" ] && [ "${UI_HAS_CERT}" = "1" ]; then
   cat <<CONF
 
 server {
@@ -731,32 +730,25 @@ server {
   listen [::]:443 ssl http2;
   server_name ${UI_HOST};
 
-  ssl_certificate     ${CERT_UI};
-  ssl_certificate_key ${KEY_UI};
+  ssl_certificate     /etc/letsencrypt/live/${UI_HOST}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/${UI_HOST}/privkey.pem;
   ssl_protocols       TLSv1.2 TLSv1.3;
 
   root ${APP_DIR}/public;
   index index.php index.html;
 
   location / { try_files \$uri \$uri/ /index.php?\$query_string; }
-  location ~ \.php$ {
+  location ~ \.php\$ {
     include snippets/fastcgi-php.conf;
     fastcgi_pass unix:${PHP_FPM_SOCK};
   }
   location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
-  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ { expires 30d; access_log off; }
+  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)\$ { expires 30d; access_log off; }
 }
 CONF
 fi
 
-if [ -n "${WEBMAIL_HOST}" ]; then
-  if [ "${SSL_AUTO}" = "1" ] && [ -f "/etc/letsencrypt/live/${WEBMAIL_HOST}/fullchain.pem" ]; then
-    CERT_WM="/etc/letsencrypt/live/${WEBMAIL_HOST}/fullchain.pem"
-    KEY_WM="/etc/letsencrypt/live/${WEBMAIL_HOST}/privkey.pem"
-  else
-    CERT_WM="/etc/mailwolt/ssl/cert.pem"
-    KEY_WM="/etc/mailwolt/ssl/key.pem"
-  fi
+if [ -n "${WEBMAIL_HOST}" ] && [ "${WM_HAS_CERT}" = "1" ]; then
   cat <<CONF
 
 server {
@@ -764,20 +756,20 @@ server {
   listen [::]:443 ssl http2;
   server_name ${WEBMAIL_HOST};
 
-  ssl_certificate     ${CERT_WM};
-  ssl_certificate_key ${KEY_WM};
+  ssl_certificate     /etc/letsencrypt/live/${WEBMAIL_HOST}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/${WEBMAIL_HOST}/privkey.pem;
   ssl_protocols       TLSv1.2 TLSv1.3;
 
   root ${APP_DIR}/public;
   index index.php index.html;
 
   location / { try_files \$uri \$uri/ /index.php?\$query_string; }
-  location ~ \.php$ {
+  location ~ \.php\$ {
     include snippets/fastcgi-php.conf;
     fastcgi_pass unix:${PHP_FPM_SOCK};
   }
   location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
-  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ { expires 30d; access_log off; }
+  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)\$ { expires 30d; access_log off; }
 }
 CONF
 fi
@@ -869,7 +861,7 @@ check process dovecot with pidfile /run/dovecot/master.pid
   if failed host 127.0.0.1 port 993 type tcpssl for 3 cycles then restart
   if 5 restarts within 10 cycles then alert
 
-check process mariadb with pidfile /run/mysqld/mysqld.pid
+check process mariadb matching "mysqld"
   start program = "/bin/systemctl start mariadb"
   stop  program = "/bin/systemctl stop mariadb"
   if failed host 127.0.0.1 port 3306 type tcp for 2 cycles then restart