From d435f3e37fabef9b46b938692a3bed2c9527c31b Mon Sep 17 00:00:00 2001
From: wdh-home <243823965@qq.com>
Date: Tue, 19 May 2026 10:21:45 +0800
Subject: [PATCH] 1
---
 scripts/add-domain-certs-core.sh | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/scripts/add-domain-certs-core.sh b/scripts/add-domain-certs-core.sh
index af74dae..001e6a2 100644
--- a/scripts/add-domain-certs-core.sh
+++ b/scripts/add-domain-certs-core.sh
@@ -3,6 +3,11 @@ set -eu
 # Add certificates for new domains on an already running OpenResty gateway.
 # This flow is separate from init-certs-core.sh and never restarts containers.
+# Order matters:
+# 1. Ensure nginx configs exist for the new domains.
+# 2. Create temporary dummy certificates for SSL configs that do not have certs yet.
+# 3. Reload OpenResty so the new HTTP-01 challenge routes are active.
+# 4. Probe the challenge routes, request real certificates, then reload again.
 CERT_ROOT="./certs/live"
 ROOT_DIR="$(CDPATH= cd -- "$(dirname -- "$0")/.." && pwd)"
@@ -97,12 +102,14 @@ check_http_challenge() {
 for domain in $DOMAINS; do
 url="http://$domain/$HTTP_PROBE_PATH"
+local_url="http://127.0.0.1/$HTTP_PROBE_PATH"
 echo "Checking local HTTP-01 route for $domain..."
-if ! body="$(curl -fsS --max-time 5 --resolve "$domain:80:127.0.0.1" "$url" 2>&1)"; then
+if ! body="$(curl -fsS --noproxy '*' --max-time 5 -H "Host: $domain" "$local_url" 2>&1)"; then
 echo "Error: OpenResty is not serving the challenge path for $domain on local port 80." >&2
-echo "Tried: $url via 127.0.0.1" >&2
+echo "Tried: $local_url with Host: $domain" >&2
 echo "$body" >&2
+echo "Hint: an empty reply usually means the request hit the default deny server, so verify OpenResty loaded the domain config." >&2
 return 1
 fi
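Review bot: The new `Hint:` line at the end of the local-probe failure branch is printed for every curl failure — connection refused, the 5-second timeout, a non-2xx status rejected by `-f` — not only for an empty reply, so on unrelated failures it steers the operator toward the default-deny server. Because `if !` inverts the status, `$?` is not usable inside the branch, but `body` already holds curl's stderr via `2>&1`, so the hint can be gated on the message curl emits for that case: `case "$body" in *"curl: (52)"*) echo "Hint: an empty reply usually means the request hit the default deny server, so verify OpenResty loaded the domain config." >&2 ;; esac`. Adding `--noproxy '*'` to the local probe is the right call, since an `http_proxy` in the environment would otherwise divert a request to 127.0.0.1; a short comment on that line saying so would stop the next reader from removing it. `check_http_challenge` starts and ends outside this hunk.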
@@ -119,7 +126,7 @@ check_http_challenge() {
 fi
 echo "Checking public HTTP-01 route for $domain..."
-if ! body="$(curl -fsS --max-time 10 "$url" 2>&1)"; then
+if ! body="$(curl -fsS --noproxy '*' --max-time 10 "$url" 2>&1)"; then
 echo "Error: $domain is not reachable on public HTTP port 80." >&2
 echo "Tried: $url" >&2
 echo "$body" >&2
@@ -211,8 +218,10 @@ if [ "$conf_error" -ne 0 ]; then
 fi
 export DOMAINS CERT_ROOT
+echo "Ensuring temporary certificates exist before loading any new SSL configs..."
 DUMMY_DOMAINS="$(sh "$ROOT_DIR/scripts/ensure-dummy-certs.sh")"
+echo "Reloading OpenResty so new domain configs can serve HTTP-01 challenges..."
 reload_openresty
 check_http_challenge
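Review bot: Adding `--noproxy '*'` to the public probe changes what it measures: the local probe legitimately has to bypass any `http_proxy`, but the public check now fails on a host whose only egress is through a proxy, even though the ACME validator reaches the domain from outside. The probe also still runs from the gateway host itself, so split DNS or an `/etc/hosts` entry for `$domain` can make it pass while the domain is unreachable from the internet — it is evidence of public reachability, not proof. A comment above the curl line would set expectations: `# Probed from this host with proxies bypassed; passing here does not guarantee reachability from the ACME validator.` `check_http_challenge` starts and ends outside this hunk.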
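Review bot: The new progress message before `reload_openresty` does not say that this reload puts the temporary certificates from `ensure-dummy-certs.sh` into service; with `set -eu` at the top of the file, a `return 1` from `check_http_challenge` on the following line ends the script with the new domains still serving those placeholder certificates (presumably self-signed, per the "dummy" naming — confirm in ensure-dummy-certs.sh). That is expected for the HTTP-01 flow, but an operator reading only the log would not know to check `DUMMY_DOMAINS` after an abort. I would add a comment above the reload: `# From here on, the domains in DUMMY_DOMAINS are served with placeholder certs until real ones are issued; they stay in place if a later step aborts.` `DUMMY_DOMAINS` is captured here but not consumed within the hunk.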