This commit is contained in:
2026-05-19 10:21:45 +08:00
parent ed72a62687
commit d435f3e37f


@@ -3,6 +3,11 @@ set -eu
# Add certificates for new domains on an already running OpenResty gateway. # Add certificates for new domains on an already running OpenResty gateway.
# This flow is separate from init-certs-core.sh and never restarts containers. # This flow is separate from init-certs-core.sh and never restarts containers.
# Order matters:
# 1. Ensure nginx configs exist for the new domains.
# 2. Create temporary dummy certificates for SSL configs that do not have certs yet.
# 3. Reload OpenResty so the new HTTP-01 challenge routes are active.
# 4. Probe the challenge routes, request real certificates, then reload again.
CERT_ROOT="./certs/live" CERT_ROOT="./certs/live"
ROOT_DIR="$(CDPATH= cd -- "$(dirname -- "$0")/.." && pwd)" ROOT_DIR="$(CDPATH= cd -- "$(dirname -- "$0")/.." && pwd)"
@@ -97,12 +102,14 @@ check_http_challenge() {
for domain in $DOMAINS; do for domain in $DOMAINS; do
url="http://$domain/$HTTP_PROBE_PATH" url="http://$domain/$HTTP_PROBE_PATH"
local_url="http://127.0.0.1/$HTTP_PROBE_PATH"
echo "Checking local HTTP-01 route for $domain..." echo "Checking local HTTP-01 route for $domain..."
if ! body="$(curl -fsS --max-time 5 --resolve "$domain:80:127.0.0.1" "$url" 2>&1)"; then if ! body="$(curl -fsS --noproxy '*' --max-time 5 -H "Host: $domain" "$local_url" 2>&1)"; then
echo "Error: OpenResty is not serving the challenge path for $domain on local port 80." >&2 echo "Error: OpenResty is not serving the challenge path for $domain on local port 80." >&2
echo "Tried: $url via 127.0.0.1" >&2 echo "Tried: $local_url with Host: $domain" >&2
echo "$body" >&2 echo "$body" >&2
echo "Hint: an empty reply usually means the request hit the default deny server, so verify OpenResty loaded the domain config." >&2
return 1 return 1
fi fi
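Review bot: The rewritten local probe now interpolates `$domain` into a raw request header (`-H "Host: $domain"`) as well as into `$url`, but nothing in the loop checks that the value is a plain hostname before it is used; a stray entry in `DOMAINS` (whitespace-split, so a typo or an unexpected character survives) would be passed to curl verbatim and could yield a misleading "default deny" diagnostic rather than an obvious configuration error. A cheap guard at the top of the loop body makes the failure explicit: `case "$domain" in ''|*[!A-Za-z0-9.-]*) echo "Error: invalid domain in DOMAINS: '$domain'" >&2; return 1 ;; esac`. The same `$domain` is reused for the public probe in the following hunk, so one check covers both. check_http_challenge begins and ends outside this hunk.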
@@ -119,7 +126,7 @@ check_http_challenge() {
fi fi
echo "Checking public HTTP-01 route for $domain..." echo "Checking public HTTP-01 route for $domain..."
if ! body="$(curl -fsS --max-time 10 "$url" 2>&1)"; then if ! body="$(curl -fsS --noproxy '*' --max-time 10 "$url" 2>&1)"; then
echo "Error: $domain is not reachable on public HTTP port 80." >&2 echo "Error: $domain is not reachable on public HTTP port 80." >&2
echo "Tried: $url" >&2 echo "Tried: $url" >&2
echo "$body" >&2 echo "$body" >&2
@@ -211,8 +218,10 @@ if [ "$conf_error" -ne 0 ]; then
fi fi
export DOMAINS CERT_ROOT export DOMAINS CERT_ROOT
echo "Ensuring temporary certificates exist before loading any new SSL configs..."
DUMMY_DOMAINS="$(sh "$ROOT_DIR/scripts/ensure-dummy-certs.sh")" DUMMY_DOMAINS="$(sh "$ROOT_DIR/scripts/ensure-dummy-certs.sh")"
echo "Reloading OpenResty so new domain configs can serve HTTP-01 challenges..."
reload_openresty reload_openresty
check_http_challenge check_http_challenge