fix(npm): IT API TLS helper + treat certificate_id string 0 as missing
All checks were successful
Deploy to Phoenix / deploy (push) Successful in 6s
- jq select includes certificate_id == "0" for NPM JSON quirks
- request-it-api-tls-npm.sh wraps CERT_DOMAINS_FILTER for it-api.sankofa.nexus
- Docs: TLS command, Cloudflare redirect-loop note; spec remaining items

Made-with: Cursor
9
scripts/deployment/request-it-api-tls-npm.sh
Executable file
9
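--- a/scripts/deployment/request-it-api-tls-npm.sh
+++ b/scripts/deployment/request-it-api-tls-npm.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+# Request Let's Encrypt via NPMplus for it-api.sankofa.nexus and assign to proxy host.
+# Requires NPM_* in repo .env. Same as:
+# CERT_DOMAINS_FILTER='it-api\.sankofa\.nexus' bash scripts/request-npmplus-certificates.sh
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+export CERT_DOMAINS_FILTER='it-api\.sankofa\.nexus'
+exec bash "${PROJECT_ROOT}/scripts/request-npmplus-certificates.sh" "$@"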
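Review bot: The pattern on the `export CERT_DOMAINS_FILTER=...` line is unanchored, so if request-npmplus-certificates.sh applies it as a regular-expression search (how it is used is not visible here), any longer host name containing `it-api.sankofa.nexus` would also be picked up for a certificate request. If the wrapper is meant to cover exactly one host, anchoring keeps it scoped: `export CERT_DOMAINS_FILTER='^it-api\.sankofa\.nexus$'`. A one-line comment saying that a caller-supplied CERT_DOMAINS_FILTER is deliberately overridden would also help the next reader.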
@@ -67,7 +67,7 @@ echo ""
|
||||
# Authenticate (use jq to build JSON so password is safely escaped)
|
||||
log_info "Authenticating to NPMplus API..."
|
||||
AUTH_JSON=$(jq -n --arg identity "$NPM_EMAIL" --arg secret "$NPM_PASSWORD" '{identity:$identity,secret:$secret}')
|
||||
TOKEN_RESPONSE=$(curl -s -k -X POST "$NPM_URL/api/tokens" \
|
||||
TOKEN_RESPONSE=$(curl -s -k -L --http1.1 --connect-timeout 15 --max-time "${NPM_CURL_MAX_TIME:-180}" -X POST "$NPM_URL/api/tokens" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "$AUTH_JSON")
|
||||
|
||||
@@ -87,7 +87,7 @@ echo ""
|
||||
|
||||
# Get all proxy hosts
|
||||
log_info "Fetching proxy hosts..."
|
||||
PROXY_HOSTS_JSON=$(curl -s -k -X GET "$NPM_URL/api/nginx/proxy-hosts" \
|
||||
PROXY_HOSTS_JSON=$(curl -s -k -L --http1.1 --connect-timeout 15 --max-time "${NPM_CURL_MAX_TIME:-300}" -X GET "$NPM_URL/api/nginx/proxy-hosts" \
|
||||
-H "Authorization: Bearer $TOKEN" \
|
||||
-H "Content-Type: application/json")
|
||||
|
||||
@@ -101,7 +101,7 @@ if [ "$PROXY_COUNT" = "0" ]; then
|
||||
fi
|
||||
|
||||
# Build list of hosts that need a certificate (id|domain, one per line)
|
||||
NEED_CERT_LIST=$(echo "$PROXY_HOSTS_JSON" | jq -r '.[] | select(.certificate_id == null or .certificate_id == 0) | "\(.id)|\(.domain_names[0] // "")"' 2>/dev/null | while IFS='|' read -r id domain; do
|
||||
NEED_CERT_LIST=$(echo "$PROXY_HOSTS_JSON" | jq -r '.[] | select(.certificate_id == null or .certificate_id == 0 or .certificate_id == "0") | "\(.id)|\(.domain_names[0] // "")"' 2>/dev/null | while IFS='|' read -r id domain; do
|
||||
[ -z "$domain" ] || [ "$domain" = "null" ] && continue
|
||||
echo "$domain" | grep -q "test.*example.com" && continue
|
||||
echo "${id}|${domain}"
|
||||
@@ -133,7 +133,7 @@ fi
|
||||
# Try to get DNS (Cloudflare) credential_id so we use same method as UI (DNS challenge)
|
||||
CREDENTIAL_ID=""
|
||||
for path in "/api/nginx/letsencrypt-credentials" "/api/letsencrypt-credentials"; do
|
||||
CRED_JSON=$(curl -s -k -X GET "$NPM_URL$path" -H "Authorization: Bearer $TOKEN" 2>/dev/null || echo "[]")
|
||||
CRED_JSON=$(curl -s -k -L --http1.1 --connect-timeout 15 --max-time "${NPM_CURL_MAX_TIME:-180}" -X GET "$NPM_URL$path" -H "Authorization: Bearer $TOKEN" 2>/dev/null || echo "[]")
|
||||
if echo "$CRED_JSON" | jq -e 'type == "array" and length > 0' >/dev/null 2>&1; then
|
||||
CREDENTIAL_ID=$(echo "$CRED_JSON" | jq -r '.[0].id // .[0].credential_id // empty' 2>/dev/null)
|
||||
[ -n "$CREDENTIAL_ID" ] && [ "$CREDENTIAL_ID" != "null" ] && break
|
||||
@@ -158,7 +158,7 @@ while IFS='|' read -r host_id domain; do
|
||||
# Request certificate. NPM API accepts only domain_names + provider (extra keys cause "must NOT have additional properties").
|
||||
# For DNS (Cloudflare) and correct expiry, request certs in NPM UI: Hosts → host → SSL → Request new SSL Certificate → DNS Challenge, Cloudflare.
|
||||
log_info " Requesting SSL certificate..."
|
||||
CERT_RESPONSE=$(curl -s -k -X POST "$NPM_URL/api/nginx/certificates" \
|
||||
CERT_RESPONSE=$(curl -s -k -L --http1.1 --connect-timeout 15 --max-time "${NPM_CURL_MAX_TIME:-180}" -X POST "$NPM_URL/api/nginx/certificates" \
|
||||
-H "Authorization: Bearer $TOKEN" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "$(jq -n --arg domain "$domain" '{ domain_names: [$domain], provider: "letsencrypt" }')")
|
||||
@@ -175,7 +175,7 @@ while IFS='|' read -r host_id domain; do
|
||||
|
||||
# Update proxy host to use certificate
|
||||
log_info " Assigning certificate to proxy host..."
|
||||
UPDATE_RESPONSE=$(curl -s -k -X PUT "$NPM_URL/api/nginx/proxy-hosts/$host_id" \
|
||||
UPDATE_RESPONSE=$(curl -s -k -L --http1.1 --connect-timeout 15 --max-time "${NPM_CURL_MAX_TIME:-180}" -X PUT "$NPM_URL/api/nginx/proxy-hosts/$host_id" \
|
||||
-H "Authorization: Bearer $TOKEN" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "{
|
||||
|
||||
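Review bot: The credential-bearing curl calls keep `-k` and now also follow redirects with `-L` (the longer line of each printed pair, which appears to be the new side since the page has lost its +/- markers), so the login body built from NPM_EMAIL/NPM_PASSWORD and the Bearer token are sent to an endpoint whose certificate is never verified, and a 307/308 response would make curl repeat the POST body at whatever Location it is given. This applies to the `/api/tokens` call and equally to the proxy-hosts, letsencrypt-credentials, certificates and PUT calls in the later hunks. I would replace `-k` with `--cacert <path-to-NPMplus-CA>` (placeholder path) and either leave `-L` off the token request or bound it with `--proto-redir =https --max-redirs 3`. The surrounding script, including the rest of the PUT body after `-d "{`, lies outside the hunks shown.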