fix(ssl): skip le renewal on alias-domain change for non-le sites#488
Open
mrrobot47 wants to merge 1 commit into
Open
fix(ssl): skip le renewal on alias-domain change for non-le sites#488mrrobot47 wants to merge 1 commit into
mrrobot47 wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Adding/removing alias domains on a non-LE SSL site (
custom/self/inherit) hard-errored.update_alias_domains()unconditionally callsssl_renew()for any SSL-enabled site, andrenew_ssl_cert()doesEE::error('Only Letsencrypt certificate renewal is supported.'). BecauseEE::error()exits, the operation aborted after docker-compose was regenerated and containers restarted with the new alias config, but before the DB was updated — leaving container and DB state inconsistent (and with no revert, sinceEE::errordoesn't throw).Fix
Only call
ssl_renew()whensite_ssl === 'le'(the LE path is unchanged, byte-for-byte). Forcustom, warn that the user must supply a cert covering the new alias set; forself/inherit, log that no cert action is needed. The alias-domain update now completes for all SSL types.Note
With the hard error gone, execution now reaches the existing
revokeCertificates($old_certs)for non-LE sites.$old_certsis loaded from the ACME repository, so it is empty (a no-op) for a normal custom site; in the edge case where stale LE artifacts exist for the same domains, those unused certs are revoked — consistent with the line's "revoke old certificate which will not be used" intent.Testing
Manual: create a
--ssl=customsite, runee site update <site> --add-alias-domains=foo.test→ completes with the custom-cert warning (previously: hard error). LE sites still force-renew exactly as before.