feat(vm201): wildcard *.roa auto-renew via cPanel DNS-01 hook

Fix for the expired wildcard cert *.roa.romfast.ro (incident 2026-05-31):
the renewal was a [Manual] DNS-01 one and was not run from the Scheduled Task -> 61 errors
-> expired. The Dokploy subdomains (efactura.roa etc.) returned
ERR_CERT_DATE_INVALID.

- cpanel-acme-dns.ps1: win-ACME DNS-01 hook (cPanel UAPI mass_edit_zone,
  ZoneEdit fallback) that adds/removes the _acme-challenge TXT record automatically
- cpanel-dns.config.example.json: template (the real token is gitignored)
- monitor-ssl-certificates.sh: sentinel efactura.roa (wildcard) + alert
  instead of auto-renew via guest-exec (disabled)
- README + cert doc: cPanel DNS-01 flow + OpenSSH access to VM 201

New renewal roa-wildcard-cpanel, automatic, due 2026-08-19; the old [Manual]
one cancelled. Live cert valid until 2026-09-23.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude Agent
2026-06-25 13:23:54 +00:00
parent e8d1889364
commit a41e9d81cf
6 changed files with 305 additions and 3 deletions
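Added example, not code from this repository: a small bash fragment showing the two decisions the monitor described above has to make for each entry, mapping a win-acme site ID to "renew" or "alert" (the `WILDCARD` sentinel gets an alert only, since the DNS-01 renewal runs elsewhere), and turning an `openssl x509 -noout -enddate` line into days-to-expiry. It assumes a Linux host with GNU `date -d` (as on Proxmox); the function names, the two-entry arrays and the sample `notAfter=` line are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not the project's monitor-ssl-certificates.sh).
set -u

# Parallel arrays, as the monitor uses them. Their only link is position,
# so a length check is the minimum guard against a silently shifted mapping.
DOMAINS=("roa.romfast.ro" "efactura.roa.romfast.ro")   # constructed sample
SITE_IDS=(1 "WILDCARD")                                 # constructed sample

arrays_aligned() {
    [ "${#DOMAINS[@]}" -eq "${#SITE_IDS[@]}" ]
}

# Map a site ID to the action the monitor is allowed to take:
#   renew   - numeric win-acme site id (HTTP-01, reinstall on the IIS site)
#   alert   - WILDCARD sentinel: DNS-01 cert renewed by the cPanel hook, only notify
#   unknown - anything else, so a typo is not treated as a renewable site
action_for() {
    case "$1" in
        WILDCARD)     echo alert ;;
        ''|*[!0-9]*)  echo unknown ;;
        *)            echo renew ;;
    esac
}

# Parse "notAfter=Sep 23 12:00:00 2026 GMT" (openssl x509 -enddate output)
# and print whole days until expiry relative to $2 (epoch seconds, default now).
days_left() {
    local end="${1#notAfter=}" now="${2:-$(date -u +%s)}" exp
    exp=$(date -u -d "$end" +%s) || return 1
    echo $(( (exp - now) / 86400 ))
}

# Stand-alone run: walk the sample entries and print the decision for each.
main() {
    arrays_aligned || { echo "DOMAINS/SITE_IDS length mismatch" >&2; exit 1; }
    local i
    for i in "${!DOMAINS[@]}"; do
        echo "${DOMAINS[$i]} -> $(action_for "${SITE_IDS[$i]}")"
    done
    echo "sample cert: $(days_left 'notAfter=Sep 23 12:00:00 2026 GMT') days left"
}
[ "${BASH_SOURCE[0]}" = "$0" ] && main
```

Matching the literal `WILDCARD` rather than "anything non-numeric" keeps a misspelled site ID from being reported as the wildcard; the second argument of `days_left` exists only so the expiry arithmetic can be checked against a fixed clock.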


@@ -13,15 +13,22 @@ LOG_FILE="/var/log/ssl-monitor.log"
EMAIL_TO="root" # Proxmox trimite la adresa configurata
# Domenii de verificat
# NOTA: efactura.roa.romfast.ro este un SENTINEL pentru certificatul wildcard
# *.roa.romfast.ro. Wildcardul nu poate fi testat direct, asa ca verificam
# un subdomeniu real acoperit de el. Site ID "WILDCARD" => doar ALERTA,
# fara auto-renew (wildcardul e DNS-01, reinnoit de cpanel-acme-dns.ps1 pe
# VM 201; auto-renew prin guest-exec nu mai functioneaza - exec dezactivat).
# Context: incident expirare wildcard 2026-05-31 (vezi README VM 201).
DOMAINS=(
"roa.romfast.ro"
"dokploy.romfast.ro"
"gitea.romfast.ro"
"roa2web.romfast.ro"
"efactura.roa.romfast.ro"
)
# Site IDs pentru fiecare domeniu (in aceeasi ordine)
SITE_IDS=(1 2 3 4)
SITE_IDS=(1 2 3 4 "WILDCARD")
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
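Review bot: the sentinel is appended as a fifth entry to two parallel arrays, DOMAINS and SITE_IDS, whose only link is position, so a later edit to one of them silently shifts every site ID after it and a numeric ID could end up paired with the wildcard domain (or "WILDCARD" with an HTTP-01 site). Add a guard next to the declarations, e.g. `[ "${#DOMAINS[@]}" -eq "${#SITE_IDS[@]}" ] || { log "DOMAINS/SITE_IDS length mismatch"; exit 1; }`, or key a single associative array by domain so the pairing is explicit.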
@@ -52,6 +59,14 @@ force_renew_certificate() {
local site_id=$1
local domain=$2
# Wildcard (*.roa) = DNS-01, reinnoit automat de cpanel-acme-dns.ps1 pe VM 201.
# Nu incercam auto-renew aici (nu e HTTP-01/siteid si guest-exec e dezactivat) -
# doar semnalam ca a expirat ca sa intervina cineva pe VM 201.
if ! [[ "$site_id" =~ ^[0-9]+$ ]]; then
log "ALERTA: $domain (wildcard *.roa) necesita interventie manuala pe VM 201 - verifica renewal-ul win-acme cu validare cPanel (cpanel-acme-dns.ps1)"
return 1
fi
log "Fortez reinstalare certificat pentru $domain (Site ID: $site_id)..."
# Executa pe VM 201 prin Proxmox guest agent
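Review bot: the guard `if ! [[ "$site_id" =~ ^[0-9]+$ ]]` treats every non-numeric site ID as the *.roa wildcard and the log line hardcodes that name, so a typo in SITE_IDS or a second sentinel added later would be reported as "wildcard *.roa" and never renewed; match the literal value instead (`if [[ "$site_id" == "WILDCARD" ]]`), reject other non-numeric IDs with their own message, and use `$domain` rather than a fixed name in the alert. The comment above the check also states that guest-exec is disabled, yet the numeric path still falls through to "Executa pe VM 201 prin Proxmox guest agent"; either gate that path on the same condition or log what outcome the operator should expect when it fails.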