changeset 2117:1e247cd012ee ssltesting

use site_dir/ssl for all ssl related files; raise error() on empty acme-tiny output.
author Violet7
date Tue, 06 Jan 2026 09:01:44 -0800
parents 059afc92310b
children 4253d6dfd737
files host/renewSsl.sh host/startup/nginx/nginx.conf.luan src/luan/host/Https.luan
diffstat 3 files changed, 12 insertions(+), 10 deletions(-) [+]
--- a/host/renewSsl.sh	Mon Jan 05 14:02:55 2026 -0700
+++ b/host/renewSsl.sh	Tue Jan 06 09:01:44 2026 -0800
@@ -26,7 +26,7 @@
 		SSLDIR="$SITEROOT/ssl"
 		CSRFILE="$SSLDIR/$DOMAIN.csr"
 		FULLCHAIN="$SSLDIR/fullchain.cer"
-		CHALLENGEDIR="$SITEROOT/.well-known/acme-challenge"
+		CHALLENGEDIR="$SSLDIR/.well-known/acme-challenge"
 		TMPOUT="$SSLDIR/$DOMAIN.crt.tmp"
 		echo "Processing domain: $DOMAIN"
 
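Review bot: The new CHALLENGEDIR ends in `ssl/.well-known/acme-challenge`, but the nginx location in this same changeset serves `/.well-known/acme-challenge/` from `sites/$host/ssl/acme-challenge/` and Https.luan writes challenges to `ssl/acme-challenge/`, so the extra `.well-known/` segment means tokens placed by this script would not be found at the URL the validator requests, unless this script is paired with a different nginx config I cannot see. Suggest `CHALLENGEDIR="$SSLDIR/acme-challenge"` so the three paths agree. The enclosing loop or function starts before this hunk.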
--- a/host/startup/nginx/nginx.conf.luan	Mon Jan 05 14:02:55 2026 -0700
+++ b/host/startup/nginx/nginx.conf.luan	Tue Jan 06 09:01:44 2026 -0800
@@ -27,11 +27,15 @@
 		include nginx.default.conf;
 
 		location /.well-known/acme-challenge/ {
-			alias <%=rootDir%>/sites/$host/acme-challenge/;
+			# $host/ssl does not exist for non-ssl sites and requests to here
+			# will fail with 404 for those sites, which is what we want
+			alias <%=rootDir%>/sites/$host/ssl/acme-challenge/;
 			autoindex on;
 		}
 	}
 
-	include <%=rootDir%>/sites/*/nginx.ssl.conf;
+	# glob pattern returns no results for site dirs that don't have 
+	# the ssl/ subdir, so this is ok
+	include <%=rootDir%>/sites/*/ssl/nginx.ssl.conf;
 }
 <%
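Review bot: `autoindex on;` survives in the acme-challenge location, which now aliases into the same `ssl/` tree that holds each site's `$domain.key` and CSR; the alias maps only the `acme-challenge/` subdirectory, so the key is not reachable through it, but the listing still discloses pending validation tokens and, as far as I know, the ACME validator only fetches specific token paths and never needs an index. Suggest `autoindex off;` (or dropping the directive) and a comment above the alias such as `# only the acme-challenge/ subdir may be exposed; ssl/ itself holds the private key` so a later edit does not widen the alias. The surrounding server block starts before this hunk.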
--- a/src/luan/host/Https.luan	Mon Jan 05 14:02:55 2026 -0700
+++ b/src/luan/host/Https.luan	Tue Jan 06 09:01:44 2026 -0800
@@ -24,17 +24,16 @@
 local my_ips = Io.my_ips()
 
 local function get_files(domain,site_dir)
-	-- TODO: implement this later
-	local ssl_files_dir = site_dir--.child("ssl/")
-	-- ssl_files_dir.mkdir()
+	local ssl_files_dir = site_dir.child("ssl/")
+	ssl_files_dir.mkdir()
 
 	return {
-		nginx_file = site_dir.child("nginx.ssl.conf")
+		nginx_file = ssl_files_dir.child("nginx.ssl.conf")
 		key_file = ssl_files_dir.child(domain..".key")
 		local_cer_file = ssl_files_dir.child("fullchain.cer")
 		csr_file = ssl_files_dir.child(domain..".csr")
 		tmp_cert_out = ssl_files_dir.child(domain..".crt.tmp")
-		acme_challenges = site_dir.child("acme-challenge/")
+		acme_challenges = ssl_files_dir.child("acme-challenge/")
 	}
 end
 
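Review bot: `ssl_files_dir.mkdir()` discards its result, so if Luan's `mkdir` reports failure by return value rather than by raising (the Io implementation is not visible here), a site whose `ssl/` could not be created proceeds to key generation and fails later with a less specific error. `get_files` also becomes a side-effecting call for what reads as a pure path builder, and the directory it creates is about to hold `domain..".key"`. Suggest checking the result and documenting the side effect on the function, e.g. `-- side effect: creates site_dir/ssl/, which holds the private key; nginx only aliases its acme-challenge/ subdir`.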
@@ -111,9 +110,8 @@
 
 	-- Empty stdout from acme-tiny is a failure.
 	if files.tmp_cert_out.length() == 0 then
-		-- TODO: this should fail non-gracefully,
-		-- all failures here are almost certainly bugs.
 		logger.error("FAILED getting cert from letsencrypt.\nSee previous output.\nNot writing to fullchain.cer")
+		error("FAILED getting cert from letsencrypt.\nSee log output.\nNot writing to fullchain.cer")
 	else
 		-- Success! Move the temp output to the real fullchain.
 		local local_cer_file_str = files.local_cer_file.canonical().to_string()
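Review bot: The failure branch now reports the same condition twice with diverging text (`See previous output.` versus `See log output.`), and the zero-byte `tmp_cert_out` that triggered the branch is left behind in `ssl/` when `error()` unwinds, since only the else branch moves it. Suggest a single message in a local, logged once and then raised, removing the empty temp file before the raise: `local msg = "FAILED getting cert from letsencrypt.\nSee log output.\nNot writing to fullchain.cer"`, `logger.error(msg)`, `error(msg)`. The enclosing function starts before this hunk.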