Skip to content

Fix site deletion when ssl is not issued #447

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Sep 2, 2025
Merged

Fix site deletion when ssl is not issued #447

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
19100f1
fix(site): improve SSL error handling and warnings
mrrobot47 Sep 2, 2025
87c7140
fix(site): enhance error handling for SSL challenges
mrrobot47 Sep 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
65 changes: 42 additions & 23 deletions src/helper/Site_Letsencrypt.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,18 +77,20 @@ public function revokeAuthorizationChallenge(AuthorizationChallenge $challenge)
]]
];

$client = $this->getHttpClient();
$resourceUrl = $this->getResourceUrl(ResourcesDirectory::NEW_ORDER);
$response = $client->request('POST', $resourceUrl, $client->signKidPayload($resourceUrl, $this->getResourceAccount(), $payload));
if (!isset($response['authorizations']) || !$response['authorizations']) {
throw new ChallengeNotSupportedException();
$client = $this->getHttpClient();
$resourceUrl = $this->getResourceUrl( ResourcesDirectory::NEW_ORDER );
$response = $client->request( 'POST', $resourceUrl, $client->signKidPayload( $resourceUrl, $this->getResourceAccount(), $payload ) );
if ( ! isset( $response['authorizations'] ) || ! $response['authorizations'] ) {
\EE::warning( 'Challenge not supported for domain' );

return false;
}

$orderEndpoint = $client->getLastLocation();
foreach ($response['authorizations'] as $authorizationEndpoint) {
$authorizationsResponse = $client->request('POST', $authorizationEndpoint, $client->signKidPayload($authorizationEndpoint, $this->getResourceAccount(), [ 'status' => 'deactivated' ]));
}
return;
return true;
}
}

Expand Down Expand Up @@ -207,9 +209,10 @@ public function authorize( Array $domains, $wildcard = false, $preferred_challen
$order = $this->client->requestOrder( $domains );
} catch ( \Exception $e ) {
\EE::warning( 'It seems you\'re in local environment or using non-public domain, please check logs. Skipping letsencrypt.' );
throw $e;
}
\EE::log( 'You can fix the issue and re-run: ee site ssl-verify ' . $domains[0] );

return false;
}
$authorizationChallengesToSolve = [];
foreach ( $order->getAuthorizationsChallenges() as $domainKey => $authorizationChallenges ) {
$authorizationChallenge = null;
Expand All @@ -223,12 +226,14 @@ public function authorize( Array $domains, $wildcard = false, $preferred_challen
\EE::debug( 'Authorization challenge supported by solver. Solver: ' . $solverName . ' Challenge: ' . $candidate->getType() );
break;
}
// Should not get here as we are handling it.
\EE::debug( 'Authorization challenge not supported by solver. Solver: ' . $solverName . ' Challenge: ' . $candidate->getType() );
\EE::debug( print_r( $candidate, true ) );
}
if ( null === $authorizationChallenge ) {
throw new ChallengeNotSupportedException();
\EE::warning( 'Challenge not supported for domain ' . $domainKey );
\EE::log( 'You can fix the issue and re-run: ee site ssl-verify ' . $domainKey );

return false;
}
\EE::debug( 'Storing authorization challenge. Domain: ' . $domainKey . ' Challenge: ' . print_r( $authorizationChallenge->toArray(), true ) );

Expand Down Expand Up @@ -367,29 +372,37 @@ public function check( Array $domains, $wildcard = false, $preferred_challenge =
}
}
if ( null === $authorizationChallenge ) {
throw new ChallengeNotSupportedException();
\EE::warning( 'Challenge not supported for domain' );

return false;
}
} else {
if ( ! $this->repository->hasDomainAuthorizationChallenge( $domain ) ) {
\EE::error( "Domain: $domain not yet authorized/has not been started of with EasyEngine letsencrypt site creation." );
}
$authorizationChallenge = $this->repository->loadDomainAuthorizationChallenge( $domain );
if ( ! $solver->supports( $authorizationChallenge ) ) {
throw new ChallengeNotSupportedException();
\EE::warning( 'Challenge not supported for domain' );

return false;
}
}
\EE::debug( 'Challenge loaded.' );

$authorizationChallenge = $this->client->reloadAuthorization( $authorizationChallenge );
if ( ! $authorizationChallenge->isValid() ) {
\EE::debug( sprintf( 'Testing the challenge for domain %s', $domain ) );
if ( ! $validator->isValid( $authorizationChallenge ) ) {
throw new \Exception( sprintf( 'Can not validate challenge for domain %s', $domain ) );
}

\EE::debug( sprintf( 'Requesting authorization check for domain %s', $domain ) );
try {
\EE::debug( sprintf( 'Testing the challenge for domain %s', $domain ) );
if ( ! $validator->isValid( $authorizationChallenge ) ) {
\EE::warning( 'Can not validate challenge for domain ' . $domain );
\EE::log( 'You can fix the issue and re-run: ee site ssl-verify ' . $domain );

return false;
}

\EE::debug( sprintf( 'Requesting authorization check for domain %s', $domain ) );
$this->client->challengeAuthorization( $authorizationChallenge );
$authorizationChallengeToCleanup[] = $authorizationChallenge;
} catch ( \Exception $e ) {
\EE::debug( $e->getMessage() );
\EE::warning( 'Challenge Authorization failed. Check logs and check if your domain is pointed correctly to this server.' );
Expand All @@ -398,9 +411,9 @@ public function check( Array $domains, $wildcard = false, $preferred_challenge =
$site_name = str_replace( '*.', '', $site_name );

\EE::log( "Re-run `ee site ssl-verify $site_name` after fixing the issue." );
throw $e;

return false;
}
$authorizationChallengeToCleanup[] = $authorizationChallenge;
}
}

Expand Down Expand Up @@ -581,7 +594,7 @@ private function executeRenewal( $domain, array $alternativeNames, $force = fals
)
);

return;
return true;
}

\EE::log(
Expand Down Expand Up @@ -627,12 +640,18 @@ private function executeRenewal( $domain, array $alternativeNames, $force = fals
\EE::warning( 'A critical error occured during certificate renewal' );
\EE::debug( print_r( $e, true ) );

throw $e;
\EE::warning( 'Challenge Authorization failed. Check logs and check if your domain is pointed correctly to this server.' );
\EE::log( 'You can fix the issue and re-run: ee site ssl-verify ' . $domains[0] );

return false;
} catch ( \Throwable $e ) {
\EE::warning( 'A critical error occured during certificate renewal' );
\EE::debug( print_r( $e, true ) );

throw $e;
\EE::warning( 'Challenge Authorization failed. Check logs and check if your domain is pointed correctly to this server.' );
\EE::log( 'You can fix the issue and re-run: ee site ssl-verify ' . $domains[0] );

return false;
}
}

Expand Down
43 changes: 25 additions & 18 deletions src/helper/class-ee-site.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1543,6 +1543,7 @@ protected function init_le( $site_url, $site_fs_path, $wildcard = false, $www_or
\EE::get_runner()->ensure_present_in_config( 'le-mail', $this->le_mail );
if ( ! $client->register( $this->le_mail ) ) {
$this->site_data['site_ssl'] = null;
\EE::warning( 'SSL registration failed.' );

return;
}
Expand All @@ -1553,6 +1554,9 @@ protected function init_le( $site_url, $site_fs_path, $wildcard = false, $www_or
$client->revokeAuthorizationChallenges( $domains );

if ( ! $client->authorize( $domains, $wildcard, $preferred_challenge ) ) {
$this->site_data['site_ssl'] = null;
\EE::warning( 'SSL authorization failed. Site will be created without SSL. You can fix the issue and re-run: ee site ssl-verify ' . $site_url );

return;
}
$api_key_absent = empty( get_config_value( 'cloudflare-api-key' ) );
Expand All @@ -1563,7 +1567,12 @@ protected function init_le( $site_url, $site_fs_path, $wildcard = false, $www_or
EE::log( 'Waiting for DNS entry propagation.' );
sleep( 10 );
}
$this->ssl_verify( [], [ 'force' => $force ], $www_or_non_www );
if ( ! $this->ssl_verify( [], [ 'force' => $force ], $www_or_non_www ) ) {
$this->site_data['site_ssl'] = null;
\EE::warning( 'SSL verification failed. You can fix the issue and re-run: ee site ssl-verify ' . $site_url );

return;
}
}
}

Expand Down Expand Up @@ -1603,6 +1612,7 @@ private function get_cert_domains( string $site_url, $wildcard, $www_or_non_www
* @param string Absolute path of site.
* @param string $site_container_path
*
*
* @return bool
*/
protected function check_www_or_non_www_domain( $site_url, $site_path, $site_container_path ): bool {
Expand Down Expand Up @@ -1679,29 +1689,24 @@ public function ssl_verify( $args = [], $assoc_args = [], $www_or_non_www = fals

$preferred_challenge = get_preferred_ssl_challenge( $domains );

try {
$client->check( $domains, $this->site_data['site_ssl_wildcard'], $preferred_challenge );
} catch ( \Exception $e ) {
if ( $called_by_ee && $api_key_absent ) {
throw $e;
}
if ( ! $client->check( $domains, $this->site_data['site_ssl_wildcard'], $preferred_challenge ) ) {
$is_solver_dns = ( $this->site_data['site_ssl_wildcard'] || 'dns' === $preferred_challenge ) ? true : false;
$api_key_present = ! empty( get_config_value( 'cloudflare-api-key' ) );

if ( $called_by_ee && ! $is_solver_dns && $api_key_present ) {
throw $e;
}

$warning = ( $is_solver_dns && $api_key_present ) ? "The dns entries have not yet propogated. Manually check: \nhost -t TXT _acme-challenge." . $this->site_data['site_url'] . "\nBefore retrying `ee site ssl " . $this->site_data['site_url'] . "`" : 'Failed to verify SSL: ' . $e->getMessage();
$warning = ( $is_solver_dns && $api_key_present )
? "The dns entries have not yet propogated. Manually check: \nhost -t TXT _acme-challenge." . $this->site_data['site_url'] . "\nBefore retrying `ee site ssl " . $this->site_data['site_url'] . "`"
: 'Failed to verify SSL.';

EE::warning( $warning );
EE::warning( sprintf( 'Check logs and retry `ee site ssl-verify %s` once the issue is resolved.', $this->site_data['site_url'] ) );

return;
return false;
}

$san = array_values( array_diff( $domains, [ $this->site_data['site_url'] ] ) );
$client->request( $this->site_data['site_url'], $san, $this->le_mail, $force );
if ( ! $client->request( $this->site_data['site_url'], $san, $this->le_mail, $force ) ) {
return false;
}

if ( ! $this->site_data['site_ssl_wildcard'] ) {
$client->cleanup();
Expand All @@ -1710,6 +1715,8 @@ public function ssl_verify( $args = [], $assoc_args = [], $www_or_non_www = fals
reload_global_nginx_proxy();

EE::success( 'SSL verification completed.' );

return true;
}

/**
Expand Down Expand Up @@ -2284,7 +2291,7 @@ public function sync( $args, $assoc_args ) {
*
* [--list]
* : List all available backups on remote.
*
*
* ## EXAMPLES
*
* # Backup a site
Expand All @@ -2296,7 +2303,7 @@ public function sync( $args, $assoc_args ) {
public function backup( $args, $assoc_args ) {
$args = auto_site_name( $args, 'site', __FUNCTION__ );
$this->site_data = get_site_info( $args, true, true, true );
$backup_restore = new Site_Backup_Restore();
$backup_restore = new Site_Backup_Restore();
$backup_restore->backup( $args, $assoc_args );
}

Expand All @@ -2315,15 +2322,15 @@ public function backup( $args, $assoc_args ) {
*
* # Restore latest backup of site.
* $ ee site restore example.com
*
*
* # Restore specific backup of site.
* $ ee site restore example.com --id=1737560626_2025-01-22-15-43-46
*
*/
public function restore( $args, $assoc_args ) {
$args = auto_site_name( $args, 'site', __FUNCTION__ );
$this->site_data = get_site_info( $args, true, true, true );
$backup_restore = new Site_Backup_Restore();
$backup_restore = new Site_Backup_Restore();
$backup_restore->restore( $args, $assoc_args );
}

Expand Down
Loading