deploy(M00-E): 补充Certbot证书检查

2026-06-15 16:42:42 +08:00
parent d9d51e9d67
commit 4cb3ab6529
19 changed files with 158 additions and 24 deletions
@@ -1,5 +1,18 @@
 #!/usr/bin/env bash
 set -euo pipefail

-curl -fsS --max-time 10 https://api.txyundm.cn/app-api/health
+domain="${QIPAI_DOMAIN:-api.txyundm.cn}"
+origin="https://${domain}"

+if command -v getent >/dev/null 2>&1; then
+  getent hosts "$domain" || true
+fi
+
+for path in /health /app-api/health /admin-api/health; do
+  url="${origin}${path}"
+  if curl -fsSIL --max-time 10 "$url" >/dev/null 2>&1; then
+    printf 'PASS: %s\n' "$url"
+  else
+    printf 'WARN: %s not reachable\n' "$url"
+  fi
+done
@@ -10,6 +10,7 @@
 | `repo-status.sh` | 检查固定仓库、分支、DIRTY/AHEAD/BEHIND/DIVERGED 状态。 |
 | `deploy-business.sh` | 克隆/更新仓库并生成 dry-run release manifest。 |
 | `domain-https.sh` | 检查固定 API 域名、Nginx 模板、站点启用状态、TLS 和健康端点。 |
+| `certbot.sh` | 检查 Certbot、证书文件、续期配置和 `certbot.timer`，输出人工签发/续期命令。 |
 | `backup.sh` | 生成 manifest-only 备份记录。 |
 | `restore.sh` | 输出人工恢复要求，不自动改动生产数据。 |
 | `rollback.sh` | 列出 release 回滚点。 |
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=lib.sh
+. "${SCRIPT_DIR}/lib.sh"
+
+qipai_certbot_status() {
+  local live_dir webroot_dir renewal_file
+  live_dir="/etc/letsencrypt/live/${QIPAI_DOMAIN}"
+  webroot_dir="/var/www/certbot"
+  renewal_file="/etc/letsencrypt/renewal/${QIPAI_DOMAIN}.conf"
+
+  qipai_info "certbot domain: ${QIPAI_DOMAIN}"
+  qipai_info "certbot webroot: ${webroot_dir}"
+  qipai_info "certificate live dir: ${live_dir}"
+
+  if command -v certbot >/dev/null 2>&1; then
+    qipai_pass "certbot: $(command -v certbot)"
+    certbot --version 2>/dev/null || true
+  else
+    qipai_warn "certbot not installed"
+  fi
+
+  if [ -d "$webroot_dir" ]; then
+    qipai_pass "webroot exists: ${webroot_dir}"
+  else
+    qipai_warn "webroot not found: ${webroot_dir}"
+  fi
+
+  if [ -f "${live_dir}/fullchain.pem" ] && [ -f "${live_dir}/privkey.pem" ]; then
+    qipai_pass "certificate files exist for ${QIPAI_DOMAIN}"
+    openssl x509 -in "${live_dir}/fullchain.pem" -noout -subject -issuer -dates 2>/dev/null || true
+  else
+    qipai_warn "certificate files not found for ${QIPAI_DOMAIN}"
+  fi
+
+  if [ -f "$renewal_file" ]; then
+    qipai_pass "renewal config exists: ${renewal_file}"
+  else
+    qipai_warn "renewal config not found: ${renewal_file}"
+  fi
+
+  if command -v systemctl >/dev/null 2>&1; then
+    systemctl is-enabled --quiet certbot.timer 2>/dev/null && qipai_pass "certbot.timer enabled" || qipai_warn "certbot.timer not enabled or not installed"
+    systemctl is-active --quiet certbot.timer 2>/dev/null && qipai_pass "certbot.timer active" || qipai_warn "certbot.timer not active"
+  else
+    qipai_warn "systemctl not available; certbot timer check skipped"
+  fi
+
+  qipai_info "manual issue command:"
+  qipai_info "sudo certbot certonly --webroot -w ${webroot_dir} -d ${QIPAI_DOMAIN}"
+  qipai_info "manual renewal dry-run:"
+  qipai_info "sudo certbot renew --dry-run"
+}
+
+if [ "${1:-}" = "--run" ]; then
+  qipai_certbot_status
+fi
@@ -4,6 +4,8 @@ set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # shellcheck source=lib.sh
 . "${SCRIPT_DIR}/lib.sh"
+# shellcheck source=certbot.sh
+. "${SCRIPT_DIR}/certbot.sh"

 qipai_domain_https_status() {
  local template_path nginx_available nginx_enabled
@@ -67,6 +69,8 @@ qipai_domain_https_status() {
    qipai_warn "curl not installed"
  fi

+  qipai_certbot_status
+
  qipai_info "manual install command after certificate is ready:"
  qipai_info "sudo install -m 0644 ${template_path} ${nginx_available} && sudo ln -sfn ${nginx_available} ${nginx_enabled} && sudo nginx -t && sudo systemctl reload nginx"
 }
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -euo pipefail

-QIPAI_DEPLOY_VERSION="${QIPAI_DEPLOY_VERSION:-0.1.1-m00-domain-https-check}"
+QIPAI_DEPLOY_VERSION="${QIPAI_DEPLOY_VERSION:-0.1.2-m00-certbot-check}"
 APP_ROOT="${APP_ROOT:-/opt/apps}"
 QIPAI_REPO_URL="${QIPAI_REPO_URL:-ssh://git@127.0.0.1:2222/panda/qipai.git}"
 QIPAI_PUBLIC_REPO_URL="${QIPAI_PUBLIC_REPO_URL:-ssh://git@git.txyundm.cn:2222/panda/qipai.git}"