- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands - CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround - CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check - NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere - MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates - LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference Co-authored-by: Cursor <cursoragent@cursor.com>
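#!/usr/bin/env bash
# Comprehensive fix for SSL Certificate Error 596
# This script performs a complete certificate regeneration and sync across cluster
# Usage: ./scripts/fix-ssl-596-comprehensive.sh [node_name|node_ip|all]

set -euo pipefail

# Resolve the script and project directories once (the original computed them
# twice). config/ip-addresses.conf is optional: the node table further down
# carries fallback addresses, so a missing file only produces a warning, and a
# file that fails to load is reported instead of being silently ignored.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
IP_CONFIG="${PROJECT_ROOT}/config/ip-addresses.conf"
if [[ -f "$IP_CONFIG" ]]; then
  # shellcheck source=/dev/null
  source "$IP_CONFIG" || printf 'warn: failed to load %s, using built-in defaults\n' "$IP_CONFIG" >&2
else
  printf 'warn: %s not found, using built-in default addresses\n' "$IP_CONFIG" >&2
fi

# Colors: stored as the literal escape text; log_* helpers interpret them on output.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
NC='\033[0m'
readonly RED GREEN YELLOW BLUE CYAN NC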
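# Print an informational line to stdout, prefixed with a blue [INFO] tag.
# Arguments: $* - message text. Only the colour codes go through %b (escape
# interpretation); the message itself is printed verbatim via %s, unlike
# 'echo -e' which also mangled backslashes inside the message.
log_info() { printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "$*"; }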
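# Print a success line to stdout, prefixed with a green [✓] tag.
# Arguments: $* - message text, printed verbatim (%s); colours expanded via %b.
log_success() { printf '%b[✓]%b %s\n' "$GREEN" "$NC" "$*"; }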
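# Print a warning line to stdout, prefixed with a yellow [⚠] tag.
# Arguments: $* - message text, printed verbatim (%s); colours expanded via %b.
log_warn() { printf '%b[⚠]%b %s\n' "$YELLOW" "$NC" "$*"; }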
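# Print an error line to stdout, prefixed with a red [✗] tag.
# Arguments: $* - message text, printed verbatim (%s); colours expanded via %b.
log_error() { printf '%b[✗]%b %s\n' "$RED" "$NC" "$*"; }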
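# Print a cyan section header of the form "=== text ===" to stdout.
# Arguments: $* - header text, printed verbatim (%s); colours expanded via %b.
log_header() { printf '%b=== %s ===%b\n' "$CYAN" "$*" "$NC"; }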
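# Node configuration: NODES[<name>]="<ip>:<root password>". ssh_node splits an
# entry on ':' (ip = text before the first ':', password = text after the last),
# so passwords must not contain ':'.
# Addresses honour config/ip-addresses.conf when it was sourced above, with LAN
# fallbacks otherwise. Passwords default to the clear-text values this script
# shipped with but can be overridden per node through PROXMOX_PASS_<NODE>, so
# the real credentials can be supplied from the environment instead of living
# in the repository.
declare -A NODES
NODES[ml110]="${PROXMOX_HOST_ML110:-192.168.11.10}:${PROXMOX_PASS_ML110:-password}"
NODES[r630-01]="${PROXMOX_HOST_R630_01:-192.168.11.11}:${PROXMOX_PASS_R630_01:-password}"
NODES[r630-02]="${PROXMOX_HOST_R630_02:-192.168.11.12}:${PROXMOX_PASS_R630_02:-password}"
# r630-03 / r630-04 take their addresses from IP_SERVICE_13 / IP_DEVICE_14 rather
# than PROXMOX_HOST_*; a single ${X:-default} is equivalent to the nested
# ${X:-${X:-...}} form.
NODES[r630-03]="${IP_SERVICE_13:-192.168.11.13}:${PROXMOX_PASS_R630_03:-L@kers2010}"
NODES[r630-04]="${IP_DEVICE_14:-192.168.11.14}:${PROXMOX_PASS_R630_04:-L@kers2010}"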
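# SSH helper
#######################################
# Run a command on a node as root, authenticating with the password taken from
# the NODES entry.
# Arguments: $1 - "<ip>:<password>" entry from NODES
#            $@ - command (and arguments) to run on the node; stdin is passed
#                 through, so callers may feed a script via a heredoc
# Returns:   exit status of ssh (i.e. of the remote command)
#######################################
ssh_node() {
  local node_info="$1"
  shift
  local node_ip="${node_info%%:*}"
  local node_pass="${node_info##*:}"
  # Hand the password to sshpass through the environment (-e reads SSHPASS)
  # rather than on the command line, so it is not visible in 'ps' output.
  # NOTE(review): StrictHostKeyChecking=no accepts unknown and *changed* host
  # keys without complaint, which removes the protection against a spoofed
  # node; a pinned known_hosts file or accept-new would be the safer setting.
  SSHPASS="$node_pass" sshpass -e ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 "root@${node_ip}" "$@"
}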
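#######################################
# Back up, regenerate and verify the Proxmox SSL certificates on one node over
# SSH, then probe its web interface from this host.
# Globals:   uses ssh_node and the log_* helpers
# Arguments: $1 - "<ip>:<password>" entry from NODES
#            $2 - optional node name used in messages (defaults to the IP)
# Outputs:   progress of the remote steps and local checks on stdout
# Returns:   0 on success; 1 if the node does not answer ping or the remote
#            script exits non-zero
#######################################
fix_node_comprehensive() {
  local node_info="$1"
  local node_name="${2:-}"
  local node_ip="${node_info%%:*}"
  local label="${node_name:-$node_ip}"
  local rv=0
  local http_code

  log_header "Comprehensive SSL Fix for ${label}"
  echo ""

  # Cheap reachability test before paying the SSH connect timeout.
  if ! ping -c 2 -W 2 "$node_ip" >/dev/null 2>&1; then
    log_error "Node ${node_ip} is NOT reachable"
    return 1
  fi

  log_info "Executing comprehensive SSL certificate fix..."
  echo ""

  # The quoted heredoc is sent verbatim to the remote bash (no local expansion).
  # Its status is captured with '|| rv=$?' so that a failing remote run reaches
  # the error branch below even when this function is called without '||'
  # under 'set -e' (a bare '$?' test after the command never ran in that case).
  ssh_node "$node_info" bash <<'ENDSSH' || rv=$?
set -e

echo "=== Step 1: Backup current certificates ==="
BACKUP_DIR="/root/ssl-backup-$(date +%Y%m%d_%H%M%S)"
mkdir -p "$BACKUP_DIR"
for f in /etc/pve/local/pve-ssl.key /etc/pve/local/pve-ssl.pem /etc/pve/pve-root-ca.pem; do
  if [ -f "$f" ]; then
    # Report the real outcome instead of claiming success when cp fails.
    if cp "$f" "$BACKUP_DIR/" 2>/dev/null; then
      echo "✓ Backed up ${f##*/}"
    else
      echo "⚠ Could not back up ${f##*/}"
    fi
  fi
done
echo "Backup location: $BACKUP_DIR"
echo ""

echo "=== Step 2: Stop Proxmox services ==="
systemctl stop pveproxy pvedaemon 2>/dev/null || true
sleep 2
echo "✓ Services stopped"
echo ""

echo "=== Step 3: Remove old certificate files ==="
# Only the .old leftovers are removed; the live key/pem are replaced in Step 4.
rm -f /etc/pve/local/pve-ssl.key.old /etc/pve/local/pve-ssl.pem.old
echo "✓ Old certificate files removed"
echo ""

echo "=== Step 4: Regenerate SSL certificates ==="
if ! command -v pvecm >/dev/null 2>&1; then
  echo "ERROR: pvecm command not found"
  exit 1
fi
echo "Running: pvecm updatecerts -f"
pvecm updatecerts -f 2>&1
echo "✓ Certificates regenerated"
echo ""

echo "=== Step 5: Verify certificate files exist ==="
if [ ! -f /etc/pve/local/pve-ssl.key ] || [ ! -f /etc/pve/local/pve-ssl.pem ]; then
  echo "ERROR: Certificate files not found after regeneration"
  exit 1
fi
echo "✓ Certificate files exist"
ls -la /etc/pve/local/pve-ssl.*
echo ""

echo "=== Step 6: Verify certificate validity ==="
if [ -f /etc/pve/pve-root-ca.pem ]; then
  echo "Root CA certificate dates:"
  openssl x509 -in /etc/pve/pve-root-ca.pem -noout -dates 2>/dev/null || echo "Could not read dates"
  echo ""
  echo "Node certificate dates:"
  openssl x509 -in /etc/pve/local/pve-ssl.pem -noout -dates 2>/dev/null || echo "Could not read dates"
  echo ""
  echo "Certificate chain verification:"
  openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem 2>&1 || echo "Verification failed"
fi
echo ""

echo "=== Step 7: Set correct permissions ==="
chmod 640 /etc/pve/local/pve-ssl.key
chmod 644 /etc/pve/local/pve-ssl.pem
chown root:www-data /etc/pve/local/pve-ssl.key
chown root:www-data /etc/pve/local/pve-ssl.pem
echo "✓ Permissions set"
echo ""

echo "=== Step 8: Start Proxmox services ==="
systemctl start pvedaemon
sleep 2
systemctl start pveproxy
sleep 3
echo "✓ Services started"
echo ""

echo "=== Step 9: Verify services are running ==="
if systemctl is-active --quiet pveproxy && systemctl is-active --quiet pvedaemon; then
  echo "✓ pveproxy: active"
  echo "✓ pvedaemon: active"
else
  echo "⚠ Some services may not be running properly"
  systemctl status pveproxy --no-pager -l | head -10 || true
  systemctl status pvedaemon --no-pager -l | head -10 || true
fi
echo ""

echo "=== Step 10: Test web interface locally ==="
# -k: the node serves its own cluster-CA certificate; this is a reachability
# probe, not a trust check.
HTTP_CODE=$(curl -k -s -o /dev/null -w "%{http_code}" https://localhost:8006/ 2>/dev/null || echo "000")
case "$HTTP_CODE" in
  200|401|302) echo "✓ Web interface is responding (HTTP $HTTP_CODE)" ;;
  *) echo "⚠ Web interface returned HTTP $HTTP_CODE" ;;
esac
echo ""

echo "=== Step 11: Check for worker exits ==="
# grep -c always prints a count (0 when nothing matches) but exits 1 on no
# match; '|| true' keeps set -e quiet without appending a second "0" to the
# value the way '|| echo 0' did.
WORKER_EXITS=$(journalctl -u pveproxy --since '1 minute ago' --no-pager 2>/dev/null | grep -c 'worker exit' || true)
if [ "${WORKER_EXITS:-0}" -eq 0 ]; then
  echo "✓ No worker exits in the last minute"
else
  echo "⚠ Found $WORKER_EXITS worker exit(s) in the last minute"
fi
echo ""
ENDSSH

  if (( rv != 0 )); then
    log_error "Comprehensive SSL fix failed for ${label}"
    return 1
  fi

  log_success "Comprehensive SSL fix completed for ${label}"

  # Test from remote (this host). -k again: the freshly generated certificate
  # is not expected to chain to a system-trusted CA.
  log_info "Testing web interface from remote..."
  sleep 3
  http_code=$(curl -k -s -o /dev/null -w "%{http_code}" --connect-timeout 5 "https://${node_ip}:8006/" 2>/dev/null || echo "000")
  case "$http_code" in
    200|401|302) log_success "Web interface is accessible at https://${node_ip}:8006" ;;
    *) log_warn "Web interface test returned HTTP $http_code" ;;
  esac

  echo ""
  echo "----------------------------------------"
  echo ""
}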
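# Determine target: a node name from NODES, a dotted IPv4 address present in
# NODES, or "all". Defaults to r630-02 when no argument is given.
TARGET="${1:-r630-02}"

# Associative-array iteration order is unspecified; sort the names once so
# "all" runs and the usage listing are deterministic.
mapfile -t NODE_NAMES < <(printf '%s\n' "${!NODES[@]}" | sort)

#######################################
# Print usage and the configured node table.
# Globals:   NODES (read), NODE_NAMES (read)
# Outputs:   usage text on stdout (callers redirect to stderr)
#######################################
usage() {
  local name
  echo "Usage: $0 [node_name|node_ip|all]"
  echo ""
  echo "Available nodes:"
  for name in "${NODE_NAMES[@]}"; do
    echo " - $name (${NODES[$name]%%:*})"
  done
  echo " - all (fix all nodes)"
}

if [[ "$TARGET" == "all" ]]; then
  log_info "Fixing SSL certificates on all Proxmox nodes..."
  echo ""
  # One failing node must not stop the others: swallow the status with a warning.
  for node_name in "${NODE_NAMES[@]}"; do
    fix_node_comprehensive "${NODES[$node_name]}" "$node_name" || log_warn "Failed to fix ${node_name}, continuing..."
  done
  log_success "All fix attempts complete!"
elif [[ -n "${NODES[$TARGET]:-}" ]]; then
  # Target is a node name
  fix_node_comprehensive "${NODES[$TARGET]}" "$TARGET"
elif [[ "$TARGET" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  # Target is an IP address - find the node whose configured address matches.
  found=false
  for node_name in "${NODE_NAMES[@]}"; do
    if [[ "${NODES[$node_name]%%:*}" == "$TARGET" ]]; then
      fix_node_comprehensive "${NODES[$node_name]}" "$node_name"
      found=true
      break
    fi
  done
  if [[ "$found" == "false" ]]; then
    log_error "Node with IP $TARGET not found in configuration"
    exit 1
  fi
else
  # Diagnostics go to stderr so they are not mistaken for script output.
  log_error "Invalid target: $TARGET" >&2
  echo "" >&2
  usage >&2
  exit 1
fi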
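echo ""
log_header "IMPORTANT: Browser Cache Clearing Required"
echo ""
log_warn "The SSL error 596 may persist in your browser due to cached certificate information."
echo ""
log_info "You MUST clear your browser cache and cookies:"
echo ""
log_info "Chrome/Edge:"
log_info " 1. Press Ctrl+Shift+Delete (or Cmd+Shift+Delete on Mac)"
log_info " 2. Select 'Cached images and files'"
log_info " 3. Select 'Cookies and other site data'"
log_info " 4. Time range: 'All time'"
log_info " 5. Click 'Clear data'"
echo ""
log_info "Firefox:"
log_info " 1. Press Ctrl+Shift+Delete (or Cmd+Shift+Delete on Mac)"
log_info " 2. Select 'Cached Web Content'"
log_info " 3. Select 'Cookies'"
log_info " 4. Time range: 'Everything'"
log_info " 5. Click 'Clear Now'"
echo ""
log_info "Alternative: Use Incognito/Private browsing mode to test"
echo ""
# TARGET may be a node name, an IP address or "all"; the URL needs the node's
# IP, so resolve names through NODES and list every node for "all".
if [[ "$TARGET" == "all" ]]; then
  log_info "After clearing cache, access each node:"
  for node_name in "${!NODES[@]}"; do
    log_info " - ${node_name}: https://${NODES[$node_name]%%:*}:8006"
  done
elif [[ -n "${NODES[$TARGET]:-}" ]]; then
  log_info "After clearing cache, access: https://${NODES[$TARGET]%%:*}:8006"
else
  log_info "After clearing cache, access: https://${TARGET%%:*}:8006"
fi
echo ""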