lilith-platform.live/infrastructure/scripts/dev-cert-refresh.sh

#!/usr/bin/env bash
# =============================================================================
# dev-cert-refresh.sh — Regenerate the unified mkcert wildcard for *.apricot.lan
# =============================================================================
# One cert covers every dev hostname under apricot.lan via SAN patterns. Adding
# a new dev subdomain that falls under an existing pattern requires NO cert
# work — just add the server block to infrastructure/Caddyfile.local with
# `import local_tls`.
#
# Re-run this script when:
# - You need a new SAN pattern (e.g. a new two-label suffix like *.example.apricot.lan)
# - The cert is approaching expiry (mkcert default is ~27 months)
# - The mkcert root CA was reinstalled (rootCA fingerprint changed)
#
# Caddy reloads automatically — the cert file path is referenced by the
# `(local_tls)` snippet in infrastructure/Caddyfile.local and Caddy watches it.
# =============================================================================
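set -euo pipefail

# Assignments are kept separate from `readonly` so a failing `cd` is not
# masked by readonly's own exit status and still trips `set -e`.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
CERT_DIR="$REPO_ROOT/infrastructure/certs"
CRT="$CERT_DIR/_wildcard.apricot.lan.crt"
KEY="$CERT_DIR/_wildcard.apricot.lan.key"
CADDYFILE="$REPO_ROOT/infrastructure/Caddyfile.local"
# Caddy binary used for the admin-API reload; override with CADDY_BIN=/path
# when caddy is installed somewhere other than ~/.local/bin.
CADDY_BIN="${CADDY_BIN:-$HOME/.local/bin/caddy}"
# Caddy admin endpoint the reload talks to (loopback only).
CADDY_ADMIN="127.0.0.1:2019"
readonly SCRIPT_DIR REPO_ROOT CERT_DIR CRT KEY CADDYFILE CADDY_BIN CADDY_ADMIN

# SAN patterns — edit this list when a new naming dimension appears.
# mkcert wildcards match exactly one label level, so multi-label suffixes
# (e.g. foo.bar.apricot.lan) need their own *.bar.apricot.lan entry.
SANS=(
  "*.apricot.lan"         # cocotte, sansonnet, quinn, etc.
  "*.quinn.apricot.lan"   # admin, ai, api, data, docs, m, my, sso, vip, www
  "*.com.apricot.lan"     # ATT defensive previews (adulttherapytour.com.apricot.lan, ...)
  "*.tours.apricot.lan"   # adulttherapy.tours.apricot.lan
  "*.singles.apricot.lan" # apa.singles, futa.singles
  "apricot.lan"           # bare apex
)
readonly -a SANS

#######################################
# Print a progress line to stdout with the script prefix.
# Arguments: message words
#######################################
log() {
  printf '[dev-cert-refresh] %s\n' "$*"
}

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Generate the wildcard cert + key with mkcert and pin the file modes.
# The key is created under umask 077 so it is never group/world readable
# between creation and the chmod below, whatever mode mkcert itself uses;
# the public cert is opened back up to 644 afterwards.
# Globals:   CERT_DIR, CRT, KEY, SANS (read)
# Returns:   exits via set -e if mkcert or chmod fails
#######################################
generate_cert() {
  mkdir -p "$CERT_DIR"
  log "generating cert with ${#SANS[@]} SAN patterns"
  # Subshell scopes the umask to the mkcert call only.
  (
    umask 077
    mkcert -cert-file "$CRT" -key-file "$KEY" "${SANS[@]}"
  )
  chmod 600 "$KEY"
  chmod 644 "$CRT"
}

#######################################
# Warn when the private key would be picked up by git. The key lives inside
# the repo tree (infrastructure/certs), so a missing ignore rule would let a
# careless `git add -A` commit it. Best-effort: silent when git is absent or
# REPO_ROOT is not a work tree.
# Globals:   REPO_ROOT, KEY (read)
# Outputs:   warning on stderr when the key is not ignored
#######################################
warn_if_key_not_ignored() {
  command -v git >/dev/null 2>&1 || return 0
  git -C "$REPO_ROOT" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 0
  # check-ignore: 0 = ignored, 1 = not ignored, 128 = error — warn on both non-zero cases.
  if ! git -C "$REPO_ROOT" check-ignore -q -- "$KEY"; then
    printf '[dev-cert-refresh] WARNING: %s is not git-ignored; add it to .gitignore before committing\n' "$KEY" >&2
  fi
}

#######################################
# Print the SANs of the freshly written cert for eyeballing. Non-fatal:
# `openssl x509 -ext` needs OpenSSL 1.1.1+, and a missing or older openssl
# should only cost the listing, not abort the refresh before the Caddy reload.
# Globals:   CRT (read)
# Outputs:   indented SAN list on stdout
#######################################
show_sans() {
  log "cert SANs:"
  if ! command -v openssl >/dev/null 2>&1; then
    printf '[dev-cert-refresh] openssl not in PATH; skipping SAN listing\n' >&2
    return 0
  fi
  openssl x509 -in "$CRT" -noout -ext subjectAltName | sed 's/^/ /' \
    || printf '[dev-cert-refresh] could not list SANs (openssl too old for -ext?)\n' >&2
}

#######################################
# Ask a running Caddy to reload Caddyfile.local over its admin API. Failure is
# reported, never fatal: the cert on disk is already refreshed and Caddy
# also watches the file path.
# Globals:   CADDY_BIN, CADDYFILE, CADDY_ADMIN (read)
# Returns:   always 0
#######################################
reload_caddy() {
  log "reloading Caddy (if running)"
  if ! pgrep -f "caddy run --config" >/dev/null 2>&1; then
    log "Caddy not running; start it via your usual flow"
    return 0
  fi
  if [[ ! -x "$CADDY_BIN" ]]; then
    log "reload failed — $CADDY_BIN not executable; restart manually"
    return 0
  fi
  # Plain if/else rather than `a && b || c` so a failing `log` cannot be
  # misreported as a failed reload.
  if "$CADDY_BIN" reload --config "$CADDYFILE" --address "$CADDY_ADMIN"; then
    log "reload OK"
  else
    log "reload failed — restart manually"
  fi
}

#######################################
# Entry point: check prerequisites, regenerate, inspect, reload.
#######################################
main() {
  command -v mkcert >/dev/null 2>&1 \
    || die "mkcert not in PATH. Install with: brew install mkcert"
  generate_cert
  warn_if_key_not_ignored
  show_sans
  reload_caddy
  log "done."
}

main "$@"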