fix(infra): init-ssl installs HTTP-only config before requesting certs

ImTotem · claude · ImTotem · commit 7df89264b15b · 2026-03-12T14:52:53.000+09:00
Solves chicken-and-egg: HTTPS config needs certs, but certs need
ACME challenge served on HTTP. Now installs temporary HTTP-only
config first, gets certs, then installs full HTTPS config.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/infra/scripts/init-ssl.sh b/infra/scripts/init-ssl.sh
@@ -5,13 +5,38 @@ if [ -f .env ]; then
     set -a; source .env; set +a
 fi
 
+NGINX_AVAILABLE="/etc/nginx/sites-available/bcsd-api.conf"
+NGINX_ENABLED="/etc/nginx/sites-enabled/bcsd-api.conf"
 DOMAIN="${DOMAIN:?Set DOMAIN in .env}"
 N8N_DOMAIN="${N8N_DOMAIN}"
 FRONTEND_DOMAIN="${FRONTEND_DOMAIN}"
 
+DOMAINS="$DOMAIN"
+[ -n "$N8N_DOMAIN" ] && DOMAINS="$DOMAINS $N8N_DOMAIN"
+[ -n "$FRONTEND_DOMAIN" ] && DOMAINS="$DOMAINS $FRONTEND_DOMAIN internal.bcsdlab.com"
+
 echo "=== Initial SSL Certificate Setup ==="
 
-echo "1. Requesting certificate for $DOMAIN..."
+echo "1. Installing HTTP-only nginx config for ACME challenge..."
+sudo mkdir -p /var/www/certbot
+cat <<EOF | sudo tee "$NGINX_AVAILABLE" > /dev/null
+server {
+    listen 80;
+    server_name $DOMAINS;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 444;
+    }
+}
+EOF
+sudo ln -sf "$NGINX_AVAILABLE" "$NGINX_ENABLED"
+sudo nginx -t && sudo nginx -s reload
+
+echo "2. Requesting certificate for $DOMAIN..."
 sudo certbot certonly \
     --webroot \
     -w /var/www/certbot \
@@ -20,7 +45,7 @@ sudo certbot certonly \
     --agree-tos
 
 if [ -n "$N8N_DOMAIN" ]; then
-    echo "2. Requesting certificate for $N8N_DOMAIN..."
+    echo "3. Requesting certificate for $N8N_DOMAIN..."
     sudo certbot certonly \
         --webroot \
         -w /var/www/certbot \
@@ -30,7 +55,7 @@ if [ -n "$N8N_DOMAIN" ]; then
 fi
 
 if [ -n "$FRONTEND_DOMAIN" ]; then
-    echo "3. Requesting certificate for $FRONTEND_DOMAIN (+ internal.bcsdlab.com)..."
+    echo "4. Requesting certificate for $FRONTEND_DOMAIN (+ internal.bcsdlab.com)..."
     sudo certbot certonly \
         --webroot \
         -w /var/www/certbot \
@@ -40,7 +65,8 @@ if [ -n "$FRONTEND_DOMAIN" ]; then
         --agree-tos
 fi
 
-echo "4. Reloading nginx..."
+echo "5. Installing full nginx config with HTTPS..."
+sudo cp infra/nginx/bcsd-api.conf "$NGINX_AVAILABLE"
 sudo nginx -t && sudo nginx -s reload
 
 echo "=== SSL setup complete ==="
