From 2a04099f95e3b0da35890764bfb6fe677757272f Mon Sep 17 00:00:00 2001
From: mguschin
Date: Mon, 9 Mar 2026 16:11:03 +0300
Subject: [PATCH] Fix tls script.
---
 scripts/init-letsencrypt.sh | 55 +++++++++++++++----------------------
 1 file changed, 22 insertions(+), 33 deletions(-)
diff --git a/scripts/init-letsencrypt.sh b/scripts/init-letsencrypt.sh
index eb32270..7acffd8 100755
--- a/scripts/init-letsencrypt.sh
+++ b/scripts/init-letsencrypt.sh
@@ -1,57 +1,46 @@ #!/bin/bash # Obtain TLS certificates from Let's Encrypt for evosync.ru # Run once on first deploy: sudo ./scripts/init-letsencrypt.sh +# Requires nginx running on the host with acme-challenge location configured set -euo pipefail DOMAIN="evosync.ru" EMAIL="${LETSENCRYPT_EMAIL:-admin@evosync.ru}" -COMPOSE="docker compose" CERTBOT_DIR="./certbot" +ACME_DIR="/var/www/certbot" echo "==> Creating certbot directories..." mkdir -p "$CERTBOT_DIR/conf" "$CERTBOT_DIR/www" -echo "==> Starting nginx (HTTP only, for ACME challenge)..." -# Temporarily use a basic config that doesn't require certs -cat > nginx/nginx-temp.conf <<'TMPCONF' -server { - listen 80; - server_name evosync.ru www.evosync.ru; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - - location / { - return 200 'Setting up TLS...'; - add_header Content-Type text/plain; - } -} -TMPCONF - -$COMPOSE up -d nginx +echo "==> Ensuring acme-challenge directory exists on host..." +sudo mkdir -p "$ACME_DIR" +sudo chmod 755 "$ACME_DIR" echo "==> Requesting certificate from Let's Encrypt..." -docker run --rm \ - -v "$(pwd)/$CERTBOT_DIR/conf:/etc/letsencrypt" \ - -v "$(pwd)/$CERTBOT_DIR/www:/var/www/certbot" \ - --network "${COMPOSE_PROJECT_NAME:-evo-syncgit}_default" \ - certbot/certbot certonly \ +sudo certbot certonly \ --webroot \ - --webroot-path=/var/www/certbot \ + --webroot-path="$ACME_DIR" \ --email "$EMAIL" \ --agree-tos \ --no-eff-email \ -d "$DOMAIN" \ -d "www.$DOMAIN" -echo "==> Restoring production nginx config..." -rm -f nginx/nginx-temp.conf - -echo "==> Restarting nginx with TLS..." -$COMPOSE restart nginx +echo "==> Copying certificates to project directory..." +sudo cp "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" "$CERTBOT_DIR/conf/fullchain.pem" +sudo cp "/etc/letsencrypt/live/$DOMAIN/privkey.pem" "$CERTBOT_DIR/conf/privkey.pem" +sudo chown "$(whoami):$(whoami)" "$CERTBOT_DIR/conf"/*.pem echo "==> Done! 
TLS certificate installed for $DOMAIN"
-echo " Set up auto-renewal with: sudo crontab -e"
-echo " Add: 0 3 * * * cd $(pwd) && docker run --rm -v $(pwd)/$CERTBOT_DIR/conf:/etc/letsencrypt -v $(pwd)/$CERTBOT_DIR/www:/var/www/certbot certbot/certbot renew --quiet && docker compose restart nginx"
+echo ""
+echo "Certificate files:"
+echo " - $CERTBOT_DIR/conf/fullchain.pem"
+echo " - $CERTBOT_DIR/conf/privkey.pem"
+echo ""
+echo "Configure nginx:"
+echo " ssl_certificate $CERTBOT_DIR/conf/fullchain.pem;"
+echo " ssl_certificate_key $CERTBOT_DIR/conf/privkey.pem;"
+echo ""
+echo "Set up auto-renewal with: sudo crontab -e"
+echo "Add: 0 3 * * * certbot renew --quiet && systemctl reload nginx"
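Review bot: The copied certificate files go stale after the first renewal — the suggested cron line `0 3 * * * certbot renew --quiet && systemctl reload nginx` renews under /etc/letsencrypt, but nginx is told to load `$CERTBOT_DIR/conf/fullchain.pem`, which nothing ever re-copies, so the served certificate expires roughly 90 days after deploy even though renewal reports success. The private-key copy also gets no explicit mode (`cp` keeps an existing destination's mode on re-runs), and `$(whoami)` resolves to `root` when the script is run with `sudo` as its header instructs, so the `chown` line is a no-op in the documented invocation; if a non-root owner is really intended, use `${SUDO_USER:-$(whoami)}` and follow it with `chmod 600` on privkey.pem, otherwise leaving the key root-owned is the safer default. The printed `ssl_certificate ./certbot/conf/...` is a relative path, and nginx resolves relative paths against its own prefix rather than the project directory, so the hint should print an absolute path. The rewritten tail below re-copies the renewed files from a `--deploy-hook` so the cron job keeps the project copy in sync; note `$CERTBOT_DIR/www` created earlier in the hunk is no longer used now that the webroot is `$ACME_DIR`.
```shell
# … unchanged: certbot certonly invocation …

CONF_DIR="$(pwd)/${CERTBOT_DIR#./}/conf"   # absolute: nginx resolves relative paths against its prefix
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"

echo "==> Copying certificates to project directory..."
sudo cp "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem" "$CONF_DIR/"
# cp keeps an existing destination's mode on re-runs, so set modes explicitly every time.
sudo chmod 644 "$CONF_DIR/fullchain.pem"
sudo chmod 600 "$CONF_DIR/privkey.pem"
# Under sudo (the documented invocation) $(whoami) is root; SUDO_USER is the invoking user.
# Only hand the key to a non-root user if something other than root-run nginx must read it.
sudo chown "${SUDO_USER:-$(whoami)}:${SUDO_USER:-$(whoami)}" "$CONF_DIR"/*.pem

# … unchanged: "Done" banner and certificate file listing …
echo "Configure nginx:"
echo "  ssl_certificate     $CONF_DIR/fullchain.pem;"
echo "  ssl_certificate_key $CONF_DIR/privkey.pem;"
echo ""
echo "Set up auto-renewal with: sudo crontab -e"
echo "Add (the deploy hook re-copies renewed files; without it nginx keeps serving the expiring copy):"
echo "  0 3 * * * certbot renew --quiet --deploy-hook 'cp $LIVE_DIR/fullchain.pem $LIVE_DIR/privkey.pem $CONF_DIR/ && chmod 600 $CONF_DIR/privkey.pem && systemctl reload nginx'"
```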