modified: internal/service/site_test.go

Code-Egg · Code-Egg · commit 633254a1a8c3 · 2026-04-10T14:17:09.000+08:00
diff --git a/README.md b/README.md
@@ -93,7 +93,7 @@ ols site list
 
 ```bash
 ols --dry-run site create example.com --wp --le --php85 --enable-owasp --hsts --enable-ns
-ols --dry-run site update example.com --enable-recaptcha --disable-owasp --disable-ns
+ols --dry-run site update example.com --enable-recaptcha --disable-owasp --disable-ns --le
 ols --dry-run site info example.com
 ols --dry-run site show example.com
 ols --dry-run site list
@@ -125,7 +125,7 @@ ols site (command) [options]
 | Subcommand | Purpose | Options |
 | --- | --- | --- |
 | `create` | Create a new site/vhost | `--wp` `--le` `--php81` `--php82` `--php83` `--php84` `--php85` `--enable-owasp` `--disable-owasp` `--enable-recaptcha` `--disable-recaptcha` `--enable-ns` `--disable-ns` `--hsts` |
-| `update` | Update an existing site (PHP target optional when only security flags are used) | `--wp` (requires one of `--php81` `--php82` `--php83` `--php84` `--php85`), or security flags only: `--enable-owasp` `--disable-owasp` `--enable-recaptcha` `--disable-recaptcha` `--enable-ns` `--disable-ns` `--hsts` |
+| `update` | Update an existing site (PHP target optional when only security/LE flags are used) | `--wp` (requires one of `--php81` `--php82` `--php83` `--php84` `--php85`), optional `--le`, or security flags only: `--enable-owasp` `--disable-owasp` `--enable-recaptcha` `--disable-recaptcha` `--enable-ns` `--disable-ns` `--hsts` |
 | `info` | Show site metadata and detected status |  |
 | `show` | Print OLS virtual host config (`vhconf.conf`) |  |
 | `list` | List managed sites discovered from OLS vhost directory |  |
diff --git a/internal/cli/site.go b/internal/cli/site.go
@@ -173,6 +173,7 @@ func newSiteUpdateCmd(svc siteManager, rootOpts *rootOptions) *cobra.Command {
 	owasp := &toggleFlags{}
 	recaptcha := &toggleFlags{}
 	var withWordPress bool
+	var withLE bool
 	var withHSTS bool
 	namespace := &toggleFlags{}
 
@@ -181,7 +182,8 @@ func newSiteUpdateCmd(svc siteManager, rootOpts *rootOptions) *cobra.Command {
 		Short: "Update existing site configuration",
 		Example: "ols site update example.com --php83\n" +
 			"ols site update example.com --enable-owasp --enable-recaptcha\n" +
-			"ols --dry-run site update example.com --wp --php85 --hsts",
+			"ols site update example.com --le\n" +
+			"ols --dry-run site update example.com --wp --php85 --hsts --le",
 		Args: cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			phpVersion, err := php.selected("")
@@ -205,12 +207,13 @@ func newSiteUpdateCmd(svc siteManager, rootOpts *rootOptions) *cobra.Command {
 			if withWordPress && phpVersion == "" {
 				return apperr.New(apperr.CodeValidation, "missing PHP version flag for --wp; provide one of --php81/--php82/--php83/--php84/--php85")
 			}
-			if phpVersion == "" && !withWordPress && owaspEnabled == nil && recaptchaEnabled == nil && namespaceEnabled == nil && !withHSTS {
-				return apperr.New(apperr.CodeValidation, "no update action provided; pass PHP version and/or security flags such as --enable-owasp, --enable-recaptcha, --disable-owasp, --disable-recaptcha, --enable-ns, --disable-ns, --hsts")
+			if phpVersion == "" && !withWordPress && !withLE && owaspEnabled == nil && recaptchaEnabled == nil && namespaceEnabled == nil && !withHSTS {
+				return apperr.New(apperr.CodeValidation, "no update action provided; pass PHP version and/or flags such as --wp, --le, --enable-owasp, --enable-recaptcha, --disable-owasp, --disable-recaptcha, --enable-ns, --disable-ns, --hsts")
 			}
 			err = svc.UpdateSitePHP(cmd.Context(), service.UpdateSiteOptions{
 				Domain:            args[0],
 				WithWordPress:     withWordPress,
+				WithLE:            withLE,
 				PHPVersion:        phpVersion,
 				OWASPEnabled:      owaspEnabled,
 				RecaptchaEnabled:  recaptchaEnabled,
@@ -227,6 +230,7 @@ func newSiteUpdateCmd(svc siteManager, rootOpts *rootOptions) *cobra.Command {
 
 	cmd.Flags().SortFlags = false
 	cmd.Flags().BoolVar(&withWordPress, "wp", false, "ensure WordPress and LiteSpeed Cache plugin are present")
+	cmd.Flags().BoolVar(&withLE, "le", false, "issue/update Let's Encrypt certificate for the site")
 	addPHPVersionFlags(cmd, php)
 	cmd.Flags().BoolVar(&owasp.enable, "enable-owasp", false, "enable OWASP ModSecurity at virtual host level")
 	cmd.Flags().BoolVar(&recaptcha.enable, "enable-recaptcha", false, "enable reCAPTCHA at virtual host level")
diff --git a/internal/cli/site_test.go b/internal/cli/site_test.go
@@ -144,6 +144,7 @@ func TestSiteUpdateFlagOrder(t *testing.T) {
 
 	wantPrefix := []string{
 		"wp",
+		"le",
 		"php81",
 		"php82",
 		"php83",
diff --git a/internal/service/site.go b/internal/service/site.go
@@ -135,6 +135,7 @@ type CreateSiteOptions struct {
 type UpdateSiteOptions struct {
 	Domain            string
 	WithWordPress     bool
+	WithLE            bool
 	PHPVersion        string
 	OWASPEnabled      *bool
 	RecaptchaEnabled  *bool
@@ -509,8 +510,10 @@ func (s SiteService) UpdateSitePHP(ctx context.Context, opts UpdateSiteOptions)
 
 	phpRequested := strings.TrimSpace(opts.PHPVersion) != ""
 	securityRequested := opts.OWASPEnabled != nil || opts.RecaptchaEnabled != nil || opts.NamespaceEnabled != nil || opts.EnableHSTSHeaders
+	leRequested := opts.WithLE
+	isTopLevelDomain := isTopLevelSiteDomain(opts.Domain)
 
-	if !phpRequested && !opts.WithWordPress && !securityRequested {
+	if !phpRequested && !opts.WithWordPress && !securityRequested && !leRequested {
 		return apperr.New(apperr.CodeValidation, "no update action requested")
 	}
 	if opts.WithWordPress && !phpRequested {
@@ -528,23 +531,30 @@ func (s SiteService) UpdateSitePHP(ctx context.Context, opts UpdateSiteOptions)
 		if err != nil {
 			return err
 		}
+		packages = packagesForPHPUpdate(phpVersion)
+	}
+	if phpRequested || leRequested {
 		info, err = s.detector.Detect(ctx)
 		if err != nil {
 			return err
 		}
-		packages = packagesForPHPUpdate(phpVersion)
 	}
 
 	s.console.Section("Update site configuration")
 	s.console.Bullet("Domain: " + opts.Domain)
 	if phpRequested {
 		s.console.Bullet("Target PHP: lsphp" + phpVersion)
+	}
+	if phpRequested || leRequested {
 		s.console.Bullet("Platform: " + info.Summary())
 	}
 	s.console.Bullet("VHost config: " + vhostConfig)
 	if opts.WithWordPress {
 		s.console.Bullet("WordPress + LiteSpeed Cache reconcile: enabled")
 	}
+	if opts.WithLE {
+		s.console.Bullet("Let's Encrypt: enabled")
+	}
 	if opts.OWASPEnabled != nil {
 		s.console.Bullet("OWASP virtual-host mode: " + enabledLabel(*opts.OWASPEnabled))
 	}
@@ -586,6 +596,20 @@ func (s SiteService) UpdateSitePHP(ctx context.Context, opts UpdateSiteOptions)
 		if opts.EnableHSTSHeaders {
 			s.console.Bullet("append recommended security extra headers to context / in " + vhostConfig)
 		}
+		if opts.WithLE {
+			if isTopLevelDomain {
+				s.console.Bullet("perform domain reachability precheck for " + opts.Domain)
+				s.console.Bullet("perform optional www reachability precheck for www." + opts.Domain)
+				s.console.Bullet("if www precheck passes, issue Let's Encrypt cert for both domains")
+				s.console.Bullet("if www precheck fails, issue Let's Encrypt cert for primary domain only")
+			} else {
+				s.console.Bullet("skip domain reachability precheck for subdomain LE issuance")
+			}
+			s.console.Bullet("ensure certbot is installed")
+			s.console.Bullet("issue Let's Encrypt certificate via certbot webroot challenge")
+			s.console.Bullet("write cert/key into vhost SSL config")
+			s.console.Bullet("reload OpenLiteSpeed")
+		}
 		s.console.Success("Dry-run plan generated")
 		return nil
 	}
@@ -643,6 +667,42 @@ func (s SiteService) UpdateSitePHP(ctx context.Context, opts UpdateSiteOptions)
 		return err
 	}
 
+	if opts.WithLE {
+		certDomains := []string{opts.Domain}
+		if isTopLevelDomain {
+			ok, detail := precheckLEDomainReachability(opts.Domain)
+			if !ok {
+				return apperr.New(apperr.CodeValidation, "Let's Encrypt precheck failed for "+opts.Domain+": "+detail)
+			}
+			s.console.Success("Let's Encrypt precheck passed for " + opts.Domain + ": " + detail)
+
+			wwwDomain := "www." + opts.Domain
+			okWWW, detailWWW := precheckLEDomainReachability(wwwDomain)
+			if okWWW {
+				certDomains = append(certDomains, wwwDomain)
+				s.console.Success("Let's Encrypt precheck passed for " + wwwDomain + ": " + detailWWW)
+			} else {
+				s.console.Warn("Let's Encrypt precheck failed for " + wwwDomain + "; issuing certificate for primary domain only: " + detailWWW)
+			}
+		}
+
+		certFile, keyFile, err := s.issueLetsEncryptCertificate(ctx, info, docRoot, certDomains...)
+		if err != nil {
+			return err
+		}
+		if err := applyVHostSSLCertificate(vhostConfig, certFile, keyFile); err != nil {
+			return err
+		}
+		s.console.Success("Let's Encrypt certificate issued")
+		s.console.Bullet("Certificate domains: " + strings.Join(certDomains, ", "))
+		s.console.Bullet("Certificate: " + certFile)
+		s.console.Bullet("Private key: " + keyFile)
+
+		if err := s.reloadOpenLiteSpeed(ctx); err != nil {
+			s.console.Warn("Failed to reload OpenLiteSpeed automatically after SSL issuance: " + err.Error())
+		}
+	}
+
 	if boolPtrValue(opts.RecaptchaEnabled) {
 		recaptchaEnabled, err := isServerRecaptchaEnabled(serverConfigPath)
 		if err != nil {
@@ -659,7 +719,9 @@ func (s SiteService) UpdateSitePHP(ctx context.Context, opts UpdateSiteOptions)
 	if securityChanged {
 		s.console.Success("Requested security options applied to vhost config")
 	}
-	s.console.Bullet("Reload OpenLiteSpeed to apply configuration changes")
+	if !opts.WithLE {
+		s.console.Bullet("Reload OpenLiteSpeed to apply configuration changes")
+	}
 	return nil
 }
 
diff --git a/internal/service/site_test.go b/internal/service/site_test.go
@@ -382,6 +382,95 @@ func TestUpdateSiteSecurityOnlyWithoutPHP(t *testing.T) {
 	}
 }
 
+func TestUpdateSiteLetsEncryptForSubdomainWithoutPHP(t *testing.T) {
+	var out bytes.Buffer
+	console := ui.NewStyledConsole(&out)
+	r := &fakeRunner{}
+
+	base := t.TempDir()
+	lswsRoot := filepath.Join(base, "lsws")
+	webRoot := filepath.Join(base, "www")
+	domain := "api.example.com"
+	vhostDir := filepath.Join(lswsRoot, "conf", "vhosts", domain)
+
+	if err := os.MkdirAll(filepath.Join(lswsRoot, "bin"), 0o755); err != nil {
+		t.Fatalf("mkdir bin: %v", err)
+	}
+	if err := os.MkdirAll(filepath.Join(lswsRoot, "conf"), 0o755); err != nil {
+		t.Fatalf("mkdir conf: %v", err)
+	}
+	if err := os.MkdirAll(vhostDir, 0o755); err != nil {
+		t.Fatalf("mkdir vhost: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(lswsRoot, "bin", "lswsctrl"), []byte("stub"), 0o755); err != nil {
+		t.Fatalf("write lswsctrl: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(lswsRoot, "conf", "httpd_config.conf"), []byte("listener Default {\n}\n"), 0o644); err != nil {
+		t.Fatalf("write server config: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(vhostDir, "vhconf.conf"), []byte(buildVHConfig("85")), 0o644); err != nil {
+		t.Fatalf("write vhconf: %v", err)
+	}
+
+	oldRoot := letsencryptLiveRoot
+	letsencryptLiveRoot = filepath.Join(base, "letsencrypt", "live")
+	t.Cleanup(func() { letsencryptLiveRoot = oldRoot })
+
+	certFile, keyFile := letsEncryptCertPaths(domain)
+	if err := os.MkdirAll(filepath.Dir(certFile), 0o755); err != nil {
+		t.Fatalf("mkdir cert dir: %v", err)
+	}
+	if err := os.WriteFile(certFile, []byte("cert"), 0o644); err != nil {
+		t.Fatalf("write cert file: %v", err)
+	}
+	if err := os.WriteFile(keyFile, []byte("key"), 0o600); err != nil {
+		t.Fatalf("write key file: %v", err)
+	}
+
+	svc := NewSiteServiceWithPaths(
+		fakeDetector{info: platform.Info{ID: "ubuntu", Family: platform.FamilyDebian, PackageManager: platform.PackageManagerAPT, VersionID: "24.04"}},
+		r,
+		console,
+		lswsRoot,
+		webRoot,
+	)
+
+	err := svc.UpdateSitePHP(context.Background(), UpdateSiteOptions{Domain: domain, WithLE: true})
+	if err != nil {
+		t.Fatalf("unexpected update error: %v", err)
+	}
+
+	updated, err := os.ReadFile(filepath.Join(vhostDir, "vhconf.conf"))
+	if err != nil {
+		t.Fatalf("read vhconf: %v", err)
+	}
+	content := string(updated)
+	if !strings.Contains(content, certFile) || !strings.Contains(content, keyFile) {
+		t.Fatalf("expected updated SSL cert/key paths in vhconf, got: %s", content)
+	}
+
+	hasCertbot := false
+	hasReload := false
+	for _, call := range r.calls {
+		if len(call) > 0 && call[0] == "certbot" {
+			hasCertbot = true
+			joined := strings.Join(call, " ")
+			if !strings.Contains(joined, "-d "+domain) {
+				t.Fatalf("expected certbot args to include -d %s, got: %#v", domain, call)
+			}
+		}
+		if len(call) == 2 && filepath.Base(call[0]) == "lswsctrl" && call[1] == "reload" {
+			hasReload = true
+		}
+	}
+	if !hasCertbot {
+		t.Fatalf("expected certbot call, got calls: %#v", r.calls)
+	}
+	if !hasReload {
+		t.Fatalf("expected lswsctrl reload call, got calls: %#v", r.calls)
+	}
+}
+
 func TestApplyVHostSecurityOptionsEnableAndDisable(t *testing.T) {
 	vhostPath := filepath.Join(t.TempDir(), "vhconf.conf")
 	if err := os.WriteFile(vhostPath, []byte(buildVHConfig("85")), 0o644); err != nil {
