From 4519dbf04f391a11ffab5ab79f5553938605fd18 Mon Sep 17 00:00:00 2001
From: archipelago
Date: Sat, 27 Jun 2026 17:49:50 -0400
Subject: [PATCH] fix(orchestrator): render manifest certs on the adopted-running reconcile path WS-F #10: a netbird reinstall that adopts a leftover running container skipped ensure_manifest_certs, so when its data dir was wiped the self- signed tls.crt/key were never regenerated; the next nginx.conf rewrite + restart then died on the missing cert (proxy 502, login broken). The Running branch of ensure_running_with_mode now calls ensure_manifest_certs before ensure_manifest_files, mirroring prepare_for_start's certs-before- files ordering. Idempotent: a no-op when crt+key already exist. Live-validated on .228: deleted netbird tls.crt/key under a Running container; reconciler regenerated a fresh CN= self-signed cert (1000:1000), https :8087 = 200. Co-Authored-By: Claude Opus 4.8 (1M context)
---
 core/archipelago/src/container/prod_orchestrator.rs | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/core/archipelago/src/container/prod_orchestrator.rs b/core/archipelago/src/container/prod_orchestrator.rs
index 62034a1a..8ce7f62c 100644
--- a/core/archipelago/src/container/prod_orchestrator.rs
+++ b/core/archipelago/src/container/prod_orchestrator.rs
@@ -1540,6 +1540,14 @@ impl ProdContainerOrchestrator {
 // anything was rewritten, restart the container so nginx
 // picks up the new config.
 let app_hook = self.run_pre_start_hooks(&app_id).await?;
+ // Certs before files (mirrors prepare_for_start). A manifest
+ // file rewrite below can trigger a restart, and the container's
+ // bind-mounts expect the cert present. Without this, an adopted
+ // running app whose data dir was wiped on reinstall (netbird:
+ // tls.crt/key live under the removed /var/lib/archipelago/netbird)
+ // never regenerates the cert → nginx proxy dies on the restart.
+ // Idempotent: a no-op when crt+key already exist.
+ self.ensure_manifest_certs(&resolved_manifest).await?;
 let file_hook = self.ensure_manifest_files(&resolved_manifest).await?;
 if app_hook == Some(HookOutcome::Rewritten)
 || file_hook == HookOutcome::Rewritten
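Review bot: The result of the added `self.ensure_manifest_certs(&resolved_manifest).await?;` is discarded, while the restart condition two lines below still keys only on `app_hook` and `file_hook`, so a cert that was just regenerated without any manifest file changing triggers no restart and the running nginx presumably keeps serving the key it loaded at start while the on-disk key silently diverges until some unrelated restart. If `ensure_manifest_certs` reports whether it wrote anything (its return type is not visible here), fold that into the decision, e.g. `let cert_hook = self.ensure_manifest_certs(&resolved_manifest).await?;` and `|| cert_hook == HookOutcome::Rewritten`; if it returns `()`, at least emit a warn-level log when a private key is (re)generated under an already-running container, since a key rotation is an event an operator should be able to find afterwards. The cert is also rendered after `run_pre_start_hooks`, so if any hook is expected to read tls.crt/key that ordering deserves a sentence in the new comment. `ensure_running_with_mode` begins and ends outside the hunk.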