95fbb094b0
- S4: Add Bitcoin readiness gate and container tracking with final summary - S5: Replace eval "$DB_PASSWORDS" with safe case-based variable parsing - S6: Add deploy locking with stale lock detection (30min timeout) - S7: Deploy rollback already implemented — verified existing mechanism - S8: Switch trust-archipelago-cert.sh to SSH key auth, sshpass as fallback - S9: Pipe MariaDB SQL via stdin to avoid password in ps output - S17: Add disk space pre-flight check (abort if >85% full) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
74 lines
2.9 KiB
Bash
Executable File
74 lines
2.9 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# Trust the Archipelago server's self-signed certificate on macOS.
|
|
# Run this to eliminate "Not secure" when accessing https://192.168.1.228
|
|
#
|
|
# Usage: ./scripts/trust-archipelago-cert.sh [host]
|
|
# Default host: 192.168.1.228
|
|
#
|
|
# Requires: SSH access to archipelago@host (uses deploy-config.sh password)
|
|
#
|
|
|
|
set -e
|
|
|
|
HOST="${1:-192.168.1.228}"
|
|
CERT_FILE="/tmp/archipelago-${HOST}.crt"
|
|
KEYCHAIN="${HOME}/Library/Keychains/login.keychain-db"
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
|
|
|
|
# Try to fetch cert from server via SSH (most reliable)
|
|
SSH_KEY="${ARCHIPELAGO_SSH_KEY:-$HOME/.ssh/archipelago-deploy}"
|
|
echo "Fetching certificate from server..."
|
|
if [ -f "$SSH_KEY" ]; then
|
|
ssh -o StrictHostKeyChecking=no -i "$SSH_KEY" archipelago@${HOST} \
|
|
'sudo -n cat /etc/archipelago/ssl/archipelago.crt' > "$CERT_FILE" 2>/dev/null || true
|
|
elif [ -f "$SCRIPT_DIR/deploy-config.sh" ]; then
|
|
# Last-resort fallback: password auth (leaks credentials to process list)
|
|
. "$SCRIPT_DIR/deploy-config.sh"
|
|
echo "WARNING: SSH key not found at $SSH_KEY — falling back to password auth"
|
|
if command -v sshpass >/dev/null 2>&1; then
|
|
sshpass -p "$ARCHIPELAGO_PASSWORD" ssh -o StrictHostKeyChecking=no archipelago@${HOST} \
|
|
'sudo -n cat /etc/archipelago/ssl/archipelago.crt' > "$CERT_FILE" 2>/dev/null || true
|
|
else
|
|
echo "WARNING: No SSH key and sshpass not installed — skipping SSH fetch"
|
|
fi
|
|
fi
|
|
|
|
# Fallback: fetch via openssl (can hang on some systems)
|
|
if [ ! -s "$CERT_FILE" ]; then
|
|
echo "Fetching certificate via TLS..."
|
|
(echo "Q"; sleep 1) | openssl s_client -connect "${HOST}:443" -servername "${HOST}" 2>/dev/null | \
|
|
openssl x509 -outform PEM > "$CERT_FILE"
|
|
fi
|
|
|
|
if [ ! -s "$CERT_FILE" ]; then
|
|
echo "Failed to fetch certificate. Ensure deploy-config.sh exists and SSH works, or the server is reachable."
|
|
exit 1
|
|
fi
|
|
|
|
echo "Adding to your login keychain..."
|
|
|
|
# Remove old cert if present (by common name)
|
|
security delete-certificate -c "archipelago.local" "$KEYCHAIN" 2>/dev/null || true
|
|
|
|
# Add to user keychain with trust (no sudo needed)
|
|
if security add-trusted-cert -d -r trustRoot -k "$KEYCHAIN" "$CERT_FILE" 2>/dev/null; then
|
|
echo " Certificate trusted successfully."
|
|
elif security add-trusted-cert -d -r trustAsRoot -k "$KEYCHAIN" "$CERT_FILE" 2>/dev/null; then
|
|
echo " Certificate trusted successfully."
|
|
else
|
|
# Fallback: add cert and open Keychain Access for manual trust
|
|
cp "$CERT_FILE" "$HOME/Desktop/archipelago-${HOST}.crt"
|
|
echo ""
|
|
echo " Could not auto-trust. Certificate saved to Desktop."
|
|
echo " Double-click archipelago-${HOST}.crt to add it, then in Keychain Access"
|
|
echo " find it, double-click, expand Trust → set to 'Always Trust'."
|
|
CERT_FILE="" # Don't delete, we copied to Desktop
|
|
fi
|
|
|
|
rm -f "$CERT_FILE"
|
|
|
|
echo ""
|
|
echo "✅ Done. Restart your browser fully (quit Chrome/Safari) and visit https://${HOST}"
|