fix(ssl): block ssl-verify on non-letsencrypt sites #487

Open
mrrobot47 wants to merge 1 commit into EasyEngine:develop from mrrobot47:fix/ssl-verify-non-le-guard

@mrrobot47

Member

Problem

ee site ssl-verify (ssl_verify()) had no guard on the site's SSL type. Run on a custom / self / inherit site it would still prompt for a Let's Encrypt email, instantiate the ACME client, run the challenge, and request an LE certificate — which overwrites the user's custom certificate if the domain validates, or yields a confusing "Failed to verify SSL" error with a retry hint that can never succeed for a non-LE cert.

Fix

Guard ssl_verify() to error clearly when site_ssl !== 'le'. The guard sits after site_data is populated (so it covers the user-invoked subcommand) and does not affect the internal call from init_le() during LE site creation — that path is only reached when site_ssl === 'le', so the guard never fires there.

Testing

Manual:

  1. ee site create custom.test --type=html --ssl=custom --ssl-key=... --ssl-crt=...
  2. ee site ssl-verify custom.test → exits with "SSL verification is only applicable to Let's Encrypt certificates." (no email prompt, no ACME run, certs untouched).
  3. Regression: an --ssl=le site still verifies/renews as before.

Copilot AI left a comment

Contributor

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
