#!/usr/bin/env bash # Regenerate NPMPlus admin UI TLS cert (port 81) with SAN for LAN IP access. set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" STACK_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)" cd "${STACK_DIR}" if [[ -f .env ]]; then set -a # shellcheck disable=SC1091 source .env set +a fi DATA_ROOT="${DATA_ROOT:-/data}" TLS_DIR="${DATA_ROOT}/apps/npmplus/tls" LAN_IP="${LAN_IP:-$(hostname -I 2>/dev/null | awk '{print $1}')}" HOST_SHORT="${HOST_SHORT:-$(hostname -s 2>/dev/null || hostname)}" if [[ -z "${LAN_IP}" ]]; then echo "ERROR: Could not detect LAN IP. Set LAN_IP in environment." exit 1 fi if [[ ! -d "${TLS_DIR}" ]]; then echo "ERROR: ${TLS_DIR} not found. Start NPMPlus once: ./scripts/start.sh" exit 1 fi SAN="IP:${LAN_IP},DNS:${HOST_SHORT},DNS:localhost" TS="$(date +%Y%m%d%H%M%S)" echo "=== NPMPlus admin cert regeneration ===" echo "TLS dir: ${TLS_DIR}" echo "SAN: ${SAN}" echo "" if [[ "${EUID}" -ne 0 ]]; then echo "Re-run as root to write certs owned by container:" echo " sudo ${SCRIPT_DIR}/regenerate-admin-cert.sh" exit 1 fi for f in dummycert.pem dummykey.pem; do if [[ -f "${TLS_DIR}/${f}" ]]; then cp -a "${TLS_DIR}/${f}" "${TLS_DIR}/${f}.bak.${TS}" echo "Backed up ${f} -> ${f}.bak.${TS}" fi done TMP="$(mktemp -d)" trap 'rm -rf "${TMP}"' EXIT openssl req -x509 -nodes -days 3650 -newkey rsa:4096 \ -keyout "${TMP}/dummykey.pem" \ -out "${TMP}/dummycert.pem" \ -subj "/CN=${HOST_SHORT}" \ -addext "subjectAltName=${SAN}" install -m 600 -o root -g root "${TMP}/dummykey.pem" "${TLS_DIR}/dummykey.pem" install -m 644 -o root -g root "${TMP}/dummycert.pem" "${TLS_DIR}/dummycert.pem" echo "" echo "Installed new cert. Verifying SAN:" openssl x509 -in "${TLS_DIR}/dummycert.pem" -noout -text | grep -A1 'Subject Alternative Name' || true if docker ps --format '{{.Names}}' | grep -qx npmplus; then echo "" echo "Restarting npmplus..." docker compose --profile npmplus restart npmplus else echo "" echo "Container npmplus not running — start with: ./scripts/start.sh" fi echo "" echo "Admin UI: https://${LAN_IP}:81" echo "Use HTTPS (not http). Accept the self-signed cert warning once in the browser."