Fix share_certs_with_core() to handle missing shared CA gracefully

- Check if shared CA exists on core server before attempting to copy - Generate local shared CA if core server doesn't have certificates - Provide clear instructions for manual certificate synchronization - Remove script failure when certificates can't be copied - Allow infrastructure deployment to continue with local CA generation
2026-01-26 00:05:26 -05:00
parent 89ca29918b
commit 52e0697311
1 changed files with 47 additions and 22 deletions
--- a/scripts/ez-homelab.sh
+++ b/scripts/ez-homelab.sh
@@ -289,33 +289,58 @@ share_certs_with_core() {
    log_info "Copying shared CA certificates from core server..."
    mkdir -p "/opt/stacks/core/shared-ca"

+    # First check if shared CA exists on core server
+    SHARED_CA_EXISTS=false
+    if [ "$USE_SSHPASS" = true ] && [ -n "$SSH_PASSWORD" ]; then
+        if sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no "$SSH_USER@$CORE_SERVER_IP" "[ -f /opt/stacks/core/shared-ca/ca.pem ] && [ -f /opt/stacks/core/shared-ca/ca-key.pem ]" 2>/dev/null; then
+            SHARED_CA_EXISTS=true
+        fi
+    else
+        if ssh -o StrictHostKeyChecking=no "$SSH_USER@$CORE_SERVER_IP" "[ -f /opt/stacks/core/shared-ca/ca.pem ] && [ -f /opt/stacks/core/shared-ca/ca-key.pem ]" 2>/dev/null; then
+            SHARED_CA_EXISTS=true
+        fi
+    fi
+
+    if [ "$SHARED_CA_EXISTS" = true ]; then
+        # Copy existing shared CA from core server
        if [ "$USE_SSHPASS" = true ] && [ -n "$SSH_PASSWORD" ]; then
-        # Use password authentication
            log_info "Running: sshpass -p [PASSWORD] scp -o StrictHostKeyChecking=no $SSH_USER@$CORE_SERVER_IP:/opt/stacks/core/shared-ca/ca.pem /opt/stacks/core/shared-ca/"
            if sshpass -p "$SSH_PASSWORD" scp -o StrictHostKeyChecking=no "$SSH_USER@$CORE_SERVER_IP:/opt/stacks/core/shared-ca/ca.pem" "$SSH_USER@$CORE_SERVER_IP:/opt/stacks/core/shared-ca/ca-key.pem" "/opt/stacks/core/shared-ca/" 2>&1; then
                log_success "Shared CA certificates copied from core server"
            else
-            log_warning "Could not copy shared CA certificates from core server."
-            log_info "Please ensure the certificates exist on the core server at: /opt/stacks/core/shared-ca/"
-            log_info "You may need to manually copy the certificates."
-            log_info "Required files: ca.pem, ca-key.pem"
-            echo ""
-            return 1
+                log_warning "Failed to copy shared CA certificates from core server"
+                SHARED_CA_EXISTS=false
            fi
        else
-        # Use key authentication
            log_info "Running: scp -o StrictHostKeyChecking=no $SSH_USER@$CORE_SERVER_IP:/opt/stacks/core/shared-ca/ca.pem /opt/stacks/core/shared-ca/"
            if scp -o StrictHostKeyChecking=no "$SSH_USER@$CORE_SERVER_IP:/opt/stacks/core/shared-ca/ca.pem" "$SSH_USER@$CORE_SERVER_IP:/opt/stacks/core/shared-ca/ca-key.pem" "/opt/stacks/core/shared-ca/" 2>&1; then
                log_success "Shared CA certificates copied from core server"
            else
-            log_warning "Could not copy shared CA certificates from core server."
-            log_info "Please ensure the certificates exist on the core server at: /opt/stacks/core/shared-ca/"
-            log_info "You may need to manually copy the certificates."
-            log_info "Required files: ca.pem, ca-key.pem"
-            echo ""
-            return 1
+                log_warning "Failed to copy shared CA certificates from core server"
+                SHARED_CA_EXISTS=false
            fi
        fi
+    fi
+
+    if [ "$SHARED_CA_EXISTS" = false ]; then
+        # Generate local shared CA if not available from core server
+        log_warning "Shared CA certificates not found on core server."
+        log_info "Generating local shared CA for infrastructure server..."
+        
+        openssl genrsa -out "/opt/stacks/core/shared-ca/ca-key.pem" 4096
+        openssl req -new -x509 -days 365 -key "/opt/stacks/core/shared-ca/ca-key.pem" -sha256 -out "/opt/stacks/core/shared-ca/ca.pem" -subj "/C=US/ST=State/L=City/O=Homelab/CN=Homelab-CA"
+        
+        log_success "Local shared CA generated"
+        log_info "IMPORTANT: Copy these certificates to your core server at /opt/stacks/core/shared-ca/"
+        log_info "Run this command on your CORE server:"
+        echo "  sudo mkdir -p /opt/stacks/core/shared-ca"
+        echo "  sudo scp $SSH_USER@$SERVER_IP:/opt/stacks/core/shared-ca/ca.pem /opt/stacks/core/shared-ca/"
+        echo "  sudo scp $SSH_USER@$SERVER_IP:/opt/stacks/core/shared-ca/ca-key.pem /opt/stacks/core/shared-ca/"
+        echo "  sudo chown -R $SSH_USER:$SSH_USER /opt/stacks/core/shared-ca"
+        echo ""
+        log_info "After copying, restart the core server's Docker services for the changes to take effect."
+        echo ""
+    fi

    # Update Docker daemon configuration to use shared CA
    log_info "Updating Docker daemon to use shared CA for TLS..."