From 09d0e2e03365bb0f45d51ff860ae2cb4f0bdc06f Mon Sep 17 00:00:00 2001
From: Niranjan <niranjan@yakpanel.com>
Date: Tue, 7 Apr 2026 10:23:05 +0530
Subject: [PATCH] new changes

---
 .../app/api/__pycache__/ssl.cpython-314.pyc   | Bin 6908 -> 9406 bytes
 YakPanel-server/backend/app/api/ssl.py        |  82 ++++++++++++--
 .../__pycache__/site_service.cpython-314.pyc  | Bin 32648 -> 36883 bytes
 .../backend/app/services/site_service.py      | 103 +++++++++++++++++-
 .../webserver/templates/nginx_site.conf       |   9 +-
 5 files changed, 177 insertions(+), 17 deletions(-)

diff --git a/YakPanel-server/backend/app/api/__pycache__/ssl.cpython-314.pyc b/YakPanel-server/backend/app/api/__pycache__/ssl.cpython-314.pyc
index 3b55a964520a77efdebad945740f059a51585d4e..678fc7b3bc753690b7ea6d258fd30c3b6f69b79b 100644
GIT binary patch
delta 4574
zcmb6cZERcB^*%p;Jbyhqu^lINKAg|iq)tkcCLsx>A!~5x2ks+F=}2oi_KWj|V_Ww<
zH;LJB5Qw&jDU|nvAdu*!Nz0~98iEPLG&VFe5Ci0pBAeG#6lv3hrfsR3ZQZn~JNMac
zLr16W%0BnJbI(2J+;i?d_uPN(eQTWUWUVFy?dQ*25Z<aj$JXYG6hcdgLlQcPIBJ}d
zD7Du}8nve-8hXvRHmH+yLA|688YDv#;ibo!piwfaxOUtWG)ra`*Nt0(R>`X3`f)aB
zlWZz(7`F$jq$(9>#;b!4$pLr{amI0H&?ULl0n>O*&@H)D+&o?ztdr`39?7GATgJV?
zda1q%ozOKS&dRY}6ld$#kmVpGHE?z};;P&zVV4?DG=%Oc(YHgcx)&Bp+6jF#I^iN;
zxf`Fh%3zO%bATu(5tX2N)d`@$=R%;?1tT>lti5!JEH#6w17((N9p|n{yQzu{t6$qS
zMQTA{-7TtGZ)3mbtA+MZoEN0j-y)@rqgs)_LH>wZZK&syrv#iz&hbepJTFMIVR2EE
z__=U8BF)NAX?FGaDaD2PIG^NkMB>Au0N~VYN|dtNZc$7qGyuOw(Wfy#BP=LdDH4~z
z?-+4@K?0!YF)w9s@&^>~Nmw4EQ~SL@cfntD09ZnQLk7xqg@BhHRJ*G{Mo|JPO$!L|
z>(w6uSd!1Xng+n*sIurZnnXLwyfNUbhwoO{vvxGL3!yYMMdqt5q?g||J1C?4sIxt%
zavr<`p-C#EX@VI>)Cf|+H5$bb<*_uKlKh&iy*ne~?r9;}U8ZGgR7xThjU=|y{W?W2
z&SoSbq3Gskh3KrJNr{S<I8xCI;*5~sK{7S3P-zi-lS4iq_JCQ6BV3jo<`?*AMv6=)
zc-#Ras+Y)qT|yfSyKH&d^6c?-rfF&9GXqn!+0QT+twU$14YPH*|7`#AzO(yQnhWOo
z3+DQw!})aZiVm^ESM<o@!u22{%XG(5a}gmaM#*NU<V%_{4R*=xbgLKF0YxO_7S$w7
zVx$6}{3hL|!S%0RroXG{>;$sHq;QPK;ps&T-bD%>NhEN9@V5Z)>+w#4`{f_&TixpN
z%&<YiWz~2P2Af{}y}p5>`eYrm+)mc0=u5+jVV<AHsg$JXc(62q-9(}W*U3L)JbEGw
zd*zEv8`bxmv5TsgyN%!8JpxqK^8F>thY1$}ePqA@;M!?)8a;_rC*Wau!{{;Tfvj$*
z;pa@<IgY-$L%L~*zZR=jX{S@M#qx4sf}d99Vk_WSM+nsI{dPBui^N@IgO5>^{)!4W
zO!b>I`TT8l&8ChZTlzbY(RIZ@aMi>pF|5*9K%PKId-WQa9I?u;oBl=7@^y0$z%R_>
zUYaxPB7P~i%8BUGq_u=gUa~Y&R{3R1o!JV>fPqB7Olsv{S?>JO_jSvlb`pgUIUJqj
zRNm4!OGWTWv|XM23u}F2S~o?)q_#><OzS80BoT8q`Eyf^nX^yoxGJuib4<#Q+gv%$
z$+@_iE;eoOqN&=-<j}T-RA|j;(!d!x<H^^i8Y;Ak63*REq5v(;OfVs``)+9`(ZD=H
zu^34Sz|mG7zHb}b5LL+>aact?Y9fr}?A_9~@u_*E3DPQAzI+#JK58$`<Ql%(3=7($
zNgJogUQ`=bJ7MG+w>y%fE7#R5HK7Ul<q@r;f$Sc&O_6h^wn`X6-Gn24gC5#l;kemP
z=mvu5Mve^i+#IQ3C#j0ON`D{XJl}-%El^AJA)N`OO%tZjUiodS$Coxwm@BS|No2uO
z{S`sSJ3|A&<j9ef5A8q1SSBo?q0-oP$Td|IS0u;x6Ukf?#N5X<Pmxokw%g42arM1r
zokWs)XWwuNOypYr_h@o$oQFc>{Fl|Y{@=56>U1BPYAl<L^e9%|9NWXs)!hs@=b6=P
zI|IJT%$xmfWO%<ULqJ2cvjGW|0Ui1y{NLP53zWY-d$0T*c7*DB^&_@{(&1(hEC1Qn
zMtNkXy@$GA4%#2hDb%3CkSi#aOe|)Nfj~J6XElL&_{XwUfj}~q3<yaHYJjLDoZ_?Q
zKp+ywJRgu!V%87{sQEfu69|wpfXA4R1){TXGw{hc50~JqB&D+~5fk8NW=h<Ct-?kl
zX(^Y%d^nYn(isV=2Yx|P43aR%14W@pb+QGK&2r@{(w9t0zL``e8SC<mCq)TV_yozf
zlkbXm`9PQt?l+ZK=J)#|$(WB%ilBrr3ZgHS^o2$yf?Y?lwJK8%Boc)&AE@;0ymMf;
z=vPp-uA-4&fRZQXBgK&~nu_th!6U-{CWMZ_buUGvjHu9aVm!NN6g()*2vMk#K#iDz
zIny9885fcZKDA=<WzsP+Is<nb9~<;3da~?XM#{E*#bjc5X>w^=OxS(x`gMO3-UmU%
zq%6Su3D6Q?B!EO$y@eG+WLi`U4?2=uRCHoGA;6^y6_}7#D+|RWW~S3P73D=Sr_eZ)
z#H9RJs>Z;wBPnT&c=!OuDXg#)rC=ObNDB~F#Z;>3h$n~xpcKGr4@<#!5(CKPifu$1
zltDb^OJ#yCA<Tgd)gn|)5gbk>A?7#?+ltR&I3fs>1f|e%Uc%%?@U!?3p_YmXbtpO$
zhjk?qsd=!1hKfNkmqQeW>P(@db1|s4U`;qmW|I3KR+gGqbZYsEj{!j>7ivdGhwnz)
zkKru*sj9~LEf^tngZMkhDA&G#i+humYpdVQvCExjI}0Z7n#sE|x^D8FulmH)S}^(7
zO#XFK=hEm#b^Chtj-`W_8Ap++E)r;g-?HT_>57cG$ass4tH@Lls_Cq$$oPs3TV!fC
z8*FC%(&%OjtNRAEVXIqy?CHmf7F*HVRIG9po$d|$u628^Ys;*+o6cxA8xdnUoqIgD
z(tN?-E!rH*kDh(BVC&A?x>sT^Kk~vOC47}DuzhQ6-#R-`V1+#V_8rSVG*x&gzV=W&
ze{42CES#Y?Snn$RlhHSHKfV6~drzLZ=d#1~{NTC4mu9{<`C_urxM!_#&ue|J54|$<
z%UtVP&w=&Eu|ngawZ=p59bIpHVBHZaSVK!=MU%Z?YF#t6uAADIMn5x{HflOo?|t3y
ziebHGpkN<3qbu5+%Zq0hS85BkmXB>Mm+iGHZAH5)?>_iJG|wF?a1XC>59g;M`6$26
z&8#1Zf8vf8fvNZ9p%;b<-d%a`uH0(ND!)3D_w3y?Xr1gP(puR~78$FaZ7VX?ylroh
zu|M1U{Ls0ff}<_(Xgl9>o<Bd6uMPmaMGx#c{k5%bWNFv})CmhO)_RMM_?C{gnKt#v
z?%XucM&}lTEHwpl+nTv;3sEE-#6$VsBNuY)1NpBX&ojq2X+r<U6&A5aDX6Qf?)tm<
zBy5-`+71s=t5pEr9Q6Qv$K62S-jPn|e%;)9s2{znZ3X<@oelzr-2mTnj`TwJK0_Vu
z)4p%?61=^Zz`Lo#1KRiZ5lO$P>pwi$MtxA#2p=EpHW1j~dANuEu+>grj}|B&4p4^&
z<rT-#gQRFJ9T*E>|E)SbP4;;W08*V=sIO61RQRJ<sfTjE*ZGP@Pp(qjBLAVLw?;)r
zRj~@SpcdR6*dy<C_jSlb7^4b%gL<RmEu&h-!n2WngkSU<%UMZ2=XT~EBm(yk&<a4&
zN789N8H4nZ!jNM9I@NlGNx%&gjtN-NkpnKO2}I3nA}RRP!&`bexyaKZA&8Rtf+{Cp
z5kCW5Pr+Y&2Y`B#A<jFNg7S{qk89c$Ll~YT(QvqA8Dw&V1zA^jIadevbcsAZB|u*6
zQeV2|FEvHMV-}Je<U3LyVvzvyoKar|ka^%qj7btv)nnqT(vyRfwF)ylmx^T){6735
ze8P=}#ESr6Pf^sTX!s&BUWAQ(5mm`|d)zJkmyrJw@_mMOUP42k8>?43R(0p+FBrR*
u^ncOAOL@~NCp{tWr|!m;Q*!RF>f_-mjWl(e8uE_V<TUb{XNR^PH2fRE;S?wU

delta 2118
zcmaJ>Yiv|S6rQ<v@7?#K`|h@-+Xtl=+5&BX@Cbrc*`*1zH?o>YS+~2lWy5W^%$-sS
z(biysF&ZUfBE}!S{#0WkPz}W&2tm`RF==8G@d_e|{@|A-5XD3j&)n@s;D__$%$f6=
zGjq=QE~fw9;9KMKx)7{4zWcto-E+zppL!o7G>ue5(E+65G^QAKAuXgtDyD4ImXfGc
z&vjy2PT8s5;%#Y1%1NCTFQr{6H+5UQoc5%=)NAqfv@hkSev5ac1F0%nW%15*FcqR9
zi+82hhf@(6u@3HZG!>(<RGh}^(SX>1RFCTIz^ZSPz*9zuRu5G7ZD2Qpp?&^tNSm(#
zTLT&hJ#g|?PF;c;h#|EqhV+1ryUPxU)<h7*4uU2$;O-X7Vp=;;&29uEUEzxNgOR(i
z8Uc^!L$Ov=GGfQEYs~|>fJYoWsvq*GS8)?k63iyd1pL}jEuS?GYPy~^CP(w^YoU$#
z#2WUIlo4(TOpu${lsF<)LyjS~Lv9xCpxGh$J)x}@B&MT83L41{PLeu)6mz;xR&dTX
zmZJw1nMB|~qO8-|6pM4Y+c5NOp)`^!jvAy5B*9tTS%<O0UUt2P!z|&haVyvq4N4S&
z#MpLsLgtR7njLUAgV_mp2Trha?&sF=-!ym)b`Z;=gPU=paD^Sny_4u9dJ&O?rD0i5
zf_>|9vTvkKQ(+L9w!u<i(n=BTvfRBORxpXdW`%Anhvu&*oUG%DB#>$JCyL-+eA}Ye
zT(wIgKmHnw-j+CH-I-tR8n8!*Cv*ZK+nq(Iw~({5XT1Mlf!+3X0e#h%t`Ssw8_#rk
zRhpnf7!$#&f2DnYprYG~`)#{Xp&p@HRF5)tD6|8L?8u00*uUO=|M>&|mRi-5L4Eh<
zvK+^QR4>bUqfY|k0~1>%{(n1Y{GIkO+x}2Rma!c;ss<_pF#%yoCL^y}Ru>NNoYbm}
z%<2QRzRe&mq%BdfEJ|#Kk`<tKwP-*85^JfUjNBJv4S_^-E3SkZu3CPcR8}>sV&&F@
zSPiRAHKIn<SVmeaHlYn-5i9XyJK4VQ&e=D^b=YPKC4*gvG~+n?Insr<v0(K0)Uo=!
zM(ALPCiz|()hCnf?GxG{DS@bcBH4IMZcMfpU{_#oA1#fx7e}c^a(P-jqJbngOf;>X
zmJHxE=wdzDXyQibSUW9_Xr*y#N*W<0VtS16d|oq*p>bWGEZ&7jo3b%Qb9CG=#Svrp
zSfmFsC=M0#IjSXzc6eMfs8%p#h%q)!6%XOPM%HuE$q6qGadNVY6aGu4JvV6ZL4&~?
zog^GqO-V0JXvCCYfQn;^gFM2G`4pOBe(0%TaM8I%0gfX;c*Y`ROnSk@Z~$p(N%B=5
zDl@?6bve5%|1$ywMr*n8v+$;Sw_p;MJnUTc{FE}&{7Kt~Z8Iy*9GNS8ap=OKxq&4F
zqtJP^bL08dXIG!8o$Fr`v2zDr5|QM%>p+3})5c8CqJP~Bsp*~@cGpW2r<>kU-csIP
zv*=$r({V|hcV2d0aWAg!z2>W#5zq9TPoGWC_WsblXQ6w~rLOtSmp5P8y6D@x;MjZB
zvnBj`;q>DRO<U$tm+}kl-3zwee;G}X=!xcCt$3yi$mcx?pkK!7INk7Q7`A!Wie0TN
zUf18t5uprM9^n2D1fZXh5e33Qz=IzH5a9IVLU|{N*-z`v3NlATvWgu_c1JCCqZQV~
zM=fM&A#wIua%0Or9*qC{G@8S6Ef<{@a&QPdq)jT$<zlm{hVb4ectHLlQ!W}qMO`!H
z+}M~l3Qc2_2sDo(l`HMgp;@zqBD4W7nPGvm)iH(y?pA@}`oj%1QVGr}cB<hwPtvq!
z0h#mJEZN0gY5e7BnLu+uD~ZDzwV>L9NI>=y^cL>|!kr0!RvBR}fOl*gDHX<bZ991$
z6daz7uYf?|G5!&4`w2PO?@h79>g!0kj*>S}>rH3ybjytN?!=;V?X<ikv)1Om&>t3v
W-Vu>dy(DlvU0TOj^C}z1$A1BdD&2hm

diff --git a/YakPanel-server/backend/app/api/ssl.py b/YakPanel-server/backend/app/api/ssl.py
index e0f0f387..1cb82fd0 100644
--- a/YakPanel-server/backend/app/api/ssl.py
+++ b/YakPanel-server/backend/app/api/ssl.py
@@ -1,5 +1,7 @@
 """YakPanel - SSL/Domains API - Let's Encrypt via certbot"""
 import os
+import shutil
+import subprocess
 from fastapi import APIRouter, Depends, HTTPException
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select
@@ -7,14 +9,25 @@ from pydantic import BaseModel
 
 from app.core.database import get_db
 from app.core.config import get_runtime_config
-from app.core.utils import exec_shell_sync
+from app.core.utils import environment_with_system_path
 from app.api.auth import get_current_user
 from app.models.user import User
 from app.models.site import Site, Domain
+from app.services.site_service import regenerate_site_vhost
 
 router = APIRouter(prefix="/ssl", tags=["ssl"])
 
 
+def _certbot_executable() -> str:
+    w = shutil.which("certbot")
+    if w:
+        return w
+    for p in ("/usr/bin/certbot", "/usr/local/bin/certbot"):
+        if os.path.isfile(p):
+            return p
+    return "certbot"
+
+
 @router.get("/domains")
 async def ssl_domains(
     current_user: User = Depends(get_current_user),
@@ -48,8 +61,9 @@ class RequestCertRequest(BaseModel):
 async def ssl_request_cert(
     body: RequestCertRequest,
     current_user: User = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db),
 ):
-    """Request Let's Encrypt certificate via certbot (webroot challenge)"""
+    """Request Let's Encrypt certificate via certbot (webroot challenge)."""
     if not body.domain or not body.webroot or not body.email:
         raise HTTPException(status_code=400, detail="domain, webroot and email required")
     if ".." in body.domain or ".." in body.webroot:
@@ -59,14 +73,62 @@ async def ssl_request_cert(
     webroot_abs = os.path.abspath(body.webroot)
     if not any(webroot_abs.startswith(a + os.sep) or webroot_abs == a for a in allowed):
         raise HTTPException(status_code=400, detail="Webroot must be under www_root or setup_path")
-    cmd = (
-        f'certbot certonly --webroot -w "{body.webroot}" -d "{body.domain}" '
-        f'--non-interactive --agree-tos --email "{body.email}"'
-    )
-    out, err = exec_shell_sync(cmd, timeout=120)
-    if err and "error" in err.lower() and "successfully" not in err.lower():
-        raise HTTPException(status_code=500, detail=err.strip() or out.strip())
-    return {"status": True, "msg": "Certificate requested", "output": out}
+
+    dom = body.domain.split(":")[0].strip()
+    certbot_bin = _certbot_executable()
+    cmd = [
+        certbot_bin,
+        "certonly",
+        "--webroot",
+        "-w",
+        body.webroot,
+        "-d",
+        dom,
+        "--non-interactive",
+        "--agree-tos",
+        "--email",
+        body.email,
+        "--preferred-challenges",
+        "http",
+        "--no-eff-email",
+    ]
+
+    try:
+        proc = subprocess.run(
+            cmd,
+            capture_output=True,
+            text=True,
+            timeout=180,
+            env=environment_with_system_path(),
+        )
+    except FileNotFoundError:
+        raise HTTPException(
+            status_code=500,
+            detail="certbot not found. Install it (e.g. apt install certbot) and ensure it is on PATH.",
+        ) from None
+    except subprocess.TimeoutExpired:
+        raise HTTPException(status_code=500, detail="certbot timed out (180s)") from None
+
+    if proc.returncode != 0:
+        msg = (proc.stderr or proc.stdout or "").strip() or f"certbot exited with code {proc.returncode}"
+        raise HTTPException(status_code=500, detail=msg[:8000])
+
+    result = await db.execute(select(Domain).where(Domain.name == dom).limit(1))
+    row = result.scalar_one_or_none()
+    if row:
+        regen = await regenerate_site_vhost(db, row.pid)
+        if not regen.get("status"):
+            return {
+                "status": True,
+                "msg": "Certificate issued but nginx vhost update failed: " + str(regen.get("msg", "")),
+                "output": (proc.stdout or "")[-2000:],
+            }
+
+    return {
+        "status": True,
+        "msg": "Certificate issued and nginx updated",
+        "output": (proc.stdout or "")[-2000:],
+    }
 
 
 @router.get("/certificates")
diff --git a/YakPanel-server/backend/app/services/__pycache__/site_service.cpython-314.pyc b/YakPanel-server/backend/app/services/__pycache__/site_service.cpython-314.pyc
index dbeb6e8b2c9b72e206850cf6642d2bf448258662..bb05cbcc275cd062b9a207cc162283c303db8997 100644
GIT binary patch
delta 7058
zcmb7Jdw5glc|S)tOFGuYy7-1{A73z*FY*Ng84w8OQmzgWj?#cZ*w(R8kR|aQ8G{Ix
z`C|pQYa#v8#cWCAK1&y}B@2zRjC9EovbAL0Ixr5gqnU(tJnhqDUBoh$r!0NC_x+A+
z2}+XgJdb~Rzwdp&+xxw@b9~~rJe^RP8_Xsn2hSh=(L2HJ&d1Ef{MR2_boqgTBF<|o
z;zHJ#%WDVP!RRt?lh+BYLTrWjSh=?dTE&c4;q`b+pjDdTiQZ=K0%*IGHr>oGc%Ty6
zRZP0ZTMcv#qZfKxybGaKn;BW_T?DN<##`id16|MPI&TBejf{4C`D)JHn*1*Riiy8P
zAGCbNZ=qi6YW|_*x2-?mjXF4z8vZ`nOV3Nq^r_w|DwUMl_4^`nEZj3F5gRZ&pHmS#
zeZt=0UIeXC?o-alTW=sdV^8DH^Umkxm)D*-^g_kC_ABnyz@qP$6z9Xlnoo2p9MVM}
zYjyBEJ+{F?_qOR(+tu_y{sMZB#=gp{YUg2Ec=m9Or3!@@<$XM^hfhGyaW2lQ_VIs!
zEtnWunrg0FM}M%wMQ!WK%|5;zR>CK$n(ubdYkd}ePRL>Psl2**F-=BHSmdNn-fOVV
zFXqPSv&@8MZiDj@8kBgbeX**VZNr@x-{O^GLnJKL^$&$YefxTX;YKk^f(Q3YhuvbZ
zU)(Ci7RloJa347wjfwrikR*%Jp`Z+Ogov?yL0O#BxrcPXDacxYxXR<{OptX*3YqCV
zQEAYvCmxj9gwTxOLMTJnjIa@*3Bau-4<qdbNNIX|WGSWU?@Oto`(-V3)r#<tLS)+f
zAt@$H$`1X}p4dK_>;;A|0U$pMFv?vs6r3zSQGUuhtuLR{mrv=%X?^XazIIAqH?8+f
z>OE)VDgENJYp&>*j;{GY$UmhS=N~t`XR*%;rjyIYmYrNVw(_0gx-*qiLgVPVS%Yx0
zXsqa@Ys_^jFn<4(p>ee1_P%XXhWgPZ9kY3c<HN^>kB=N1In_IzS8_S8<jLNr2Tl(>
z9X=gC<DD*Vxm?~dV<|Xs@Pz3-!9t2*vvjHLumHcx<JHr%EsnzOxi*(W>F9OaM!M9#
zq>Xd|Kb4nJbjm=aK#)j%F}aiZfm=iDAV5|i>_Tu*KCdFt2c$d<fUdEa*WEyvwK>yj
z_`PnirM2+;-#X4}Pv;?}N6LVdkpn3KseJ4+A!X*w1!)UXR?g~peEpNvPs-1%9dEkg
zsJmiupILXs(vmJfwvE#nZrB&|H9B_SKJbzGCm$&0em?`>0{7F<2R7Nk|6-1yUF9?8
zqc7zHYJ38qmZlvQLJ9LKomU6WSy^VM4NiljaehXQ+s1qIq9&h~?sYn~dat2fMO!tc
zR<F@3%=?ttr@Nh<xQ%V`=KDBU(Bv}%ntc{Pi;oAi`b>ZYZGzX9yQbHETg&0ogOt;!
z0xa~Y0gH0z;x-{y8UkNQJkh*E>WhQ}qAZbv5)qFaWe&Hot84oXad@8;7Pqb!`y>*}
zxT7bfTGoEcf^HFt^!3Dok+68Lc*`gr5sBjADPFv#ULhV$@kZvTDZV?d>h4bQRq#_4
zZ<<@k$mU3Zi^C%A?TbZO4y|CFii98Is~9iJ^vNMVZX?(qgjFT6D(<SfE5{EJ1-QF1
z++a8$9TFLOqWhv5YF}(Hq>u>@&|*O9?->fkn8X~N+mG_fY9tbgiSZvR4T+Elflx3Y
ziR~@zVlx0vml4h3E@^2Kn*nmT8SN#);+_$)*)uGKLQVU_k>PN2Pv4-_1R*jMlEMR0
zvv`Cl1+|sgnm=|p3L1z>hhojq5QNgqSy2Q=MTQZT9b#9E9QG>#wPuI}#d~3w3iGHj
z-kMOZVeTqNL{ELUr*0tF|L7yp0r-;!9*u?v9_<~BJ}M9QyKBTF@g4K~kq$+{|7CG;
zOCY;kPhX!T%l=SgK#cVF&#i<TnKzisDv!vI_9bN5y&7lT@;kG(w(a|W&f1L^h?CXL
zPuAZf$NC0>a7nT(4uyk<mN&-+qs<`K1l>*X#4e8<>D!-OXl}qAhLaTthWkQ80ZGgV
zdcb>bJ7v!KQ+#vW;Q>u3qZNZd#l+1X*6@TjBJ-%xtxoBBqERUvQ1VkN#1*%d^uiCp
z@JRv)Rs;zF12O4G7yy8Db&#GZYTc_j;D_V|2<Z!jYcmgOA0H)?75RIIf}wyP9L}Hd
zwO+WJ{p1J?VZnM0i;C$&&gh&rxGou7<C@Wq8L^7Gi@%asxtWJ_)b;ekryrgenJQcQ
zZsF3m$!O<{;FuO%lY(o!Yhvk?P(LlSO$u#i7oXEk39Cle%?P%WtH)N4w@(yK33by#
z%cRh9)_zu+5>}3`OKViZf@=#FjeF7@?-pmon(>1`)z-|^)J-f+bE<mBHAmU06=@FA
zi9K!Q@=GrnOF?46%5<5<urgh)S>156!ft3t*J?b~Hy0Hds?#36wr!@Z{j4L+X_l6z
z_1uD*@dXoWCV~^YU}S5_Oi9(aFwr{k@Wd8qw^-7qyjttc=5m8ItroSJq=BVZru^a@
zK&v?@3qH~Cw6dg%Ms3d;HPFePZhFI3lMu3rv)Kp{HlJ94o6^UmL2%WW^to4>5}?rO
zll=Q)v8c>$wKJ6;f_A3Tly6J1xRq?4b@Rjt9Wu{RbDk}68tJbCV7_hO?Kco+A#1AP
z_c~-$E&OKkEmBIpMaqa-RzNBrGp`9LGg20$z98Qs+s4_89+$u4-Z37yVyjBqvCn}y
z*a?)9f(@{#xd)36mV!TI6|hftd-dq$qlRrNuPSQra8V<TJ1U!AgX}8INe#eQ7q<nh
z+?Rhx9~8+xBkkGgw5VD7*09{E_2tw5aFp;ys&g(ZGtSklkhN7&vrjLv`MUJm>U=z;
zXjX<NtlWc^A(e+4Qf)AE+=1WTu~0rNWa(7lCJbCTNJTACD@<45vs$?gP+mrD-Fb88
z_1Wf@jM{znJ7$84%x514MMND@XZM_%MD8KmL+w7T&*5|W^4c>6Othea+or+=eY9Ym
zlWupK)P=r6S{ZRzy#}9ZzSzig(($YSeGTa@CQPq6E3*U5J}6j}y+-F}v-r$+c9uga
zQjptO4d<?4XAg4j0=m6$<GL`$8Yt@PYKU}TNRnfIOgxn%V%456%5+ukoLomw7cQ(}
zVf?64?>_>YBl{6T2!jY=0Qynk1}zC9wWO#n5w{)Lv16-$$9k`Cz1QEd_5QV6j=FV(
zpg1f2+3UbwY+|@0EYcQ{qey>lxE(?600I{KbFQic%@}qMAshtgAXw;<LjWm0n$n{C
z$|(beT1A|_XsALG*@JR^l*@w@0!2_vE`nBVExp+7q#wik)&CY*79NK#=FbThl0Plx
z^md4rCdUmmXK<wRxuTL20<A6Hop9A%cD0XfeKRz@;j5DyzWUCFom0#APHx!wX2H}R
z{~N96T7jNizISx}jMX-}>0eE@6a1{HVuGJCRh>|MAehG5W}HQ18%}hbQq2}O&sbe&
zO3od5yW`S!@1?HYpQu$O<`bK4=s1(@hJ`a@47L<ao69H7<(Dd&&$_1QW5tmsv-4zR
zEOM#5?d+y0^QzIWK+qrU{Plk=<W}_XGI$I3mfo<wMe|mn4v-p3p64$lUnx=Z{22XV
zX_fX{AaQ~ITj>YTKEGfqe=%uxomW+!f^IT~@EF230aDs%57eaOkFnzknl5kEeiz7#
z$=Zr<@K!c}vDh0QOePlUSl%3=SH;!*)nr-a%legQGhiB7!SCU069|ehQfm<?z;kLc
zj&x>8Q~feNM3?Ryq%YMM^53NYSif9l;i<Nvw-k>-a61GYIrr6*9&2b69>-1$3*<F=
zu3;g6oW9>sTyy81kw1aJHkH|YX`@T{bL@N;;S62VSXqqfAb$#w5(1Gys0LZ#3`&VN
z)(cs){u+I;u|s<a<gO<Fr}5`%{uI61vP9+LlaAJLtp`u2oRuwwsv)l-WVN#jn~I8P
zYH0)9k#1QvOEyG{Ec{lI(nm-@BL3dPY;-D5?&}Hl5ILoWl2keLcTkpT@(HAH{#4$8
z6zhq_h~lQ~(sEWqF{ZS4QPvQYBakWwdt#)P<4QR45cImugemX>$`&9zMb9s5hI_fO
zY^&}U&;bWsd(XHEjy=14m1-rQbgg(-llU{>+%oS7!W%^x3j6-Z5L94H!_VO)e}V9q
z2rnSKitx7pUGaQ2CLqB#0V&{i67<om8VEZi)8C&U18+NJ@cUyuy^zxVDV;Kq>}7hu
zxK2JqxYJ&+k6pm)IDw8xgAsU1Ghz2X0J!s%Q?s#8Ved~6m=gXOsf%>-zAEDlAXh^8
zkSV>mc@4dPcR}+0HNWBc%XHh?22~fIjIUh}@5?ygH2u-KMuDl4wV$G&t*g}i8dzOC
ztzQ3L0b{ZC*q1Nz5x(K`yOK>CUQ#ErM)dingR5jsYy_KQ0Pcd{Lxqaj%;K1<2=fM{
zeA!ukht0f?^Xl)aqMzY#T$e=?a-EKEZqj}R?On;AZ2p!?%pMbsu~QMv^~6KlR`Umv
z=eAYm??xLUze0Eh0BSK7rM{0H^TC5WkIf*$=UUfaA@@auvj`ms7-7P$myk>%ybK^?
znyyu9dGZQ<b7wXGeR_T8!o)e0V7f)M{;~<KoSeZvX16~?D%W_2q5&vK1MY?|(R?<X
zp&66^MEDqi881tx%sUfrV5boQm6jX0u=yrJ*1$JoliBupq~1dKdxX~!FjtT}E*h_s
z%==18Cr5^$U{2{`Jp{rB8OGF1jw4`cnd2p5jtQ`xv5U{SO%#6$fw|9*koqygd}t;A
zgiU5{%(>piCiAeLBK0o_M@tZyVf{N&*AaRVeomk6E)xcj{2IbVdZBxTHV>}nKr(Ol
zPqiwtlX=n0$=~$8$gjDJfu!_-pp3C2zyc9`Xv->+od~rFy;hw50{vCs9<2$cf0@=x
zA3C$P%=`oWHsiK$BscZHssur1z+G-WrDtDV{gM5Op|aq2yZywqEcT`Hq_DCjBP`{1
ze2Ep|ew6!m;Re{Q&m+~u?(Oe@!~n-Ws<VA!fKw_qcGlOiiILB3$hl4?nY}u^l9Xvq
zSL`D#$;X8+0z<}m;Ds2A)45k+i!8;y9WogmAoK?O$&pNmv?lk3{)X565{6`yHJe-?
zepg?S_4d2m6M2CyAFdU0JelqvE)%kG@%QlOvO`V$$8^h~Tz?MYHbxM5Jk4F4I$q$z
zQd1<-fE1PpbL@&Qxe}(=>}_N{l4<okyO+E9B?|-0`M=OZi3<0sMi|De-|m|3!klZ&
z-e8V<ZNWh~{)Nq~dokb4@iF9Ta4ju@4k6d$UOl`*D1pvd_>(PadTH~0$<^@()eBXf
zoo>F<tx2i3Z``f~U8Ze#iG+U+bmHT#r+<BPIe(L;j~+{W0~gweunnOW;T{AmL&#nP
z_FlnGn+=_pknsxy%*F&WD)|fn!vJB<fi_5RkI!-JZCUwPqhC1~2@Hj#Rip-3ycWjD
i-=iOmJm|Q&m52W=-7JM~-Jgbdc*nlk&C`vE`~D9*`Mj+F

delta 3722
zcmai%e{fXQ702J*&2DztWb<RmFS3wLNH%#%5aU=B!mrS2NeoTHhU`d@#7*`=7WNl+
z-%=BP1aSn63Z+-4I7}(pYDH-k7jdZl$9ATLDYl{xQ(hfA&N#Fxod(*DW5=OA-}^!~
zV1ym!lXK2J_r812kNY0tsAb>(n7hfHKSQD4XJhY2Tq_Q`%Najd|L$rvP*kP_ip!K}
zVU+3KfQPi1(Dc~>HBdrY>BQKaKx3ec^zsS4Do{b%Ea~eDRFdq4Ebe2K3!4Jfq}NP%
z)&}O1Rx3U00(B(&rR)#XliVQX`T(1&sLh#E>{LD*5wU_V*?nSD;W8G?yi|CCi7!i|
z;<9f@yi-=<bm&?v84c;0__%Dr0>iZ-!3VYeAze?V3@6vZ5v~pDsV-hj$5nH<hyL)H
zKr6wp>FH!t6CszkH%NNw`-EM}=Sn&ATme3C7mZu#@5jX@<2L&HZ@W_H8PA2}faHWU
z1Ck3;o<e^4klc_8%EeI49H|#8cIOojjR^N$rPWqN$@$k+hGzxs_4G{q!esR-0rnjh
zu!x$9h{qb7k*5T5f_X$+&_%S1BNbI*WUg2IrNU{4V=`a(R+JV896@%s#at)p4!XN-
zVoR+@yjYuO%WCIt(8i&yx$Zf$&X@Hpat9q>UCmPv%%5td6cvgSb?vN9Eb-UP<16U#
zBLzPCMH7P|J(7s~miR_y__q1Drl)z_XE5K0wbi%7U^B!X|F?4t%RP6C^ZtfT)oR#7
z$)pw!^A1{sw-D3<em~^3!1sW4Kq2q|upa0mT+jIcJ$AErbxuo3?qDLWYjHhQK*Rot
zpEy(Rt%{OCCi)*FP@+qfr5)^i@xn6$yE^||QYPA}R*IemkHuXoE;ej)x{7yo@p5t%
z539%7mdqWER>tDuuBIAWimY42+NQsfzOZ=}8_w)$e#=swCNqx%TLDfmY{?MUQ+yi?
z+r`lQ7TY5v4rh+cf1EYT336yQ#xd2%OY+1fD%*a2IH?(yWNPBXqPJxk+nag1<)mZr
zAUUdbb5S{S52il~WW)1Ks1Fg2S@{mg6MJ}c(LF3Aez_?o8e2;l7j3PJET<K*qjg{w
z&c(4m?gYGmT)#tn(c0`9hMo&NEACue7e+w23&<xJ_Q6Cf7SUBNpXOZV?&Llvw`k->
z;#)(}NZ4>_4@FXXB)-wG4sO`UAIF+c08fh3i>u2KNxq9<xWb88C=&0FhhiGV^XlS8
zSGH0%i~1!iY_F5w-b{SSB`Zsd-nMU8ey3!fXgg%P1F_&TDsl%1B7YXhW?(5)GngW<
zvWe2WbLHI8ov_*fJHc=ycv$281H*E*k((L}MMFGgSVPgM8J-dN%9wA5g!PTwjhY_P
zb<V>u$*4|w8f-GWZ^G9ZNhRnmi-mOVSCk5cqij{T8Q0_REdq9nh3)exgOT=C_H$&Q
zgTC2*$U?_n)49}gNy$9bc_C+TAC3Ii-4oF@Up%4vHYC#2YBIw6vB&}72fz=3BfwF@
znvpy?C#*#^T??xv{KhbFc}N+*QSo-S_d$7H2d4iCxVeI0lYxGYB*V_NSYoRt3x^*g
zi<)bmPR`v8=T`uE*b|UWijLJa_6sD^!M3dKu{ho!S+(#S5o)frTvIYvd%nf&7vZ~8
zEa`1_$tslkZlU*9+drhCYl=ABd$C9k$w%SU(8b>o=X<J{E%SWvHS1`$PQJc6@RV#7
zt%r*4Rf}#BB{<3Mk&$`}>TiI_8ZoP4(M@IXTdeDtHafq@ba~;(4mm3d*UfW%L`EB<
z_t|nLl4Hv=`_{EveAxq|^194PQ@T-%uV2P0Gk5k?=dDM<@OOd72r4sgvoRQC_sIAh
zgeqI;YfDMM<tgB40Ivv+izi<DBZ!B9X9y_^!SCaxFdQZrbJEGMc(ApSeOElNxo-5w
z7?9CMpg);MhvQGeCX4kakd6|rS1e7YPlB-8bemjcZ#$Wl_pr|UfXvT)NU|kIe+CiX
zOlE?ngblXmfo!#RK$V650;Hb<F9Od2dB9DnM}qle;~4f-B2Aw$hFuSFx-)oW6ys4~
z@~$;o#y6!Xkk+qc6}H`g?4_3=y$r}|*#+rUKo+3vv|m7#?e-d^3~+x1C`;`Oq_e<U
z;18lKHrv$)aWimIEQ__;E|XZ98I8Sdb5eJDFwigCt1lBzy~5h2sTac$j-)~ZQ7tSl
zA^KFy##0^)K_#pF05~rC()Ze~lBG`^PJddGEp6F2#dx6E&ymcpww}%zovi0IDw}xI
z^d~l(SD?K3ZY-k_o4ogoTrF;H>7RJ`%-a+b_G6~q3rX%;7Qj4t-~W`1xb)<EOYZX+
z+;A@Qtg<@r8daTBvMN2Z8AN7`{OhsmPlog%eg#XM6v6Ect}jT8pz{;x{O-)f?Qbyq
zA2DvmV^8MP&I^vJ$#_iv77#D*^}7USnY}AM*gM;my%S{zdvDdjV*kE*>>2UveN#JE
zUKQ)H>Lp;B_8ln-4kc1LeK2m+;u@DNTy>kMPg5pl5@g_BkexGK2g-)ufsNd<7x~}d
z@^>Ht+}MO_>6A=mlQgA~Ix%TVCqd0N5{G&gFuMuTC%~t`XFwk?(OZpUt+s2V@5yW$
zJ8Z3HU22YD?QZWjFIE}fSv0KLy6{sQMC1NN%n;iChewlGW+ku+@B{Y(_^vQdm4fsL
z@H%h~z{{3@2z&%w24tP1&^Y#TOp#y6^6EAmi(`p!I;t(@PAWqBr=)Q4k6T6JK)2)b
QRgC@z^q&Rdy#vet4@Qh=lK=n!

diff --git a/YakPanel-server/backend/app/services/site_service.py b/YakPanel-server/backend/app/services/site_service.py
index 2287690b..c5c53fc0 100644
--- a/YakPanel-server/backend/app/services/site_service.py
+++ b/YakPanel-server/backend/app/services/site_service.py
@@ -83,6 +83,73 @@ def _best_ssl_for_hostnames(hostnames: list[str]) -> dict:
         return none
 
 
+def _letsencrypt_paths(hostname: str) -> tuple[str, str] | None:
+    """Return (fullchain, privkey) if Let's Encrypt files exist for this hostname."""
+    h = (hostname or "").strip().lower().split(":")[0]
+    if not h or ".." in h:
+        return None
+    base = os.path.join(LETSENCRYPT_LIVE, h)
+    fc = os.path.join(base, "fullchain.pem")
+    pk = os.path.join(base, "privkey.pem")
+    if os.path.isfile(fc) and os.path.isfile(pk):
+        return fc, pk
+    return None
+
+
+def _build_ssl_server_block(
+    server_names: str,
+    root_path: str,
+    logs_path: str,
+    site_name: str,
+    php_version: str,
+    fullchain: str,
+    privkey: str,
+    redirects: list[tuple[str, str, int]] | None,
+) -> str:
+    """Second server {} for HTTPS when LE certs exist."""
+    pv = php_version or "74"
+    redirect_lines: list[str] = []
+    for src, tgt, code in (redirects or []):
+        if src and tgt:
+            redirect_lines.append(f"    location = {src} {{ return {code} {tgt}; }}")
+    redirect_block = ("\n" + "\n".join(redirect_lines)) if redirect_lines else ""
+    q_fc = fullchain.replace("\\", "\\\\").replace('"', '\\"')
+    q_pk = privkey.replace("\\", "\\\\").replace('"', '\\"')
+    return (
+        f"server {{\n"
+        f"    listen 443 ssl;\n"
+        f"    server_name {server_names};\n"
+        f'    ssl_certificate "{q_fc}";\n'
+        f'    ssl_certificate_key "{q_pk}";\n'
+        f"    index index.php index.html index.htm default.php default.htm default.html;\n"
+        f"    root {root_path};\n"
+        f"    error_page 404 /404.html;\n"
+        f"    error_page 502 /502.html;\n"
+        f"    location ^~ /.well-known/acme-challenge/ {{\n"
+        f'        default_type "text/plain";\n'
+        f"        allow all;\n"
+        f"        try_files $uri =404;\n"
+        f"    }}\n"
+        f"{redirect_block}\n"
+        r"    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {" + "\n"
+        f"        expires 30d;\n"
+        f"        access_log off;\n"
+        f"    }}\n"
+        r"    location ~ .*\.(js|css)?$ {" + "\n"
+        f"        expires 12h;\n"
+        f"        access_log off;\n"
+        f"    }}\n"
+        r"    location ~ \.php$ {" + "\n"
+        f"        fastcgi_pass unix:/tmp/php-cgi-{pv}.sock;\n"
+        f"        fastcgi_index index.php;\n"
+        f"        include fastcgi.conf;\n"
+        f"    }}\n"
+        f"    access_log {logs_path}/{site_name}.log;\n"
+        f"    error_log {logs_path}/{site_name}.error.log;\n"
+        f"}}\n"
+    )
+
+
 def _render_vhost(
     template: str,
     server_names: str,
@@ -92,14 +159,32 @@ def _render_vhost(
     php_version: str,
     force_https: int,
     redirects: list[tuple[str, str, int]] | None = None,
+    le_hostnames: list[str] | None = None,
 ) -> str:
     """Render nginx vhost template. redirects: [(source, target, code), ...]"""
-    force_block = "return 301 https://$host$request_uri;" if force_https else ""
+    if force_https:
+        force_block = (
+            '    if ($request_uri !~ "^/.well-known/acme-challenge/") {\n'
+            "        return 301 https://$host$request_uri;\n"
+            "    }"
+        )
+    else:
+        force_block = ""
     redirect_lines = []
     for src, tgt, code in (redirects or []):
         if src and tgt:
             redirect_lines.append(f"    location = {src} {{ return {code} {tgt}; }}")
     redirect_block = "\n".join(redirect_lines) if redirect_lines else ""
+    hosts = le_hostnames if le_hostnames is not None else [p for p in server_names.split() if p]
+    ssl_block = ""
+    for h in hosts:
+        le = _letsencrypt_paths(h)
+        if le:
+            fc, pk = le
+            ssl_block = _build_ssl_server_block(
+                server_names, root_path, logs_path, site_name, php_version, fc, pk, redirects
+            )
+            break
     content = template.replace("{SERVER_NAMES}", server_names)
     content = content.replace("{ROOT_PATH}", root_path)
     content = content.replace("{LOGS_PATH}", logs_path)
@@ -107,6 +192,7 @@ def _render_vhost(
     content = content.replace("{PHP_VERSION}", php_version or "74")
     content = content.replace("{FORCE_HTTPS_BLOCK}", force_block)
     content = content.replace("{REDIRECTS_BLOCK}", redirect_block)
+    content = content.replace("{SSL_SERVER_BLOCK}", ssl_block)
     return content
 
 
@@ -183,7 +269,10 @@ async def create_site(
     if os.path.exists(template_path):
         template = read_file(template_path) or ""
         server_names = " ".join(d.split(":")[0] for d in domains)
-        content = _render_vhost(template, server_names, site_path, www_logs, name, php_version or "74", force_https or 0, [])
+        le_hosts = [d.split(":")[0] for d in domains]
+        content = _render_vhost(
+            template, server_names, site_path, www_logs, name, php_version or "74", force_https or 0, [], le_hosts
+        )
         write_file(conf_path, content)
 
     # Reload Nginx if available
@@ -337,7 +426,10 @@ async def update_site(
             fhttps = getattr(site, "force_https", 0) or 0
             redir_result = await db.execute(select(SiteRedirect).where(SiteRedirect.site_id == site.id))
             redirects = [(r.source, r.target, r.code or 301) for r in redir_result.scalars().all()]
-            content = _render_vhost(template, server_names, site.path, cfg["www_logs"], site.name, php_ver, fhttps, redirects)
+            le_hosts = [d.name for d in domain_rows]
+            content = _render_vhost(
+                template, server_names, site.path, cfg["www_logs"], site.name, php_ver, fhttps, redirects, le_hosts
+            )
             write_file(conf_path, content)
         nginx_bin = os.path.join(cfg["setup_path"], "nginx", "sbin", "nginx")
         if os.path.exists(nginx_bin):
@@ -411,7 +503,10 @@ async def regenerate_site_vhost(db: AsyncSession, site_id: int) -> dict:
     fhttps = getattr(site, "force_https", 0) or 0
     redir_result = await db.execute(select(SiteRedirect).where(SiteRedirect.site_id == site.id))
     redirects = [(r.source, r.target, r.code or 301) for r in redir_result.scalars().all()]
-    content = _render_vhost(template, server_names, site.path, cfg["www_logs"], site.name, php_ver, fhttps, redirects)
+    le_hosts = [d.name for d in domain_rows]
+    content = _render_vhost(
+        template, server_names, site.path, cfg["www_logs"], site.name, php_ver, fhttps, redirects, le_hosts
+    )
     write_file(conf_path, content)
     nginx_bin = os.path.join(cfg["setup_path"], "nginx", "sbin", "nginx")
     if os.path.exists(nginx_bin):
diff --git a/YakPanel-server/webserver/templates/nginx_site.conf b/YakPanel-server/webserver/templates/nginx_site.conf
index f03593f8..d5e87dc1 100644
--- a/YakPanel-server/webserver/templates/nginx_site.conf
+++ b/YakPanel-server/webserver/templates/nginx_site.conf
@@ -8,12 +8,14 @@ server {
     error_page 404 /404.html;
     error_page 502 /502.html;
 
-    # ACME challenge
-    location ~ \.well-known {
+    # ACME HTTP-01 (Let's Encrypt). Prefix match wins over regex locations.
+    location ^~ /.well-known/acme-challenge/ {
+        default_type "text/plain";
         allow all;
+        try_files $uri =404;
     }
 
-    # Force HTTPS redirect (when enabled)
+    # Force HTTPS (skipped for ACME — see if block)
     {FORCE_HTTPS_BLOCK}
 
     # Custom redirects
@@ -39,3 +41,4 @@ server {
     access_log {LOGS_PATH}/{SITE_NAME}.log;
     error_log {LOGS_PATH}/{SITE_NAME}.error.log;
 }
+{SSL_SERVER_BLOCK}