new changes

YakPanel-server/backend/app/api/ssl.py

@@ -14,6 +14,7 @@ from app.core.utils import environment_with_system_path
 from app.api.auth import get_current_user
 from app.models.user import User
 from app.models.site import Site, Domain
+from app.core.utils import exec_shell_sync
 from app.services.site_service import regenerate_site_vhost
 
 router = APIRouter(prefix="/ssl", tags=["ssl"])
@@ -97,6 +98,27 @@ def _certbot_missing_message() -> str:
     )
 
 
+def _reload_panel_and_common_nginx() -> None:
+    """Reload nginx so new vhost (ACME path) is live before certbot HTTP-01."""
+    cfg = get_runtime_config()
+    seen: set[str] = set()
+    binaries: list[str] = []
+    panel_ngx = os.path.join(cfg.get("setup_path") or "", "nginx", "sbin", "nginx")
+    if os.path.isfile(panel_ngx):
+        binaries.append(panel_ngx)
+        seen.add(os.path.realpath(panel_ngx))
+    for alt in ("/usr/sbin/nginx", "/usr/bin/nginx", "/usr/local/nginx/sbin/nginx"):
+        if not os.path.isfile(alt):
+            continue
+        rp = os.path.realpath(alt)
+        if rp in seen:
+            continue
+        binaries.append(alt)
+        seen.add(rp)
+    for ngx in binaries:
+        exec_shell_sync(f'"{ngx}" -t && "{ngx}" -s reload', timeout=60)
+
+
 @router.get("/domains")
 async def ssl_domains(
     current_user: User = Depends(get_current_user),
@@ -144,6 +166,25 @@ async def ssl_request_cert(
         raise HTTPException(status_code=400, detail="Webroot must be under www_root or setup_path")
 
     dom = body.domain.split(":")[0].strip()
+    webroot_norm = webroot_abs.rstrip(os.sep)
+
+    result_dom = await db.execute(select(Domain).where(Domain.name == dom).limit(1))
+    dom_row = result_dom.scalar_one_or_none()
+    if dom_row:
+        regen_pre = await regenerate_site_vhost(db, dom_row.pid)
+        if not regen_pre.get("status"):
+            raise HTTPException(
+                status_code=500,
+                detail="Cannot refresh nginx vhost before certificate request: " + str(regen_pre.get("msg", "")),
+            )
+        _reload_panel_and_common_nginx()
+
+    challenge_dir = os.path.join(webroot_norm, ".well-known", "acme-challenge")
+    try:
+        os.makedirs(challenge_dir, mode=0o755, exist_ok=True)
+    except OSError as e:
+        raise HTTPException(status_code=500, detail=f"Cannot create ACME webroot directory: {e}") from e
+
     prefix = _certbot_command()
     if not prefix:
         raise HTTPException(status_code=500, detail=_certbot_missing_message())
@@ -152,7 +193,7 @@ async def ssl_request_cert(
         "certonly",
         "--webroot",
         "-w",
-        body.webroot,
+        webroot_norm,
         "-d",
         dom,
         "--non-interactive",
@@ -180,10 +221,13 @@ async def ssl_request_cert(
 
     if proc.returncode != 0:
         msg = (proc.stderr or proc.stdout or "").strip() or f"certbot exited with code {proc.returncode}"
-        raise HTTPException(status_code=500, detail=msg[:8000])
+        hint = (
+            " Check: DNS A/AAAA for this domain points to this server; port 80 is reachable; "
+            "the website is enabled in YakPanel; nginx on port 80 loads this site’s vhost (same server as panel nginx if used)."
+        )
+        raise HTTPException(status_code=500, detail=(msg + hint)[:8000])
 
-    result = await db.execute(select(Domain).where(Domain.name == dom).limit(1))
-    row = result.scalar_one_or_none()
+    row = dom_row
     if row:
         regen = await regenerate_site_vhost(db, row.pid)
         if not regen.get("status"):