From 5bf6d0d84ce809439a301ec1a461f30c569c1319 Mon Sep 17 00:00:00 2001
From: CyberMind-FR
Date: Mon, 23 Feb 2026 08:45:50 +0100
Subject: [PATCH] fix(metablogizer): Add wildcard SSL cert mapping on site creation

Sites on *.gk2.secubox.in were failing because HAProxy couldn't match the SNI to the correct certificate.

New add_haproxy_cert() helper:
- Extracts base domain from subdomain
- Creates UCI cert entry mapping domain to wildcard cert file
- Applied to all vhost creation paths (create, upload, republish)

Sites now work immediately after one-click deploy without manual certificate configuration.

Co-Authored-By: Claude Opus 4.5
---
 .../root/usr/libexec/rpcd/luci.metablogizer | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/package/secubox/luci-app-metablogizer/root/usr/libexec/rpcd/luci.metablogizer b/package/secubox/luci-app-metablogizer/root/usr/libexec/rpcd/luci.metablogizer
index a8224983..31611625 100755
--- a/package/secubox/luci-app-metablogizer/root/usr/libexec/rpcd/luci.metablogizer
+++ b/package/secubox/luci-app-metablogizer/root/usr/libexec/rpcd/luci.metablogizer
@@ -121,6 +121,23 @@ PYEOF
 done
 }
 
+# Add HAProxy cert entry for wildcard SSL mapping
+add_haproxy_cert() {
+ local domain="$1"
+
+ # Extract base domain for wildcard cert (e.g., gk2.secubox.in from sub.gk2.secubox.in)
+ local base_domain=$(echo "$domain" | sed 's/^[^.]*\.//')
+ local cert_name=$(echo "$domain" | sed 's/[^a-zA-Z0-9]/_/g')
+
+ # Check if wildcard cert exists
+ local wildcard_cert="/opt/haproxy/certs/*.${base_domain}.pem"
+ if lxc-attach -n haproxy -- ls "$wildcard_cert" >/dev/null 2>&1; then
+ uci set "haproxy.cert_${cert_name}=cert"
+ uci set "haproxy.cert_${cert_name}.domain=$domain"
+ uci set "haproxy.cert_${cert_name}.cert_file=$wildcard_cert"
+ fi
+}
+
 # Get .onion address for a site if Tor hidden service exists
 get_onion_address() {
 local site_name="$1"
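Review bot: `domain` reaches `add_haproxy_cert` without any hostname validation, yet it is used to build a path that is handed to `ls` inside the haproxy container and written verbatim into the `haproxy.cert_*.domain` value; only `cert_name` is sanitized. A guard at the top of the function such as `case "$domain" in ""|*[!A-Za-z0-9.-]*|.*|*..*|*.) return 1 ;; esac` keeps `/`, whitespace and dot-dot sequences out of both the container path and the UCI entry, independent of whatever the rpcd callers check elsewhere in the file. The function also exits 0 whether or not a mapping was created, so a site deployed without a matching wildcard cert leaves no trace; a `return 1` (or a `logger` line) in an `else` branch would let callers report it. Note that `wildcard_cert` keeps a literal `*` in the filename because the expansion is quoted in both the `ls` check and the `cert_file` value, so the file in the container must really be named `*.<base_domain>.pem` — if that is intended, say so in the comment, since a reader will assume a glob.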
@@ -460,6 +477,9 @@ EOF
 uci set "haproxy.$vhost_name.acme=$acme_val"
 uci set "haproxy.$vhost_name.enabled=1"
 uci set "haproxy.$vhost_name.priority=50"
+
+ # Add cert entry for wildcard SSL
+ add_haproxy_cert "$domain"
 uci commit haproxy
 
 # Add mitmproxy route for WAF inspection
@@ -838,6 +858,9 @@ method_update_site() {
 uci set "haproxy.$vhost_name.ssl_redirect=1"
 uci set "haproxy.$vhost_name.acme=1"
 uci set "haproxy.$vhost_name.enabled=1"
+
+ # Add cert entry for wildcard SSL
+ add_haproxy_cert "$domain"
 uci commit haproxy
 
 # Regenerate and reload HAProxy
@@ -1173,6 +1196,8 @@ EOF
 uci set "haproxy.$vhost_name.enabled=1"
 uci set "haproxy.$vhost_name.priority=50"
 
+ # Add cert entry for wildcard SSL
+ add_haproxy_cert "$domain"
 uci commit haproxy
 
 # Add mitmproxy route for WAF inspection
@@ -1960,6 +1985,8 @@ EOF
 uci set "haproxy.$vhost_name.enabled=1"
 uci set "haproxy.$vhost_name.priority=50"
 
+ # Add cert entry for wildcard SSL
+ add_haproxy_cert "$domain"
 uci commit haproxy
 
 # Add mitmproxy route for WAF inspection
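Review bot: The status of `add_haproxy_cert "$domain"` is discarded at all four call sites (the hunks at old lines 460, 838, 1173 and 1960), and the helper is silent when no wildcard certificate is found, so a vhost can be committed with no certificate mapping and nothing in the log says so. Since these are the one-click deploy paths the commit message relies on, that case is worth surfacing once, e.g. `add_haproxy_cert "$domain" || logger -t metablogizer "no wildcard cert mapped for $domain"`, which in turn needs the helper to return non-zero when the cert is absent. In the first of these hunks the vhost also carries `acme=$acme_val`, so when ACME is enabled for a site both a per-site ACME certificate and the wildcard mapping may apply to the same SNI; which one HAProxy ends up serving is decided by config generation outside this diff and deserves a comment at the call site. The enclosing functions begin before each hunk.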