[CLAUDE] Scripts: rewrite 4 deploy PS1 ASCII-only for PS 5.1 compat
PowerShell 5.1 reads .ps1 files as locale codepage (not UTF-8 no BOM), which corrupts multi-byte Vietnamese chars and breaks parsing. Rewrote setup-iis-sites.ps1, setup-ssl.ps1, setup-gitea-runner.ps1, deploy-all.ps1 as ASCII-only. Also renamed $Host param to $HostName in Ensure-Site to avoid collision with PowerShell built-in $Host automatic variable. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
pqhuy1987
@ -1,19 +1,19 @@
|
||||
# Cài HTTPS cert Let's Encrypt cho 3 domain SOLUTION_ERP qua win-acme (WACS).
|
||||
# Chạy trên VPS Windows Server với admin privilege.
|
||||
# Idempotent: chạy lại sẽ bỏ qua cert còn valid.
|
||||
# Install HTTPS cert Let's Encrypt for 3 SOLUTION_ERP domains via win-acme (WACS).
|
||||
# Run on VPS Windows Server with admin privilege.
|
||||
# Idempotent: re-run skips cert still valid.
|
||||
#
|
||||
# Usage:
|
||||
# .\setup-ssl.ps1
|
||||
#
|
||||
# Prereq:
|
||||
# - IIS sites đã tạo (chạy setup-iis-sites.ps1 trước)
|
||||
# - Port 80 từ Internet → VPS mở (Let's Encrypt HTTP-01 challenge)
|
||||
# - 3 domain api/admin/user.huypham.vn đã trỏ DNS về VPS IP
|
||||
# - IIS sites created (run setup-iis-sites.ps1 first)
|
||||
# - Port 80 from Internet -> VPS open (Let's Encrypt HTTP-01 challenge)
|
||||
# - 3 domains api/admin/user.huypham.vn pointing DNS to VPS IP
|
||||
#
|
||||
# Output:
|
||||
# - 3 cert trong Windows Cert Store (LocalMachine\My)
|
||||
# - HTTPS binding port 443 cho 3 site
|
||||
# - Scheduled task auto-renew (90 day cycle Let's Encrypt, win-acme tự renew khi còn 30 ngày)
|
||||
# - 3 cert in Windows Cert Store (LocalMachine\My)
|
||||
# - HTTPS binding port 443 for 3 sites
|
||||
# - Scheduled task auto-renew (90 day cycle Let's Encrypt, win-acme auto renew when 30 days left)
|
||||
|
||||
$ErrorActionPreference = 'Stop'
|
||||
|
||||
@ -31,38 +31,39 @@ if (-not (Test-Path $WacsExe)) {
|
||||
Remove-Item $zip
|
||||
Write-Host " Installed to $WacsDir"
|
||||
} else {
|
||||
Write-Host "==> win-acme đã cài tại $WacsDir"
|
||||
Write-Host "==> win-acme already installed at $WacsDir"
|
||||
}
|
||||
|
||||
# ===================== 2. Check IIS sites exist =====================
|
||||
Import-Module WebAdministration
|
||||
$domains = @(
|
||||
@{ Site = "SolutionErp-Api"; Host = "api.huypham.vn" },
|
||||
@{ Site = "SolutionErp-Admin"; Host = "admin.huypham.vn" },
|
||||
@{ Site = "SolutionErp-User"; Host = "user.huypham.vn" }
|
||||
@{ Site = "SolutionErp-Api"; HostName = "api.huypham.vn" },
|
||||
@{ Site = "SolutionErp-Admin"; HostName = "admin.huypham.vn" },
|
||||
@{ Site = "SolutionErp-User"; HostName = "user.huypham.vn" }
|
||||
)
|
||||
|
||||
foreach ($d in $domains) {
|
||||
if (-not (Test-Path "IIS:\Sites\$($d.Site)")) {
|
||||
Write-Error "Site '$($d.Site)' chưa tồn tại. Chạy setup-iis-sites.ps1 trước."
|
||||
Write-Error "Site '$($d.Site)' does not exist. Run setup-iis-sites.ps1 first."
|
||||
exit 1
|
||||
}
|
||||
}
|
||||
Write-Host " 3 IIS site đã ready"
|
||||
Write-Host " 3 IIS sites ready"
|
||||
|
||||
# ===================== 3. Run win-acme cho từng domain =====================
|
||||
# ===================== 3. Run win-acme per domain =====================
|
||||
foreach ($d in $domains) {
|
||||
Write-Host "`n==> Issue cert cho $($d.Host)" -ForegroundColor Cyan
|
||||
Write-Host ""
|
||||
Write-Host "==> Issue cert for $($d.HostName)" -ForegroundColor Cyan
|
||||
|
||||
# win-acme CLI non-interactive:
|
||||
# --target iis → lấy hostname từ IIS binding
|
||||
# --host → domain cụ thể
|
||||
# --installation iis → auto bind HTTPS 443 + http→https redirect
|
||||
# --accepttos → auto chấp nhận Let's Encrypt terms
|
||||
# --emailaddress → email contact nhận alert expiry (đổi cho phù hợp)
|
||||
$args = @(
|
||||
# --target manual + --host <domain>
|
||||
# --siteid -> IIS site to install on
|
||||
# --installation iis -> auto bind HTTPS 443 + http->https redirect
|
||||
# --accepttos -> accept Let's Encrypt terms
|
||||
# --emailaddress -> contact email for expiry alerts
|
||||
$wacsArgs = @(
|
||||
"--target", "manual",
|
||||
"--host", $d.Host,
|
||||
"--host", $d.HostName,
|
||||
"--siteid", (Get-Website $d.Site).Id,
|
||||
"--store", "certificatestore",
|
||||
"--installation", "iis",
|
||||
@ -70,44 +71,33 @@ foreach ($d in $domains) {
|
||||
"--emailaddress", "admin@huypham.vn"
|
||||
)
|
||||
|
||||
& $WacsExe @args
|
||||
& $WacsExe @wacsArgs
|
||||
if ($LASTEXITCODE -ne 0) {
|
||||
Write-Warning "Issue cert cho $($d.Host) FAIL exit $LASTEXITCODE — kiểm tra:"
|
||||
Write-Warning " 1. Port 80 Internet → VPS mở (Let's Encrypt reach qua HTTP-01)?"
|
||||
Write-Warning " 2. DNS $($d.Host) → $((Resolve-DnsName $d.Host -Type A -ErrorAction SilentlyContinue).IPAddress)?"
|
||||
Write-Warning " 3. IIS site $($d.Site) binding port 80 có host header $($d.Host)?"
|
||||
Write-Warning "Issue cert for $($d.HostName) FAIL exit $LASTEXITCODE - check:"
|
||||
Write-Warning " 1. Port 80 Internet -> VPS open (Let's Encrypt reach via HTTP-01)?"
|
||||
Write-Warning " 2. DNS $($d.HostName) -> $((Resolve-DnsName $d.HostName -Type A -ErrorAction SilentlyContinue).IPAddress)?"
|
||||
Write-Warning " 3. IIS site $($d.Site) binding port 80 with host header $($d.HostName)?"
|
||||
} else {
|
||||
Write-Host " ✅ Cert installed"
|
||||
Write-Host " [OK] Cert installed"
|
||||
}
|
||||
}
|
||||
|
||||
# ===================== 4. HTTP → HTTPS redirect rule =====================
|
||||
Write-Host "`n==> Setup HTTP → HTTPS redirect (URL Rewrite)" -ForegroundColor Cyan
|
||||
$redirectConfig = @'
|
||||
<rewrite>
|
||||
<rules>
|
||||
<rule name="Redirect HTTP to HTTPS" stopProcessing="true">
|
||||
<match url="(.*)" />
|
||||
<conditions>
|
||||
<add input="{HTTPS}" pattern="^OFF$" />
|
||||
</conditions>
|
||||
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
|
||||
</rule>
|
||||
</rules>
|
||||
</rewrite>
|
||||
'@
|
||||
# win-acme --installation iis đã tự add redirect rule khi binding xong — skip manual.
|
||||
Write-Host " (win-acme tự setup redirect)"
|
||||
# ===================== 4. HTTP -> HTTPS redirect =====================
|
||||
Write-Host ""
|
||||
Write-Host "==> HTTP -> HTTPS redirect (win-acme auto-adds via --installation iis)" -ForegroundColor Cyan
|
||||
Write-Host " (skip manual rule - win-acme handled it)"
|
||||
|
||||
# ===================== 5. Verify scheduled task =====================
|
||||
Write-Host "`n==> Verify scheduled task auto-renew"
|
||||
Write-Host ""
|
||||
Write-Host "==> Verify scheduled task auto-renew"
|
||||
$task = Get-ScheduledTask -TaskName "win-acme renew (acme-v02.api.letsencrypt.org)" -ErrorAction SilentlyContinue
|
||||
if ($task) {
|
||||
Write-Host " ✅ Task '$($task.TaskName)' exists — auto renew 9h daily"
|
||||
Write-Host " [OK] Task '$($task.TaskName)' exists - auto renew 9h daily"
|
||||
} else {
|
||||
Write-Warning " Task chưa tạo — chạy tay: $WacsExe --renew --baseuri https://acme-v02.api.letsencrypt.org/"
|
||||
Write-Warning " Task not created - run manually: $WacsExe --renew --baseuri https://acme-v02.api.letsencrypt.org/"
|
||||
}
|
||||
|
||||
Write-Host "`n✅ SSL setup DONE" -ForegroundColor Green
|
||||
Write-Host ""
|
||||
Write-Host "[OK] SSL setup DONE" -ForegroundColor Green
|
||||
Write-Host " Test: openssl s_client -connect api.huypham.vn:443 < /dev/null | openssl x509 -noout -subject -dates"
|
||||
Write-Host " hoặc browser: https://api.huypham.vn/health/live"
|
||||
Write-Host " Or browser: https://api.huypham.vn/health/live"
|
||||
|
||||
Reference in New Issue
Block a user