fix(script): confirm auto-detected public IPv4 before issuing IP certificate

On networks with asymmetric routing (or proxies/multi-WAN), external
IP-echo services can return a transit or gateway address instead of the
server's real incoming IP, and every IP-certificate flow silently
issued for that wrong address. The x-ui.sh menu flow (option 20 -> 6)
and the install.sh/update.sh SSL menus now show the detected IPv4 for
confirmation (Enter keeps the old behavior), and declining falls into
the same validated manual-entry loop already used when every provider
fails. Non-interactive installs are untouched - XUI_SERVER_IP already
pins the address there.

Closes #5867
This commit is contained in:
MHSanaei
2026-07-11 22:35:31 +02:00
parent 201d4731de
commit 1c789c3e4d
3 changed files with 50 additions and 10 deletions
+18
View File
@@ -873,6 +873,24 @@ prompt_and_setup_ssl() {
# User chose Let's Encrypt IP certificate option
echo -e "${green}Using Let's Encrypt for IP certificate (shortlived profile)...${plain}"
# Confirm the auto-detected IP before issuing for it: with asymmetric
# routing / multi-WAN the echo services can return a transit address.
if [[ "$NONINTERACTIVE" != "1" ]]; then
local ip_confirm=""
read -rp "Is ${server_ip} the correct incoming public IPv4 address for this server? [Default y]: " ip_confirm
if [[ -n "$ip_confirm" && "$ip_confirm" != "y" && "$ip_confirm" != "Y" ]]; then
server_ip=""
while [[ -z "$server_ip" ]]; do
read -rp "Please enter your server's public IPv4 address: " server_ip
server_ip="${server_ip// /}"
if [[ ! "$server_ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo -e "${red}Invalid IPv4 address. Please try again.${plain}"
server_ip=""
fi
done
fi
fi
# Ask for optional IPv6
local ipv6_addr=""
prompt_or_default ipv6_addr "Do you have an IPv6 address to include? (leave empty to skip): " "" XUI_SSL_IPV6
+16
View File
@@ -667,6 +667,22 @@ prompt_and_setup_ssl() {
# User chose Let's Encrypt IP certificate option
echo -e "${green}Using Let's Encrypt for IP certificate (shortlived profile)...${plain}"
# Confirm the auto-detected IP before issuing for it: with asymmetric
# routing / multi-WAN the echo services can return a transit address.
local ip_confirm=""
read -rp "Is ${server_ip} the correct incoming public IPv4 address for this server? [Default y]: " ip_confirm
if [[ -n "$ip_confirm" && "$ip_confirm" != "y" && "$ip_confirm" != "Y" ]]; then
server_ip=""
while [[ -z "$server_ip" ]]; do
read -rp "Please enter your server's public IPv4 address: " server_ip
server_ip="${server_ip// /}"
if [[ ! "$server_ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo -e "${red}Invalid IPv4 address. Please try again.${plain}"
server_ip=""
fi
done
fi
# Ask for optional IPv6
local ipv6_addr=""
read -rp "Do you have an IPv6 address to include? (leave empty to skip): " ipv6_addr
+16 -10
View File
@@ -1548,19 +1548,25 @@ ssl_cert_issue_for_ip() {
fi
done
if [[ -z "$server_ip" ]]; then
if [[ -n "$server_ip" ]]; then
LOGI "Server IP detected: ${server_ip}"
if ! confirm "Is ${server_ip} the correct incoming public IPv4 address for this server?" "y"; then
server_ip=""
fi
else
LOGI "Could not auto-detect server IP from any provider."
while [[ -z "$server_ip" ]]; do
read -rp "Please enter your server's public IPv4 address: " server_ip
server_ip="${server_ip// /}"
if [[ ! "$server_ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
LOGE "Invalid IPv4 address. Please try again."
server_ip=""
fi
done
fi
LOGI "Server IP detected: ${server_ip}"
while [[ -z "$server_ip" ]]; do
read -rp "Please enter your server's public IPv4 address: " server_ip
server_ip="${server_ip// /}"
if [[ ! "$server_ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
LOGE "Invalid IPv4 address. Please try again."
server_ip=""
fi
done
LOGI "Issuing certificate for server IP: ${server_ip}"
# Ask for optional IPv6
local ipv6_addr=""