From 1c789c3e4d6b179baadf332d573b0bbee9673069 Mon Sep 17 00:00:00 2001 From: MHSanaei Date: Sat, 11 Jul 2026 22:35:31 +0200 Subject: [PATCH] fix(script): confirm auto-detected public IPv4 before issuing IP certificate On networks with asymmetric routing (or proxies/multi-WAN), external IP-echo services can return a transit or gateway address instead of the server's real incoming IP, and every IP-certificate flow silently issued for that wrong address. The x-ui.sh menu flow (option 20 -> 6) and the install.sh/update.sh SSL menus now show the detected IPv4 for confirmation (Enter keeps the old behavior), and declining falls into the same validated manual-entry loop already used when every provider fails. Non-interactive installs are untouched - XUI_SERVER_IP already pins the address there. Closes #5867 --- install.sh | 18 ++++++++++++++++++ update.sh | 16 ++++++++++++++++ x-ui.sh | 26 ++++++++++++++++---------- 3 files changed, 50 insertions(+), 10 deletions(-) diff --git a/install.sh b/install.sh index ffa0479e0..c737a34bc 100644 --- a/install.sh +++ b/install.sh @@ -873,6 +873,24 @@ prompt_and_setup_ssl() { # User chose Let's Encrypt IP certificate option echo -e "${green}Using Let's Encrypt for IP certificate (shortlived profile)...${plain}" + # Confirm the auto-detected IP before issuing for it: with asymmetric + # routing / multi-WAN the echo services can return a transit address. + if [[ "$NONINTERACTIVE" != "1" ]]; then + local ip_confirm="" + read -rp "Is ${server_ip} the correct incoming public IPv4 address for this server? [Default y]: " ip_confirm + if [[ -n "$ip_confirm" && "$ip_confirm" != "y" && "$ip_confirm" != "Y" ]]; then + server_ip="" + while [[ -z "$server_ip" ]]; do + read -rp "Please enter your server's public IPv4 address: " server_ip + server_ip="${server_ip// /}" + if [[ ! "$server_ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + echo -e "${red}Invalid IPv4 address. Please try again.${plain}" + server_ip="" + fi + done + fi + fi + # Ask for optional IPv6 local ipv6_addr="" prompt_or_default ipv6_addr "Do you have an IPv6 address to include? (leave empty to skip): " "" XUI_SSL_IPV6 diff --git a/update.sh b/update.sh index c24501ce6..793d30e15 100755 --- a/update.sh +++ b/update.sh @@ -667,6 +667,22 @@ prompt_and_setup_ssl() { # User chose Let's Encrypt IP certificate option echo -e "${green}Using Let's Encrypt for IP certificate (shortlived profile)...${plain}" + # Confirm the auto-detected IP before issuing for it: with asymmetric + # routing / multi-WAN the echo services can return a transit address. + local ip_confirm="" + read -rp "Is ${server_ip} the correct incoming public IPv4 address for this server? [Default y]: " ip_confirm + if [[ -n "$ip_confirm" && "$ip_confirm" != "y" && "$ip_confirm" != "Y" ]]; then + server_ip="" + while [[ -z "$server_ip" ]]; do + read -rp "Please enter your server's public IPv4 address: " server_ip + server_ip="${server_ip// /}" + if [[ ! "$server_ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + echo -e "${red}Invalid IPv4 address. Please try again.${plain}" + server_ip="" + fi + done + fi + # Ask for optional IPv6 local ipv6_addr="" read -rp "Do you have an IPv6 address to include? (leave empty to skip): " ipv6_addr diff --git a/x-ui.sh b/x-ui.sh index 4125198c4..9dcf27c0a 100644 --- a/x-ui.sh +++ b/x-ui.sh @@ -1548,19 +1548,25 @@ ssl_cert_issue_for_ip() { fi done - if [[ -z "$server_ip" ]]; then + if [[ -n "$server_ip" ]]; then + LOGI "Server IP detected: ${server_ip}" + if ! confirm "Is ${server_ip} the correct incoming public IPv4 address for this server?" "y"; then + server_ip="" + fi + else LOGI "Could not auto-detect server IP from any provider." - while [[ -z "$server_ip" ]]; do - read -rp "Please enter your server's public IPv4 address: " server_ip - server_ip="${server_ip// /}" - if [[ ! "$server_ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - LOGE "Invalid IPv4 address. Please try again." - server_ip="" - fi - done fi - LOGI "Server IP detected: ${server_ip}" + while [[ -z "$server_ip" ]]; do + read -rp "Please enter your server's public IPv4 address: " server_ip + server_ip="${server_ip// /}" + if [[ ! "$server_ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + LOGE "Invalid IPv4 address. Please try again." + server_ip="" + fi + done + + LOGI "Issuing certificate for server IP: ${server_ip}" # Ask for optional IPv6 local ipv6_addr=""