From 62f303905eb6b195c1127d46453bb57d9e08763a Mon Sep 17 00:00:00 2001 From: MHSanaei Date: Thu, 2 Jul 2026 13:20:31 +0200 Subject: [PATCH] fix(scripts): pass --force to acme.sh --installcert so it survives sudo acme.sh guards every non-install command behind _checkSudo: when a non-root user runs the panel scripts via sudo, it prints the sudo wiki warning and exits before doing anything, unless FORCE is set. All our --issue calls already pass --force and were unaffected, but none of the --installcert calls did, so issuance succeeded and installation then aborted silently, ending in "Certificate files not found after installation". FORCE has no other effect on the installcert path, so mirror the --issue calls and pass --force everywhere we install certs. Closes #5741 --- install.sh | 6 +++--- update.sh | 6 +++--- x-ui.sh | 8 ++++---- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/install.sh b/install.sh index 4ada81de1..8e28900b4 100644 --- a/install.sh +++ b/install.sh @@ -373,7 +373,7 @@ setup_ssl_certificate() { fi # Install certificate - ~/.acme.sh/acme.sh --installcert -d ${domain} \ + ~/.acme.sh/acme.sh --installcert --force -d ${domain} \ --key-file /root/cert/${domain}/privkey.pem \ --fullchain-file /root/cert/${domain}/fullchain.pem \ --reloadcmd "systemctl restart x-ui" > /dev/null 2>&1 @@ -517,7 +517,7 @@ setup_ip_certificate() { # Install certificate # Note: acme.sh may report "Reload error" and exit non-zero if reloadcmd fails, # but the cert files are still installed. We check for files instead of exit code. - ~/.acme.sh/acme.sh --installcert -d ${ipv4} \ + ~/.acme.sh/acme.sh --installcert --force -d ${ipv4} \ --key-file "${certDir}/privkey.pem" \ --fullchain-file "${certDir}/fullchain.pem" \ --reloadcmd "${reloadCmd}" 2>&1 || true @@ -705,7 +705,7 @@ ssl_cert_issue() { # install the certificate local installOutput="" - installOutput=$(~/.acme.sh/acme.sh --installcert -d ${domain} \ + installOutput=$(~/.acme.sh/acme.sh --installcert --force -d ${domain} \ --key-file /root/cert/${domain}/privkey.pem \ --fullchain-file /root/cert/${domain}/fullchain.pem --reloadcmd "${reloadCmd}" 2>&1) local installRc=$? diff --git a/update.sh b/update.sh index a5087603c..0257bd929 100755 --- a/update.sh +++ b/update.sh @@ -223,7 +223,7 @@ setup_ssl_certificate() { fi # Install certificate - ~/.acme.sh/acme.sh --installcert -d ${domain} \ + ~/.acme.sh/acme.sh --installcert --force -d ${domain} \ --key-file /root/cert/${domain}/privkey.pem \ --fullchain-file /root/cert/${domain}/fullchain.pem \ --reloadcmd "systemctl restart x-ui" > /dev/null 2>&1 @@ -361,7 +361,7 @@ setup_ip_certificate() { # Install certificate # Note: acme.sh may report "Reload error" and exit non-zero if reloadcmd fails, # but the cert files are still installed. We check for files instead of exit code. - ~/.acme.sh/acme.sh --installcert -d ${ipv4} \ + ~/.acme.sh/acme.sh --installcert --force -d ${ipv4} \ --key-file "${certDir}/privkey.pem" \ --fullchain-file "${certDir}/fullchain.pem" \ --reloadcmd "${reloadCmd}" 2>&1 || true @@ -518,7 +518,7 @@ ssl_cert_issue() { # install the certificate local installOutput="" - installOutput=$(~/.acme.sh/acme.sh --installcert -d ${domain} \ + installOutput=$(~/.acme.sh/acme.sh --installcert --force -d ${domain} \ --key-file /root/cert/${domain}/privkey.pem \ --fullchain-file /root/cert/${domain}/fullchain.pem --reloadcmd "${reloadCmd}" 2>&1) local installRc=$? diff --git a/x-ui.sh b/x-ui.sh index 7e7998fae..5275bf2a8 100644 --- a/x-ui.sh +++ b/x-ui.sh @@ -1435,7 +1435,7 @@ ssl_cert_issue_main() { # renewed cert to these paths and reloads the panel. Without it acme.sh # renews but never updates /root/cert, silently serving a stale cert. if command -v ~/.acme.sh/acme.sh &> /dev/null && ~/.acme.sh/acme.sh --list 2> /dev/null | awk '{print $1}' | grep -Fxq "${domain}"; then - ~/.acme.sh/acme.sh --installcert -d "${domain}" \ + ~/.acme.sh/acme.sh --installcert --force -d "${domain}" \ --key-file "${webKeyFile}" \ --fullchain-file "${webCertFile}" \ --reloadcmd "x-ui restart" 2>&1 || true @@ -1631,7 +1631,7 @@ ssl_cert_issue_for_ip() { # Install the certificate # Note: acme.sh may report "Reload error" and exit non-zero if reloadcmd fails, # but the cert files are still installed. We check for files instead of exit code. - ~/.acme.sh/acme.sh --installcert -d ${server_ip} \ + ~/.acme.sh/acme.sh --installcert --force -d ${server_ip} \ --key-file "${certPath}/privkey.pem" \ --fullchain-file "${certPath}/fullchain.pem" \ --reloadcmd "${reloadCmd}" 2>&1 || true @@ -1836,7 +1836,7 @@ ssl_cert_issue() { # install the certificate local installOutput="" - installOutput=$(~/.acme.sh/acme.sh --installcert -d ${domain} \ + installOutput=$(~/.acme.sh/acme.sh --installcert --force -d ${domain} \ --key-file /root/cert/${domain}/privkey.pem \ --fullchain-file /root/cert/${domain}/fullchain.pem --reloadcmd "${reloadCmd}" 2>&1) local installRc=$? @@ -1998,7 +1998,7 @@ ssl_cert_issue_CF() { ;; esac fi - ~/.acme.sh/acme.sh --installcert -d ${CF_Domain} -d *.${CF_Domain} \ + ~/.acme.sh/acme.sh --installcert --force -d ${CF_Domain} -d *.${CF_Domain} \ --key-file ${certPath}/privkey.pem \ --fullchain-file ${certPath}/fullchain.pem --reloadcmd "${reloadCmd}"