Fix nginx status detection and cert check for root-owned files

nginx config files written by sudo are root-only (rw-------), so nginx_domain() was silently failing to read them. Now uses 'sudo -n cat' with fallback to direct read for world-readable files. Also fix PermissionError on cert_path.exists() — /etc/letsencrypt/live/ requires root, so use 'sudo test -f' instead of Path.exists(). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-05 17:08:49 -04:00 · 2026-04-05 17:08:49 -04:00 · 4b8864edd9
commit 4b8864edd9
parent 61fe8f630b
1 changed files with 9 additions and 4 deletions
--- a/manage.py
+++ b/manage.py
@ -147,12 +147,14 @@ def ui_build_time():
    return None

 def nginx_domain(port):
-    """Find nginx site proxying to our port."""
+    """Find nginx site proxying to our port. Uses sudo to read root-owned configs."""
    if not NGINX_DIR.exists():
        return None
    for f in NGINX_DIR.iterdir():
        try:
-            text = f.read_text()
+            r = subprocess.run(['sudo', '-n', 'cat', str(f)],
+                               capture_output=True, text=True)
+            text = r.stdout if r.returncode == 0 else f.read_text()
            if f':{port}' in text:
                for line in text.splitlines():
                    if 'server_name' in line:
@ -430,8 +432,11 @@ def action_setup_nginx(cfg):
    conf_path = NGINX_DIR / conf_name
    cert_path = Path(f'/etc/letsencrypt/live/{domain}/fullchain.pem')

+    # /etc/letsencrypt/live/ requires root — check with sudo
+    cert_exists = sudo_run(['test', '-f', str(cert_path)], capture_output=True).returncode == 0
+
    print()
-    if cert_path.exists():
+    if cert_exists:
        info(f'SSL certificate found at {cert_path} — will configure HTTPS with redirect from HTTP.')
        conf = f"""server {{
    listen 80;
@ -505,7 +510,7 @@ server {{
    sudo_run(['systemctl', 'reload', 'nginx'])
    ok('nginx reloaded — site is now active')

-    if not cert_path.exists():
+    if not cert_exists:
        warn(f'No SSL certificate found for {domain} — site is HTTP only.')
        if confirm(f'Run certbot to obtain an SSL certificate for {domain} and switch to HTTPS?'):
            print(f'  Running certbot for {domain}...')