From 4b8864edd9c9e76f17ed0e33aa7782f1d146abdf Mon Sep 17 00:00:00 2001
From: Paul Trowbridge
Date: Sun, 5 Apr 2026 17:08:49 -0400
Subject: [PATCH] Fix nginx status detection and cert check for root-owned files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
nginx config files written by sudo are root-only (rw-------), so nginx_domain() was silently failing to read them. Now uses 'sudo -n cat' with fallback to direct read for world-readable files. Also fix PermissionError on cert_path.exists() — /etc/letsencrypt/live/ requires root, so use 'sudo test -f' instead of Path.exists().
Co-Authored-By: Claude Sonnet 4.6
---
 manage.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/manage.py b/manage.py
index ba3e31e..7509931 100755
--- a/manage.py
+++ b/manage.py
@@ -147,12 +147,14 @@ def ui_build_time():
 return None
 def nginx_domain(port):
- """Find nginx site proxying to our port."""
+ """Find nginx site proxying to our port. Uses sudo to read root-owned configs."""
 if not NGINX_DIR.exists():
 return None
 for f in NGINX_DIR.iterdir():
 try:
- text = f.read_text()
+ r = subprocess.run(['sudo', '-n', 'cat', str(f)],
+ capture_output=True, text=True)
+ text = r.stdout if r.returncode == 0 else f.read_text()
 if f':{port}' in text:
 for line in text.splitlines():
 if 'server_name' in line:
@@ -430,8 +432,11 @@ def action_setup_nginx(cfg): conf_path = NGINX_DIR / conf_name cert_path = Path(f'/etc/letsencrypt/live/{domain}/fullchain.pem') + # /etc/letsencrypt/live/ requires root — check with sudo + cert_exists = sudo_run(['test', '-f', str(cert_path)], capture_output=True).returncode == 0 + print() - if cert_path.exists(): + if cert_exists: info(f'SSL certificate found at {cert_path} — will configure HTTPS with redirect from HTTP.') conf = f"""server {{ listen 80;
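Review bot: In nginx_domain() the new read path runs `sudo -n cat` on every entry of NGINX_DIR before trying an unprivileged read, so a status lookup now reads each file as root even when it is world-readable. It also only works with cached sudo credentials or a NOPASSWD rule, and a rule broad enough to allow `cat` on any path would amount to root read access to the whole filesystem. Reading directly first and escalating only on `PermissionError` keeps the privileged read to the files that need it, and a failed sudo can then skip the file instead of calling `f.read_text()` a second time. The `try:` these lines sit in is closed outside the hunk, so how its handler treats the fallback's exceptions is not visible here.

```python
    for f in NGINX_DIR.iterdir():
        try:
            try:
                text = f.read_text()
            except PermissionError:
                # Escalate only for files the current user cannot read.
                r = subprocess.run(['sudo', '-n', 'cat', str(f)],
                                   capture_output=True, text=True)
                if r.returncode != 0:
                    continue
                text = r.stdout
            # … unchanged: port match and server_name scan …
```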
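Review bot: In action_setup_nginx() `cert_exists` is false both when the certificate is missing and when the sudo call itself fails (no credentials, command not permitted), so a check that could not run presumably falls through to the HTTP-only configuration. Unless sudo_run(), which is defined outside this hunk, raises on failure, the line should carry a comment such as `# NOTE: a non-zero exit from sudo itself is also treated as "no certificate"`, or the caller should warn when the check could not be performed. `domain` is interpolated into a path that is handed to a root command; its validation is not visible here and should reject `/` and `..`. The function starts and ends outside the hunk.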
@@ -505,7 +510,7 @@ server {{
 sudo_run(['systemctl', 'reload', 'nginx'])
 ok('nginx reloaded — site is now active')
- if not cert_path.exists():
+ if not cert_exists:
 warn(f'No SSL certificate found for {domain} — site is HTTP only.')
 if confirm(f'Run certbot to obtain an SSL certificate for {domain} and switch to HTTPS?'):
 print(f' Running certbot for {domain}...')