From 15ad2ec4e0cd925f2d87c3fee5d2978d19e522ec Mon Sep 17 00:00:00 2001
From: Jordan Ramos
Date: Wed, 24 Jun 2026 16:41:01 -0600
Subject: [PATCH] Regenerate TLS certs during deploy if missing after rsync

The certs/ directory is gitignored so rsync --delete wipes it on each deploy. Add a post-rsync step that generates a self-signed cert if cert.pem is missing, preventing TLS-enabled servers from crashing on restart. Applies to both staging and production deploy jobs.
---
 .gitlab-ci.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c6a7b77..57fa91a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -183,6 +183,7 @@ deploy-staging:
 - ssh ${STAGING_USER}@${STAGING_HOST} "cd ${STAGING_DIR} && npm ci --prefer-offline"
 - ssh ${STAGING_USER}@${STAGING_HOST} "cd ${STAGING_DIR}/frontend && npm ci --prefer-offline"
 - ssh ${STAGING_USER}@${STAGING_HOST} "cd ${STAGING_DIR}/backend && node migrations/run-all.js"
+ - ssh ${STAGING_USER}@${STAGING_HOST} "cd ${STAGING_DIR}/backend && test -f certs/cert.pem || (mkdir -p certs && openssl req -x509 -newkey rsa:2048 -keyout certs/key.pem -out certs/cert.pem -days 365 -nodes -subj '/CN=cve-dashboard.local' 2>/dev/null)"
 - ssh ${STAGING_USER}@${STAGING_HOST} "systemctl restart cve-backend-staging || systemctl start cve-backend-staging || true"
 - echo "Staging deploy complete."
 after_script:
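Review bot: The private key the added step writes to `certs/key.pem` is left at whatever mode the deploy user's umask yields (commonly 0644), so it may be readable by every account on ${STAGING_HOST}; the parenthesised group should end with `&& chmod 600 certs/key.pem`, and the key should be chowned to the service account if cve-backend-staging does not run as ${STAGING_USER}. The guard `test -f certs/cert.pem` also checks only the certificate, so a present cert with a missing key.pem is never regenerated and the restart on the next line still fails; `test -f certs/cert.pem -a -f certs/key.pem ||` covers both halves of the pair. The `2>/dev/null` discards openssl's diagnostics, which would be the only evidence in the CI log when this step fails the job, so it is better dropped.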
@@ -228,6 +229,7 @@ deploy-production:
 - ssh ${PROD_USER}@${PROD_HOST} "cd ${PROD_DIR} && npm ci --prefer-offline"
 - ssh ${PROD_USER}@${PROD_HOST} "cd ${PROD_DIR}/frontend && npm ci --prefer-offline"
 - ssh ${PROD_USER}@${PROD_HOST} "cd ${PROD_DIR}/backend && node migrations/run-all.js"
+ - ssh ${PROD_USER}@${PROD_HOST} "cd ${PROD_DIR}/backend && test -f certs/cert.pem || (mkdir -p certs && openssl req -x509 -newkey rsa:2048 -keyout certs/key.pem -out certs/cert.pem -days 365 -nodes -subj '/CN=cve-dashboard.local' 2>/dev/null)"
 - ssh ${PROD_USER}@${PROD_HOST} "test -f /etc/systemd/system/cve-backend.service || true"
 - ssh ${PROD_USER}@${PROD_HOST} "systemctl daemon-reload && systemctl enable cve-backend && systemctl restart cve-backend"
 - echo "Production deploy complete."
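Review bot: The added step silently mints a new self-signed key pair for production whenever `certs/cert.pem` is absent, and per the commit message that is every deploy because rsync --delete removes certs/, so after each release production serves a fresh, untrusted certificate with subject `/CN=cve-dashboard.local` and no subjectAltName; any client that verifies TLS will reject it, and only clients that skip verification keep working. The production job should fail loudly instead, e.g. `test -f certs/cert.pem -a -f certs/key.pem || { echo 'production TLS cert missing' >&2; exit 1; }`, with the real certificate provisioned out of band and kept where rsync cannot delete it (outside ${PROD_DIR}, or protected on the rsync step, which is outside this hunk, with something like `--exclude=backend/certs/`). If the self-signed fallback is kept for any reason, append `&& chmod 600 certs/key.pem` since openssl leaves the key at umask-default mode, and drop `2>/dev/null` so the CI log shows why generation failed.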