From 55a2762c7116a8f29f44a82f1c8e3981b2d9bfe2 Mon Sep 17 00:00:00 2001 From: yyhuni Date: Thu, 18 Dec 2025 18:53:28 +0800 Subject: [PATCH] =?UTF-8?q?fix:=20=E8=AF=81=E4=B9=A6=E5=85=BC=E5=AE=B9?= =?UTF-8?q?=E6=80=A7?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- install.sh | 43 ++++++++++--------------------------------- 1 file changed, 10 insertions(+), 33 deletions(-) diff --git a/install.sh b/install.sh index 0c4ebb99..9597374e 100755 --- a/install.sh +++ b/install.sh @@ -126,7 +126,7 @@ update_env_var() { GENERATED_DB_PASSWORD="" GENERATED_DJANGO_KEY="" -# 生成自签 HTTPS 证书(无域名场景)——兼容旧版 OpenSSL +# 生成自签 HTTPS 证书(使用容器,避免宿主机 openssl 兼容性问题) generate_self_signed_cert() { local ssl_dir="$DOCKER_DIR/nginx/ssl" local fullchain="$ssl_dir/fullchain.pem" 
@@ -140,41 +140,18 @@ generate_self_signed_cert() { info "未检测到 HTTPS 证书,正在生成自签证书(localhost)..." mkdir -p "$ssl_dir" - # 创建临时配置文件(兼容 OpenSSL 1.0.2) - local config_file="/tmp/openssl-selfsigned.cnf" - cat > "$config_file" << EOF -[req] -distinguished_name = req_distinguished_name -req_extensions = v3_req -prompt = no - -[req_distinguished_name] -C = CN -ST = NA -L = NA -O = XingRin -CN = localhost - -[v3_req] -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment -subjectAltName = DNS:localhost,IP:127.0.0.1 -EOF - - if openssl req -x509 -nodes -newkey rsa:2048 -days 365 \ - -keyout "$privkey" \ - -out "$fullchain" \ + # 使用容器生成证书,避免依赖宿主机 openssl 版本 + if docker run --rm -v "$ssl_dir:/ssl" alpine/openssl \ + req -x509 -nodes -newkey rsa:2048 -days 365 \ + -keyout /ssl/privkey.pem \ + -out /ssl/fullchain.pem \ -subj "/C=CN/ST=NA/L=NA/O=XingRin/CN=localhost" \ - -config "$config_file" \ - -extensions v3_req >/dev/null 2>&1; then + -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \ + >/dev/null 2>&1; then success "自签证书已生成: $ssl_dir" else - warn "自签证书生成失败(可能是 OpenSSL 版本过旧),请手动放置证书到 $ssl_dir" - warn "或者升级系统 OpenSSL,或使用 Let's Encrypt 证书" + warn "自签证书生成失败,请手动放置证书到 $ssl_dir" fi - - # 清理临时配置文件 - rm -f "$config_file" } # 自动为 docker/.env 填充敏感变量 @@ -252,7 +229,7 @@ show_summary() { step "[1/3] 检查基础命令" MISSING_CMDS=() -for cmd in git curl jq openssl; do +for cmd in git curl; do if ! command -v "$cmd" >/dev/null 2>&1; then MISSING_CMDS+=("$cmd") warn "未安装: $cmd"
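Review bot: The new `docker run --rm -v "$ssl_dir:/ssl" alpine/openssl` call in generate_self_signed_cert creates the TLS private key inside an image referenced with no tag or digest, so whatever the registry serves at install time handles the key material; pin it, e.g. `alpine/openssl@sha256:<digest>` (placeholder), or build the image from a Dockerfile kept in this repository. Because `>/dev/null 2>&1` still discards all output, a failed image pull or an unreachable Docker daemon now looks the same as an openssl error, and the shortened warning gives no hint of the cause; consider capturing stderr and printing it in the `else` branch. The files under `/ssl` are written by the container's user (probably root), so add `chmod 600 "$ssl_dir/privkey.pem"` in the success branch and confirm nginx can still read the key. With the `basicConstraints = CA:FALSE` and `keyUsage` lines gone, the remaining extensions come from the image's default openssl.cnf, which may mark the certificate CA:TRUE; verify with `openssl x509 -noout -text` and restore the constraint if so. The function's opening lines are outside this hunk.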
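Review bot: `jq` is dropped from the required-command loop together with `openssl`, but this commit only replaces the openssl dependency; if any later part of install.sh still calls jq, the failure will now surface mid-install instead of at this check. Certificate generation now depends on a working `docker` command and daemon, which `for cmd in git curl; do` does not test, so confirm generate_self_signed_cert is only reached after Docker has been verified or installed. The loop body continues past the end of this hunk.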