#!/usr/bin/env bash
# Full SSL cert health report - all domains
set -uo pipefail

RED='\033[0;31m'; YELLOW='\033[1;33m'; GREEN='\033[0;32m'; NC='\033[0m'; BOLD='\033[1m'

TODAY_TS=$(date +%s)
WARN_TS=$(date -d "+30 days" +%s)

EXPIRED=0; MISMATCH=0; MISSING_KEY=0; EXPIRING=0; HEALTHY=0

echo -e "${BOLD}SSL Certificate Audit — $(date '+%Y-%m-%d %H:%M:%S')${NC}"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

for dir in /var/cpanel/ssl/apache_tls/*/; do
    domain=$(basename "$dir")
    combined="$dir/combined"
    key_file="$dir/key"

    # Check active in httpd
    IN_HTTPD=false
    grep -q "apache_tls/$domain/" /etc/apache2/conf/httpd.conf /etc/apache2/conf.d/*.conf 2>/dev/null && IN_HTTPD=true

    ACTIVE=""
    $IN_HTTPD && ACTIVE="[ACTIVE]" || ACTIVE="[inactive]"

    if [[ ! -f "$key_file" ]]; then
        echo -e "${YELLOW}MISS-KEY${NC} $ACTIVE $domain (no key file)"
        ((MISSING_KEY++))
        continue
    fi

    cert_md5=$(openssl x509 -noout -modulus -in "$combined" 2>/dev/null | openssl md5 | awk '{print $2}')
    key_md5=$(openssl rsa -noout -modulus -in "$key_file" 2>/dev/null | openssl md5 | awk '{print $2}')

    if [[ -z "$cert_md5" ]]; then
        echo -e "${RED}CORRUPT${NC} $ACTIVE $domain (cert unreadable)"
        ((MISMATCH++))
        continue
    fi

    if [[ "$cert_md5" != "$key_md5" ]]; then
        $IN_HTTPD && echo -e "${RED}MISMATCH${NC} $ACTIVE $domain  ← WILL BREAK APACHE" \
                  || echo -e "${YELLOW}MISMATCH${NC} $ACTIVE $domain  (inactive, not blocking)"
        ((MISMATCH++))
        continue
    fi

    expiry_str=$(openssl x509 -noout -enddate -in "$combined" 2>/dev/null | cut -d= -f2)
    expiry_ts=$(date -d "$expiry_str" +%s 2>/dev/null || echo 0)

    if [[ $expiry_ts -gt 0 && $expiry_ts -lt $TODAY_TS ]]; then
        $IN_HTTPD && echo -e "${RED}EXPIRED${NC} $ACTIVE $domain  ($expiry_str)" \
                  || echo -e "${YELLOW}EXPIRED${NC} $ACTIVE $domain  ($expiry_str)"
        ((EXPIRED++))
    elif [[ $expiry_ts -gt 0 && $expiry_ts -lt $WARN_TS ]]; then
        days=$(( (expiry_ts - TODAY_TS) / 86400 ))
        echo -e "${YELLOW}EXPIRING${NC} $ACTIVE $domain  (${days}d — $expiry_str)"
        ((EXPIRING++))
    else
        echo -e "${GREEN}OK${NC}      $ACTIVE $domain  ($(openssl x509 -noout -enddate -in "$combined" 2>/dev/null | cut -d= -f2))"
        ((HEALTHY++))
    fi
done

echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo -e " ${GREEN}OK: $HEALTHY${NC}  ${YELLOW}EXPIRING: $EXPIRING${NC}  ${RED}EXPIRED: $EXPIRED  MISMATCH: $MISMATCH  MISS-KEY: $MISSING_KEY${NC}"
echo ""

# Trigger AutoSSL for mismatched/expired active domains
NEEDS_AUTOSSL=false
for dir in /var/cpanel/ssl/apache_tls/*/; do
    domain=$(basename "$dir")
    combined="$dir/combined"
    key_file="$dir/key"
    [[ ! -f "$combined" || ! -f "$key_file" ]] && continue
    cert_md5=$(openssl x509 -noout -modulus -in "$combined" 2>/dev/null | openssl md5 | awk '{print $2}')
    key_md5=$(openssl rsa -noout -modulus -in "$key_file" 2>/dev/null | openssl md5 | awk '{print $2}')
    if [[ -n "$cert_md5" && "$cert_md5" != "$key_md5" ]]; then
        grep -q "apache_tls/$domain/" /etc/apache2/conf/httpd.conf /etc/apache2/conf.d/*.conf 2>/dev/null && NEEDS_AUTOSSL=true
    fi
done

if $NEEDS_AUTOSSL; then
    echo -e "${RED}ACTION REQUIRED: Active cert/key mismatch detected.${NC}"
    echo "Run: /usr/local/cpanel/scripts/autossl_check --all"
    echo "  or fix manually via WHM > SSL/TLS > Install SSL"
fi

exit 0
