feat(ssl): add self-signed certificate generation as fallback

Introduce a new Makefile target and script command to generate
self-signed certificates. This serves as a fallback when Let's Encrypt
rate limits are reached, ensuring SSL support continuity. Update the
README to document the new command and provide guidance on handling
rate limits. Remove unnecessary volume mount in compose.yaml for
UnrealIRCd TLS directory, as self-signed certificates are now managed
internally. This change enhances the robustness of the SSL setup by
providing an alternative when automated certificate issuance fails.

Author: kzndotsh

Makefile

@@ -372,12 +372,16 @@ help-ssl:
 	@echo "  ssl-setup           - Setup certificates (only if none exist)"
 	@echo "  ssl-renew           - Renew certificates (only if needed)"
 	@echo "  ssl-status          - Check certificate status"
+	@echo "  ssl-self-signed     - Generate self-signed certificate (fallback)"
 	@echo ""
 	@echo "Quick Start:"
 	@echo "  1. Copy cloudflare-credentials.ini.template to cloudflare-credentials.ini"
 	@echo "  2. Add your Cloudflare API token to cloudflare-credentials.ini"
 	@echo "  3. make ssl-setup   # Initial certificate setup (safe to run multiple times)"
 	@echo "  4. make ssl-status  # Check certificate status"
+	@echo ""
+	@echo "Fallback Options:"
+	@echo "  make ssl-self-signed # Generate self-signed cert if Let's Encrypt fails"
 
 # Docker operations
 docker-build:
@@ -500,6 +504,10 @@ ssl-status: ## Check SSL certificate status
 	@echo -e "$(PURPLE)=== SSL Certificate Status ===$(NC)"
 	@./scripts/ssl-manager.sh status
 
+ssl-self-signed: ## Generate self-signed certificate (fallback)
+	@echo -e "$(PURPLE)=== Generating Self-Signed Certificate ===$(NC)"
+	@./scripts/ssl-manager.sh self-signed
+
 # ============================================================================
 # ENVIRONMENT SETUP
 # ============================================================================

README.md

@@ -221,9 +221,13 @@ make ssl-renew
 # Setup certificates (only if none exist)
 make ssl-setup
 
+# Generate self-signed certificate (fallback)
+make ssl-self-signed
+
 # Direct script usage
 ./scripts/ssl-manager.sh status
 ./scripts/ssl-manager.sh renew
+./scripts/ssl-manager.sh self-signed
 ```
 
 ### 🔧 **Available Commands**
@@ -232,8 +236,17 @@ make ssl-setup
 make ssl-setup              # Setup certificates (only if none exist)
 make ssl-renew              # Renew certificates (only if needed)
 make ssl-status             # Check certificate status
+make ssl-self-signed        # Generate self-signed certificate (fallback)
 ```
 
+### 🚨 **Rate Limit Handling**
+
+If you hit Let's Encrypt rate limits, the system will automatically:
+- ✅ **Detect rate limit errors** during certificate issuance
+- ✅ **Generate self-signed certificates** as a fallback
+- ✅ **Provide clear guidance** on when to retry with Let's Encrypt
+- ✅ **Keep your IRC server running** with SSL support
+
 ### 📋 **Prerequisites**
 
 1. **Cloudflare Account** with DNS hosting for your domain

compose.yaml

@@ -94,10 +94,9 @@ services:
       - path: .env.local
         required: false
 
-    # Volume mounts - persist certificates and access UnrealIRCd TLS directory
+    # Volume mounts - persist certificates and credentials
     volumes:
       - letsencrypt_data:/etc/letsencrypt
-      - ./unrealircd/conf/tls:/etc/letsencrypt/unrealircd:rw
       - ./cloudflare-credentials.ini:/etc/letsencrypt/cloudflare-credentials.ini:ro
 
     # Network access for DNS challenges

scripts/ssl-manager.sh

@@ -71,7 +71,7 @@ issue_certificates() {
     log_info "Issuing SSL certificates for $DOMAIN..."
 
     # Run certbot container to issue certificates
-    docker compose run --rm certbot certonly \
+    if docker compose run --rm certbot certonly \
         --dns-cloudflare \
         --dns-cloudflare-credentials=/etc/letsencrypt/cloudflare-credentials.ini \
         --dns-cloudflare-propagation-seconds=60 \
@@ -81,12 +81,23 @@ issue_certificates() {
         --expand \
         --non-interactive \
         -d "$DOMAIN" \
-        -d "*.$DOMAIN"
-    
-    # Copy certificates to UnrealIRCd TLS directory
-    copy_certificates
-    
-    log_success "SSL certificates issued successfully!"
+        -d "*.$DOMAIN" 2>&1 | tee /tmp/certbot_output.log; then
+        
+        # Copy certificates to UnrealIRCd TLS directory
+        copy_certificates
+        log_success "SSL certificates issued successfully!"
+    else
+        # Check if we hit the rate limit
+        if grep -q "too many certificates" /tmp/certbot_output.log; then
+            log_warn "Let's Encrypt rate limit reached!"
+            log_info "Automatically generating self-signed certificate as fallback..."
+            generate_self_signed_certificate
+        else
+            log_error "Failed to issue SSL certificates"
+            log_info "Check the error above and try again"
+            return 1
+        fi
+    fi
 }
 
 # Renew existing certificates
@@ -103,14 +114,44 @@ renew_certificates() {
     log_info "Renewing SSL certificates..."
 
     # Run certbot container to renew certificates
-    docker compose run --rm certbot renew \
+    if docker compose run --rm certbot renew \
         --quiet \
-        --no-random-sleep-on-renew
+        --no-random-sleep-on-renew 2>&1 | tee /tmp/certbot_renew_output.log; then
+        
+        # Copy renewed certificates
+        copy_certificates
+        log_success "SSL certificates renewed successfully!"
+    else
+        # Check if we hit the rate limit
+        if grep -q "too many certificates" /tmp/certbot_renew_output.log; then
+            log_warn "Let's Encrypt rate limit reached!"
+            log_info "Current certificates will remain valid until they expire"
+            log_info "Run 'make ssl-renew' after the rate limit resets to renew"
+        else
+            log_error "Failed to renew SSL certificates"
+            log_info "Check the error above and try again"
+            return 1
+        fi
+    fi
+}
+
+# Generate self-signed certificate as fallback
+generate_self_signed_certificate() {
+    log_info "Generating self-signed certificate for $DOMAIN..."
 
-    # Copy renewed certificates
-    copy_certificates
+    # Create TLS directory if it doesn't exist
+    mkdir -p "$TLS_DIR"
 
-    log_success "SSL certificates renewed successfully!"
+    # Generate self-signed certificate
+    openssl req -x509 -newkey rsa:4096 -keyout "$TLS_DIR/server.key.pem" -out "$TLS_DIR/server.cert.pem" -days 365 -nodes -subj "/CN=$DOMAIN" 2>/dev/null
+    
+    # Set proper permissions
+    chmod 644 "$TLS_DIR/server.cert.pem"
+    chmod 600 "$TLS_DIR/server.key.pem"
+    
+    log_success "Self-signed certificate generated successfully!"
+    log_warn "This is a self-signed certificate - browsers will show security warnings"
+    log_info "Run 'make ssl-renew' after the Let's Encrypt rate limit resets to get a trusted certificate"
 }
 
 # Copy certificates from certbot to UnrealIRCd TLS directory
@@ -213,11 +254,13 @@ show_usage() {
     echo "  status    - Check certificate status"
     echo "  copy      - Copy certificates to UnrealIRCd directory"
     echo "  restart   - Restart UnrealIRCd to load certificates"
+    echo "  self-signed - Generate self-signed certificate (fallback)"
     echo ""
     echo "Examples:"
     echo "  $0 issue     # Issue new certificates"
     echo "  $0 renew     # Renew existing certificates"
     echo "  $0 status    # Check certificate status"
+    echo "  $0 self-signed # Generate self-signed certificate"
 }
 
 # Main function
@@ -244,6 +287,10 @@ main() {
         "restart")
             restart_unrealircd
             ;;
+        "self-signed")
+            generate_self_signed_certificate
+            restart_unrealircd
+            ;;
         "help"|"--help"|"-h")
             show_usage
             ;;