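# Writes cert_apply.sh, an interactive helper that obtains a TLS certificate
# for one domain with acme.sh in standalone (HTTP-01) mode and installs the
# key and full chain under /data. The heredoc delimiter is quoted, so nothing
# inside the generated script is expanded while it is being written.
cat << 'EOF' > cert_apply.sh
#!/bin/bash
# cert_apply.sh - request and install a certificate for a single domain
# through acme.sh standalone mode. Reads the domain interactively.
# Exits 1 on invalid input, missing tooling, or when the user aborts.
set -u

# --- Configuration ---
CERT_BASE_DIR="/data"
EMAIL="my@example.com"   # default account e-mail, no need to change it per run
ACME_SH=~/.acme.sh/acme.sh

#######################################
# Accept only a plain DNS hostname: dot-separated labels made of letters,
# digits and inner hyphens, at most 253 characters in total.
# The domain is later used in file paths and inside the reload command
# string handed to acme.sh, so shell metacharacters, slashes and whitespace
# must never get through. Wildcards are rejected as well.
# Arguments: $1 - candidate domain
# Returns:   0 if valid, non-zero otherwise
#######################################
is_valid_domain() {
  # Byte-wise matching so [A-Za-z] cannot match locale-specific letters.
  local LC_ALL=C
  local label='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
  local re="^(${label}\.)+${label}\$"
  (( ${#1} <= 253 )) && [[ "$1" =~ $re ]]
}

# --- 1. Read user input ---
read -r -p "请输入您要申请的域名 (例如: ui.shanghi.net): " DOMAIN

# Reject empty input.
if [ -z "$DOMAIN" ]; then
  echo "错误:域名不能为空!" >&2
  exit 1
fi

# Reject anything that is not a well-formed hostname before it reaches a
# path or a command string.
if ! is_valid_domain "$DOMAIN"; then
  echo "错误:域名格式不合法!" >&2
  exit 1
fi

KEY_FILE="$CERT_BASE_DIR/$DOMAIN.key"
CRT_FILE="$CERT_BASE_DIR/$DOMAIN.crt"

# Show what is about to happen and wait for confirmation.
echo "----------------------------------------"
echo "准备为域名: $DOMAIN 申请证书"
echo "存放路径: $KEY_FILE"
echo "----------------------------------------"
read -r -p "确认无误请按回车继续,取消请按 Ctrl+C ..." _

# --- 2. Prerequisites ---
if [ ! -x "$ACME_SH" ]; then
  echo "错误:未找到 acme.sh ($ACME_SH),请先安装 acme.sh。" >&2
  exit 1
fi

# Make sure the target directory exists.
if ! mkdir -p -- "$CERT_BASE_DIR"; then
  echo "错误:无法创建目录 $CERT_BASE_DIR" >&2
  exit 1
fi

# --- 3. Environment check (install socat) ---
# Only install when socat is missing; standalone mode depends on it.
if ! command -v socat &> /dev/null; then
  echo "正在安装 socat (Standalone模式依赖)..."
  if [ -f /usr/bin/apt ]; then
    apt update && apt install socat -y
  elif [ -f /usr/bin/yum ]; then
    yum install socat -y
  fi
  # Stop here instead of failing later inside acme.sh with a less clear error.
  if ! command -v socat &> /dev/null; then
    echo "错误:socat 安装失败,请手动安装后重试。" >&2
    exit 1
  fi
else
  echo "检测到 socat 已安装,跳过安装步骤。"
fi

# --- 4. Issue and install ---
# Standalone mode must bind port 80, so warn when something already listens.
if command -v lsof &> /dev/null; then
  if lsof -Pi :80 -sTCP:LISTEN -t > /dev/null; then
    echo "警告:检测到 80 端口被占用!"
    echo "Standalone 模式需要占用 80 端口。请先停止 Nginx/Apache,或确保没有服务占用 80。"
    read -r -p "是否强制尝试继续? (y/n): " force_run
    if [ "$force_run" != "y" ]; then
      echo "脚本已终止。"
      exit 1
    fi
  fi
else
  echo "提示:未找到 lsof,跳过 80 端口占用检查。"
fi

echo "正在向 CA 机构申请证书..."

# acme.sh documents --issue and --install-cert as separate commands, so they
# are run as two steps; passing both in one invocation risks one overriding
# the other.
# NOTE(review): --force re-issues on every run even when the current
# certificate is not due, which counts against CA rate limits.
issued=1
if "$ACME_SH" --issue -d "$DOMAIN" --standalone --email "$EMAIL" --force; then
  # The reload command is stored by acme.sh and run again at each renewal.
  # $DOMAIN is embedded in that command string, which is why it is strictly
  # validated above.
  if "$ACME_SH" --install-cert -d "$DOMAIN" \
    --key-file "$KEY_FILE" \
    --fullchain-file "$CRT_FILE" \
    --reloadcmd "echo \"\$(date): 证书 $DOMAIN 已更新\" >> /var/log/acme_renewal.log"; then
    issued=0
  fi
fi

# --- 5. Report the result ---
if [ "$issued" -eq 0 ]; then
  # Keep the private key readable by its owner only, whatever the umask was.
  chmod 600 -- "$KEY_FILE"
  echo ""
  echo "========================================================"
  echo " ✅ 证书申请成功!"
  echo " 域名: $DOMAIN"
  echo " 公钥 (crt): $CRT_FILE"
  echo " 私钥 (key): $KEY_FILE"
  echo "========================================================"
else
  echo ""
  echo " ❌ 申请失败。"
  echo "请检查:1. 域名解析是否生效? 2. 防火墙是否放行了 80 端口?"
fi
EOF
chmod +x cert_apply.sh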