fix(ssl): keep panel certificate in sync after auto-renew (#12858)
The auto-renew flow in obtainSSL returned early when OpenResty was not
installed or nginx -s reload failed, skipping reloadSystemSSL. The new
certificate was persisted to the DB and written into website Nginx
configs, but the panel's own server.crt / server.key on disk and the
in-memory constant.CertStore were left pointing at the old material.
Because the cert was now fresh, subsequent cron ticks did not retry the
renewal, so the panel kept serving the stale cert until a user manually
re-applied it from 面板设置 → SSL.
Two changes:
1. agent/app/service/website_ssl.go
reloadSystemSSL is now called unconditionally after a successful
renewal, regardless of whether OpenResty is present or nginx reload
succeeded. The function already short-circuits for non-panel SSLs,
so this is safe.
2. agent/app/service/website_ssl.go + agent/cron/job/ssl.go
Add SyncSystemSSL, invoked at the start of every renew cron tick.
It compares the panel's on-disk cert/key with the WebsiteSSL row
referenced by the SSLID setting and rewrites the files + notifies
core when they diverge. This recovers existing installs that are
already in the "DB ahead of disk" state and self-heals any future
drift introduced by transient failures.
https://github.com/1Panel-dev/1Panel/issues/12472