fix: [#28] SSL certificate domain mismatch in deploy-app.sh

- Fixed generate_selfsigned_certificates() function to use correct staging domains
- Removed hardcoded fallback to 'tracker.test.local'
- Added proper environment loading from staging-hetzner-staging.env
- Implemented base domain extraction logic for certificate generation
- SSL certificates now correctly generated for tracker.torrust-demo.dev and grafana.torrust-demo.dev
- Resolves nginx startup issues with SSL certificate domain mismatches

Validation:
- Successfully redeployed staging environment with correct certificates
- All services healthy and HTTPS endpoints working
- nginx running correctly with proper staging domain certificates

Author: josecelano

infrastructure/scripts/deploy-app.sh

@@ -396,9 +396,38 @@ generate_configuration_locally() {
 # this approach ensures consistency with production deployment workflows.
 generate_selfsigned_certificates() {
     local vm_ip="$1"
-    local tracker_domain="${TRACKER_DOMAIN:-tracker.test.local}"
 
-    log_info "Generating self-signed SSL certificates on VM for tracker domain: ${tracker_domain}..."
+    # Load environment variables from the deployment environment file to access domain configuration
+    local env_file="${PROJECT_ROOT}/infrastructure/config/environments/${ENVIRONMENT_FILE}.env"
+    if [[ -f "${env_file}" ]]; then
+        # shellcheck source=/dev/null
+        source "${env_file}"
+        log_info "Loaded deployment environment configuration for SSL certificate generation"
+    else
+        log_error "Environment file not found: ${env_file}"
+        log_error "Cannot generate certificates without environment configuration"
+        exit 1
+    fi
+    
+    # Validate that TRACKER_DOMAIN is set
+    if [[ -z "${TRACKER_DOMAIN:-}" ]]; then
+        log_error "TRACKER_DOMAIN is not set in environment configuration"
+        log_error "Expected format: tracker.yourdomain.com"
+        log_error "Please verify the environment file: ${env_file}"
+        exit 1
+    fi
+    
+    # Extract base domain from TRACKER_DOMAIN (e.g., "torrust-demo.dev" from "tracker.torrust-demo.dev")
+    local base_domain="${TRACKER_DOMAIN#tracker.}"
+    if [[ "${base_domain}" == "${TRACKER_DOMAIN}" ]]; then
+        log_error "TRACKER_DOMAIN does not start with 'tracker.': ${TRACKER_DOMAIN}"
+        log_error "Expected format: tracker.yourdomain.com"
+        exit 1
+    fi
+    
+    log_info "Generating self-signed SSL certificates on VM..."
+    log_info "  Base domain: ${base_domain}"
+    log_info "  Will generate certificates for: tracker.${base_domain} and grafana.${base_domain}"
 
     # Copy the certificate generation script and its shell utilities to VM
     local cert_script="${PROJECT_ROOT}/application/share/bin/ssl-generate-test-certs.sh"
@@ -427,8 +456,8 @@ generate_selfsigned_certificates() {
     vm_exec "${vm_ip}" "chmod +x ${vm_app_dir}/share/bin/shell-utils.sh"
 
     # Run certificate generation from the application directory where compose.yaml is located
-    log_info "Running certificate generation for tracker domain: ${tracker_domain}"
-    vm_exec "${vm_ip}" "cd ${vm_app_dir} && ./share/bin/ssl-generate-test-certs.sh '${tracker_domain}'"
+    log_info "Running certificate generation for base domain: ${base_domain}"
+    vm_exec "${vm_ip}" "cd ${vm_app_dir} && ./share/bin/ssl-generate-test-certs.sh '${base_domain}'"
 
     log_success "Self-signed SSL certificates generated successfully"
 }