Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zulip/scripts/setup/setup-certbot

138 lines
3.0 KiB
Plaintext
Raw Permalink Normal View History

install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward.
2017-10-02 01:43:15 +02:00
#!/usr/bin/env bash
set -e
usage() {
setup-certbot: Fix the usage message, and add the recently-added options.
2017-11-16 01:03:20 +01:00
cat <<EOF >&2
setup-cerbot: Allow issuing certificates for multiple domains. This commit allows specifying Subject Alternative Names to issue certs for multiple domains using certbot. The first name passed to certbot-auto becomes the common name for the certificate; common name and the other names are then added to the SAN field. All of these arguments are now positional. Also read the following for the certbot syntax reference: https://community.letsencrypt.org/t/how-to-specify-subject-name-on-san/ Fixes #10674.
2018-10-20 10:11:46 +02:00
Usage: $0 --email=admin@example.com [--method={webroot|standalone}] \
puppet: Use certbot package timer, not our own cron job. The certbot package installs its own systemd timer (and cron job, which disabled itself if systemd is enabled) which updates certificates. This process races with the cron job which Zulip installs -- the only difference being that Zulip respects the `certbot.auto_renew` setting, and that it passes the deploy hook. This means that occasionally nginx would not be reloaded, when the systemd timer caught the expiration first. Remove the custom cron job and `certbot-maybe-renew` script, and reconfigure certbot to always reload nginx after deploying, using certbot directory hooks. Since `certbot.auto_renew` can't have an effect, remove the setting. In turn, this removes the need for `--no-zulip-conf` to `setup-certbot`. `--deploy-hook` is similarly removed, as running deploy hooks to restart nginx is now the default; pass `--no-directory-hooks` in standalone mode to not attempt to reload nginx. The other property of `--deploy-hook`, of skipping symlinking into place, is given its own flog.
2021-12-08 23:44:33 +01:00
hostname.example.com [another.example.com]
setup-certbot: Fix the usage message, and add the recently-added options.
2017-11-16 01:03:20 +01:00
EOF
exit 1
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward.
2017-10-02 01:43:15 +02:00
}
if [ "$EUID" -ne 0 ]; then
echo "Error: This script must be run as root" >&2
exit 1
fi
setup-certbot: Add option to choose verification method. This allows the installer to continue using this script for the `standalone` method, while the no-argument form now uses the same `webroot` method as the renewal cron job, suitable for running by hand to adopt Certbot after initial install.
2017-11-16 00:19:54 +01:00
method=webroot
puppet: Use certbot package timer, not our own cron job. The certbot package installs its own systemd timer (and cron job, which disabled itself if systemd is enabled) which updates certificates. This process races with the cron job which Zulip installs -- the only difference being that Zulip respects the `certbot.auto_renew` setting, and that it passes the deploy hook. This means that occasionally nginx would not be reloaded, when the systemd timer caught the expiration first. Remove the custom cron job and `certbot-maybe-renew` script, and reconfigure certbot to always reload nginx after deploying, using certbot directory hooks. Since `certbot.auto_renew` can't have an effect, remove the setting. In turn, this removes the need for `--no-zulip-conf` to `setup-certbot`. `--deploy-hook` is similarly removed, as running deploy hooks to restart nginx is now the default; pass `--no-directory-hooks` in standalone mode to not attempt to reload nginx. The other property of `--deploy-hook`, of skipping symlinking into place, is given its own flog.
2021-12-08 23:44:33 +01:00
args="$(getopt -o '' --long help,email:,method:,skip-symlink,agree-tos -n "$0" -- "$@")"
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward.
2017-10-02 01:43:15 +02:00
eval "set -- $args"
install-shellcheck: Upgrade ShellCheck to 0.9.0. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-01-04 21:11:33 +01:00
agree_tos=()
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward.
2017-10-02 01:43:15 +02:00
while true; do
case "$1" in
--email)
EMAIL="$2"
shift
shift
;;
setup-certbot: Add option to choose verification method. This allows the installer to continue using this script for the `standalone` method, while the no-argument form now uses the same `webroot` method as the renewal cron job, suitable for running by hand to adopt Certbot after initial install.
2017-11-16 00:19:54 +01:00
--method)
method="$2"
shift
shift
;;
puppet: Use certbot package timer, not our own cron job. The certbot package installs its own systemd timer (and cron job, which disabled itself if systemd is enabled) which updates certificates. This process races with the cron job which Zulip installs -- the only difference being that Zulip respects the `certbot.auto_renew` setting, and that it passes the deploy hook. This means that occasionally nginx would not be reloaded, when the systemd timer caught the expiration first. Remove the custom cron job and `certbot-maybe-renew` script, and reconfigure certbot to always reload nginx after deploying, using certbot directory hooks. Since `certbot.auto_renew` can't have an effect, remove the setting. In turn, this removes the need for `--no-zulip-conf` to `setup-certbot`. `--deploy-hook` is similarly removed, as running deploy hooks to restart nginx is now the default; pass `--no-directory-hooks` in standalone mode to not attempt to reload nginx. The other property of `--deploy-hook`, of skipping symlinking into place, is given its own flog.
2021-12-08 23:44:33 +01:00
--skip-symlink)
skip_symlink=1
install: Add a couple Docker-specific options to the certbot scripts. --agree-tos is useful for the Docker environment, where we won't have an interactive shell present for agreeing to the ToS. --deploy-hook is also useful for the Docker environment; it makes it possible to customize what deploy hook (if any) we pass into the underlying cerbot command.
2018-07-22 20:56:24 +02:00
shift
;;
--agree-tos)
install-shellcheck: Upgrade ShellCheck to 0.9.0. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-01-04 21:11:33 +01:00
agree_tos=(--agree-tos)
install: Add a couple Docker-specific options to the certbot scripts. --agree-tos is useful for the Docker environment, where we won't have an interactive shell present for agreeing to the ToS. --deploy-hook is also useful for the Docker environment; it makes it possible to customize what deploy hook (if any) we pass into the underlying cerbot command.
2018-07-22 20:56:24 +02:00
shift
;;
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward.
2017-10-02 01:43:15 +02:00
--help)
show_help=1
shift
;;
--)
setup-cerbot: Allow issuing certificates for multiple domains. This commit allows specifying Subject Alternative Names to issue certs for multiple domains using certbot. The first name passed to certbot-auto becomes the common name for the certificate; common name and the other names are then added to the SAN field. All of these arguments are now positional. Also read the following for the certbot syntax reference: https://community.letsencrypt.org/t/how-to-specify-subject-name-on-san/ Fixes #10674.
2018-10-20 10:11:46 +02:00
shift
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward.
2017-10-02 01:43:15 +02:00
break
;;
esac
done
setup-cerbot: Allow issuing certificates for multiple domains. This commit allows specifying Subject Alternative Names to issue certs for multiple domains using certbot. The first name passed to certbot-auto becomes the common name for the certificate; common name and the other names are then added to the SAN field. All of these arguments are now positional. Also read the following for the certbot syntax reference: https://community.letsencrypt.org/t/how-to-specify-subject-name-on-san/ Fixes #10674.
2018-10-20 10:11:46 +02:00
# Parse the remaining arguments as Subject Alternative Names to pass to certbot
HOSTNAMES=()
for arg; do
HOSTNAMES+=(-d "$arg")
done
DOMAIN=$1
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward.
2017-10-02 01:43:15 +02:00
if [ -n "$show_help" ]; then
usage
fi
setup-certbot: Fix shellcheck warnings. In scripts/setup/setup-certbot line 64: if [ -z "$DOMAIN" -o -z "$EMAIL" ]; then ^-- SC2166: Prefer [ p ] || [ q ] as [ p -o q ] is not well defined. In scripts/setup/setup-certbot line 73: method_args=(--webroot --webroot-path=/var/lib/zulip/certbot-webroot/) ^-- SC2191: The = here is literal. To assign by index, use ( [index]=value ) with no spaces. To keep as literal, quote it. In scripts/setup/setup-certbot line 112: if [ -z "$deploy_hook" ]; then ^-- SC2128: Expanding an array without an index only gives the first element. Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2018-08-03 02:14:48 +02:00
if [ -z "$DOMAIN" ] || [ -z "$EMAIL" ]; then
setup-certbot: Require hostname and email. The script already won't work without them; so if the user gets the invocation wrong, give a halfway-reasonable error rather than just crash into the ground.
2017-11-16 01:04:54 +01:00
usage
fi
setup-certbot: Add option to choose verification method. This allows the installer to continue using this script for the `standalone` method, while the no-argument form now uses the same `webroot` method as the renewal cron job, suitable for running by hand to adopt Certbot after initial install.
2017-11-16 00:19:54 +01:00
case "$method" in
standalone)
puppet: Use certbot package timer, not our own cron job. The certbot package installs its own systemd timer (and cron job, which disabled itself if systemd is enabled) which updates certificates. This process races with the cron job which Zulip installs -- the only difference being that Zulip respects the `certbot.auto_renew` setting, and that it passes the deploy hook. This means that occasionally nginx would not be reloaded, when the systemd timer caught the expiration first. Remove the custom cron job and `certbot-maybe-renew` script, and reconfigure certbot to always reload nginx after deploying, using certbot directory hooks. Since `certbot.auto_renew` can't have an effect, remove the setting. In turn, this removes the need for `--no-zulip-conf` to `setup-certbot`. `--deploy-hook` is similarly removed, as running deploy hooks to restart nginx is now the default; pass `--no-directory-hooks` in standalone mode to not attempt to reload nginx. The other property of `--deploy-hook`, of skipping symlinking into place, is given its own flog.
2021-12-08 23:44:33 +01:00
method_args=(--standalone --no-directory-hooks)
setup-certbot: Add option to choose verification method. This allows the installer to continue using this script for the `standalone` method, while the no-argument form now uses the same `webroot` method as the renewal cron job, suitable for running by hand to adopt Certbot after initial install.
2017-11-16 00:19:54 +01:00
;;
webroot)
setup-certbot: Fix shellcheck warnings. In scripts/setup/setup-certbot line 64: if [ -z "$DOMAIN" -o -z "$EMAIL" ]; then ^-- SC2166: Prefer [ p ] || [ q ] as [ p -o q ] is not well defined. In scripts/setup/setup-certbot line 73: method_args=(--webroot --webroot-path=/var/lib/zulip/certbot-webroot/) ^-- SC2191: The = here is literal. To assign by index, use ( [index]=value ) with no spaces. To keep as literal, quote it. In scripts/setup/setup-certbot line 112: if [ -z "$deploy_hook" ]; then ^-- SC2128: Expanding an array without an index only gives the first element. Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2018-08-03 02:14:48 +02:00
method_args=(--webroot '--webroot-path=/var/lib/zulip/certbot-webroot/')
setup-certbot: Add option to choose verification method. This allows the installer to continue using this script for the `standalone` method, while the no-argument form now uses the same `webroot` method as the renewal cron job, suitable for running by hand to adopt Certbot after initial install.
2017-11-16 00:19:54 +01:00
;;
*)
usage
;;
esac
certbot: Switch to use certbot from apt. certbot-auto doesn’t work on Ubuntu 20.04, and won’t be updated; we migrate to instead using the certbot package shipped with the OS instead. Also made sure that sure certbot gets installed when running zulip-puppet-apply, to handle existing systems.
2020-05-20 22:36:50 +02:00
# Check for a supported OS release.
if [ -f /etc/os-release ]; then
shfmt: Reformat shell scripts with shfmt. https://github.com/mvdan/sh Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-10-15 04:55:57 +02:00
os_info="$(
. /etc/os-release
printf '%s\n' "$ID" "$ID_LIKE"
)"
{
read -r os_id
read -r os_id_like || true
} <<<"$os_info"
certbot: Switch to use certbot from apt. certbot-auto doesn’t work on Ubuntu 20.04, and won’t be updated; we migrate to instead using the certbot package shipped with the OS instead. Also made sure that sure certbot gets installed when running zulip-puppet-apply, to handle existing systems.
2020-05-20 22:36:50 +02:00
fi
setup-certbot: Use set -x. When there's a failure, this can make it much less confusing to figure out.
2017-11-15 22:27:48 +01:00
set -x
certbot: Switch to use certbot from apt. certbot-auto doesn’t work on Ubuntu 20.04, and won’t be updated; we migrate to instead using the certbot package shipped with the OS instead. Also made sure that sure certbot gets installed when running zulip-puppet-apply, to handle existing systems.
2020-05-20 22:36:50 +02:00
case " $os_id $os_id_like " in
*' debian '*)
certbot: Explicitly apt-get update before installing certbot. There is no guarantee that the apt data is up-to-date, unless we explicitly update. Fixes: zulip/docker-zulip#275
2020-09-21 22:33:39 +02:00
apt-get update
certbot: Switch to use certbot from apt. certbot-auto doesn’t work on Ubuntu 20.04, and won’t be updated; we migrate to instead using the certbot package shipped with the OS instead. Also made sure that sure certbot gets installed when running zulip-puppet-apply, to handle existing systems.
2020-05-20 22:36:50 +02:00
apt-get install -y certbot
;;
*' rhel '*)
yum install -y certbot
;;
esac
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward.
2017-10-02 01:43:15 +02:00
setup-certbot: Stop automatically "agreeing" to the LE TOS. It's not appropriate for our script to pass the `--agree-tos` flag without any evidence of the user actually having any knowledge of, let alone intent to agree to, any such ToS. Stop doing that. Fortunately this script hasn't been part of any release, so it's likely that no users have gone down this path.
2018-01-22 23:42:04 +01:00
# We don't use --no-interactive, because certbot needs to ask the user
# to agree to the Let's Encrypt Subscriber Agreement (aka ToS).
# Passing --force-interactive suppresses a warning, but also brings up
# an annoying prompt we stifle with --no-eff-email.
certbot: Switch to use certbot from apt. certbot-auto doesn’t work on Ubuntu 20.04, and won’t be updated; we migrate to instead using the certbot package shipped with the OS instead. Also made sure that sure certbot gets installed when running zulip-puppet-apply, to handle existing systems.
2020-05-20 22:36:50 +02:00
certbot certonly "${method_args[@]}" \
shfmt: Reformat shell scripts with shfmt. https://github.com/mvdan/sh Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-10-15 04:55:57 +02:00
"${HOSTNAMES[@]}" -m "$EMAIL" \
install-shellcheck: Upgrade ShellCheck to 0.9.0. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-01-04 21:11:33 +01:00
"${agree_tos[@]}" \
shfmt: Reformat shell scripts with shfmt. https://github.com/mvdan/sh Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-10-15 04:55:57 +02:00
--force-interactive --no-eff-email
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward.
2017-10-02 01:43:15 +02:00
setup-certbot: Treat potential existing certs with kid gloves. This helps make this script suitable to run on existing installations, by mitigating any worry about clobbering existing certs with links to the new ones, in case the admin changes their mind or was using the certs for something else too.
2017-11-15 00:12:26 +01:00
symlink_with_backup() {
if [ -e "$2" ]; then
# If the user is setting up our automatic certbot-management on a
# system that already has certs for Zulip, use some extra caution
# to keep the old certs available.
mv -f --backup=numbered "$2" "$2".setup-certbot || true
fi
ln -nsf "$1" "$2"
}
puppet: Use certbot package timer, not our own cron job. The certbot package installs its own systemd timer (and cron job, which disabled itself if systemd is enabled) which updates certificates. This process races with the cron job which Zulip installs -- the only difference being that Zulip respects the `certbot.auto_renew` setting, and that it passes the deploy hook. This means that occasionally nginx would not be reloaded, when the systemd timer caught the expiration first. Remove the custom cron job and `certbot-maybe-renew` script, and reconfigure certbot to always reload nginx after deploying, using certbot directory hooks. Since `certbot.auto_renew` can't have an effect, remove the setting. In turn, this removes the need for `--no-zulip-conf` to `setup-certbot`. `--deploy-hook` is similarly removed, as running deploy hooks to restart nginx is now the default; pass `--no-directory-hooks` in standalone mode to not attempt to reload nginx. The other property of `--deploy-hook`, of skipping symlinking into place, is given its own flog.
2021-12-08 23:44:33 +01:00
if [ -z "$skip_symlink" ]; then
install: Add a couple Docker-specific options to the certbot scripts. --agree-tos is useful for the Docker environment, where we won't have an interactive shell present for agreeing to the ToS. --deploy-hook is also useful for the Docker environment; it makes it possible to customize what deploy hook (if any) we pass into the underlying cerbot command.
2018-07-22 20:56:24 +02:00
CERT_DIR=/etc/letsencrypt/live/"$DOMAIN"
symlink_with_backup "$CERT_DIR"/privkey.pem /etc/ssl/private/zulip.key
symlink_with_backup "$CERT_DIR"/fullchain.pem /etc/ssl/certs/zulip.combined-chain.crt
fi
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward.
2017-10-02 01:43:15 +02:00
setup-certbot: Reinstate nginx reload after installation. If nginx was already installed, and we're using the webroot method of initializing certbot, nginx needs to be reloaded. Hooks in `/etc/letsencrypt/renewal-hooks/deploy/` do not run during initial `certbot certonly`, so an explicit reload is required.
2021-12-10 23:34:41 +01:00
# "certbot certonly" does not run deploy hooks, so reload nginx if
# need be to pick up the new certificate.
case "$method" in
webroot)
service nginx reload
;;
esac
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward.
2017-10-02 01:43:15 +02:00
echo "Certbot SSL certificate configuration succeeded."