zulip/scripts/setup/setup-certbot

#!/usr/bin/env bash

set -e

usage() {
    cat <<EOF >&2
Usage: $0 --hostname=zulip.example.com --email=admin@example.com [--method={webroot|standalone}] [--no-zulip-conf]
EOF
    exit 1
}

if [ "$EUID" -ne 0 ]; then
    echo "Error: This script must be run as root" >&2
    exit 1
fi

method=webroot
args="$(getopt -o '' --long help,hostname:,email:,method:,no-zulip-conf -n "$0" -- "$@")"
eval "set -- $args"
while true; do
    case "$1" in
        --hostname)
            DOMAIN="$2"
            shift
            shift
            ;;
        --email)
            EMAIL="$2"
            shift
            shift
            ;;
        --method)
            method="$2"
            shift
            shift
            ;;
        --no-zulip-conf)
            no_zulip_conf=1
            shift
            ;;
        --help)
            show_help=1
            shift
            ;;
        --)
            break
            ;;
    esac
done

if [ -n "$show_help" ]; then
    usage
fi

if [ -z "$DOMAIN" -o -z "$EMAIL" ]; then
    usage
fi

case "$method" in
    standalone)
        method_args=(--standalone)
        ;;
    webroot)
        method_args=(--webroot --webroot-path=/var/lib/zulip/certbot-webroot/)
        ;;
    *)
        usage
        ;;
esac

set -x

CERTBOT_PATH="/usr/local/sbin/certbot-auto"
# For reference https://certbot.eff.org/all-instructions/#debian-other-nginx
wget -q https://dl.eff.org/certbot-auto -O "$CERTBOT_PATH"
chmod a+x "$CERTBOT_PATH"

"$CERTBOT_PATH" certonly "${method_args[@]}" -d "$DOMAIN" -m "$EMAIL" --agree-tos --non-interactive

symlink_with_backup() {
    if [ -e "$2" ]; then
        # If the user is setting up our automatic certbot-management on a
        # system that already has certs for Zulip, use some extra caution
        # to keep the old certs available.
        mv -f --backup=numbered "$2" "$2".setup-certbot || true
    fi
    ln -nsf "$1" "$2"
}

CERT_DIR=/etc/letsencrypt/live/"$DOMAIN"
symlink_with_backup "$CERT_DIR"/privkey.pem /etc/ssl/private/zulip.key
symlink_with_backup "$CERT_DIR"/fullchain.pem /etc/ssl/certs/zulip.combined-chain.crt

case "$method" in
    webroot)
        service nginx reload
        ;;
esac

if [ -z "$no_zulip_conf" ]; then
    crudini --set /etc/zulip/zulip.conf certbot auto_renew yes
fi

echo "Certbot SSL certificate configuration succeeded."
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00			`#!/usr/bin/env bash`

			`set -e`

			`usage() {`
setup-certbot: Fix the usage message, and add the recently-added options. 2017-11-16 01:03:20 +01:00			`cat <<EOF >&2`
			`Usage: $0 --hostname=zulip.example.com --email=admin@example.com [--method={webroot\|standalone}] [--no-zulip-conf]`
			`EOF`
			`exit 1`
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00			`}`

			`if [ "$EUID" -ne 0 ]; then`
			`echo "Error: This script must be run as root" >&2`
			`exit 1`
			`fi`

setup-certbot: Add option to choose verification method. This allows the installer to continue using this script for the `standalone` method, while the no-argument form now uses the same `webroot` method as the renewal cron job, suitable for running by hand to adopt Certbot after initial install. 2017-11-16 00:19:54 +01:00			`method=webroot`
			`args="$(getopt -o '' --long help,hostname:,email:,method:,no-zulip-conf -n "$0" -- "$@")"`
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00			`eval "set -- $args"`
			`while true; do`
			`case "$1" in`
			`--hostname)`
			`DOMAIN="$2"`
			`shift`
			`shift`
			`;;`
			`--email)`
			`EMAIL="$2"`
			`shift`
			`shift`
			`;;`
setup-certbot: Add option to choose verification method. This allows the installer to continue using this script for the `standalone` method, while the no-argument form now uses the same `webroot` method as the renewal cron job, suitable for running by hand to adopt Certbot after initial install. 2017-11-16 00:19:54 +01:00			`--method)`
			`method="$2"`
			`shift`
			`shift`
			`;;`
certbot: Control auto-renew with a zulip.conf setting. This causes the cron job to run only when a Zulip-managed certbot install is actually set up. Inside `install`, zulip.conf doesn't yet exist when we run setup-certbot, so we write the setting later. But we also give setup-certbot the ability to write the setting itself, so that we can recommend it in instructions for adopting certbot in an existing Zulip installation. 2017-11-15 00:48:22 +01:00			`--no-zulip-conf)`
			`no_zulip_conf=1`
			`shift`
			`;;`
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00			`--help)`
			`show_help=1`
			`shift`
			`;;`
			`--)`
			`break`
			`;;`
			`esac`
			`done`

			`if [ -n "$show_help" ]; then`
			`usage`
			`fi`

setup-certbot: Require hostname and email. The script already won't work without them; so if the user gets the invocation wrong, give a halfway-reasonable error rather than just crash into the ground. 2017-11-16 01:04:54 +01:00			`if [ -z "$DOMAIN" -o -z "$EMAIL" ]; then`
			`usage`
			`fi`

setup-certbot: Add option to choose verification method. This allows the installer to continue using this script for the `standalone` method, while the no-argument form now uses the same `webroot` method as the renewal cron job, suitable for running by hand to adopt Certbot after initial install. 2017-11-16 00:19:54 +01:00			`case "$method" in`
			`standalone)`
			`method_args=(--standalone)`
			`;;`
			`webroot)`
			`method_args=(--webroot --webroot-path=/var/lib/zulip/certbot-webroot/)`
			`;;`
			`*)`
			`usage`
			`;;`
			`esac`

setup-certbot: Use set -x. When there's a failure, this can make it much less confusing to figure out. 2017-11-15 22:27:48 +01:00			`set -x`

certbot: Move path to /usr/local/sbin. [greg: fixed typo bug] 2017-11-10 19:32:55 +01:00			`CERTBOT_PATH="/usr/local/sbin/certbot-auto"`
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00			`# For reference https://certbot.eff.org/all-instructions/#debian-other-nginx`
setup-certbot: Eliminate obnoxious wget spew. 2017-11-15 00:14:52 +01:00			`wget -q https://dl.eff.org/certbot-auto -O "$CERTBOT_PATH"`
certbot: Move path to /usr/local/sbin. [greg: fixed typo bug] 2017-11-10 19:32:55 +01:00			`chmod a+x "$CERTBOT_PATH"`
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00
setup-certbot: Add option to choose verification method. This allows the installer to continue using this script for the `standalone` method, while the no-argument form now uses the same `webroot` method as the renewal cron job, suitable for running by hand to adopt Certbot after initial install. 2017-11-16 00:19:54 +01:00			`"$CERTBOT_PATH" certonly "${method_args[@]}" -d "$DOMAIN" -m "$EMAIL" --agree-tos --non-interactive`
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00
setup-certbot: Treat potential existing certs with kid gloves. This helps make this script suitable to run on existing installations, by mitigating any worry about clobbering existing certs with links to the new ones, in case the admin changes their mind or was using the certs for something else too. 2017-11-15 00:12:26 +01:00			`symlink_with_backup() {`
			`if [ -e "$2" ]; then`
			`# If the user is setting up our automatic certbot-management on a`
			`# system that already has certs for Zulip, use some extra caution`
			`# to keep the old certs available.`
			`mv -f --backup=numbered "$2" "$2".setup-certbot \|\| true`
			`fi`
			`ln -nsf "$1" "$2"`
			`}`

			`CERT_DIR=/etc/letsencrypt/live/"$DOMAIN"`
			`symlink_with_backup "$CERT_DIR"/privkey.pem /etc/ssl/private/zulip.key`
			`symlink_with_backup "$CERT_DIR"/fullchain.pem /etc/ssl/certs/zulip.combined-chain.crt`
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00
setup-certbot: Add option to choose verification method. This allows the installer to continue using this script for the `standalone` method, while the no-argument form now uses the same `webroot` method as the renewal cron job, suitable for running by hand to adopt Certbot after initial install. 2017-11-16 00:19:54 +01:00			`case "$method" in`
			`webroot)`
			`service nginx reload`
			`;;`
			`esac`

certbot: Control auto-renew with a zulip.conf setting. This causes the cron job to run only when a Zulip-managed certbot install is actually set up. Inside `install`, zulip.conf doesn't yet exist when we run setup-certbot, so we write the setting later. But we also give setup-certbot the ability to write the setting itself, so that we can recommend it in instructions for adopting certbot in an existing Zulip installation. 2017-11-15 00:48:22 +01:00			`if [ -z "$no_zulip_conf" ]; then`
			`crudini --set /etc/zulip/zulip.conf certbot auto_renew yes`
			`fi`

install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00			`echo "Certbot SSL certificate configuration succeeded."`