zulip/scripts/setup/setup-certbot

#!/usr/bin/env bash

set -e

usage() {
    cat <<EOF >&2
Usage: $0 --email=admin@example.com [--method={webroot|standalone}] \
[--no-zulip-conf] hostname.example.com [another.example.com]
EOF
    exit 1
}

if [ "$EUID" -ne 0 ]; then
    echo "Error: This script must be run as root" >&2
    exit 1
fi

method=webroot
args="$(getopt -o '' --long help,email:,method:,deploy-hook:,no-zulip-conf,agree-tos -n "$0" -- "$@")"
eval "set -- $args"
while true; do
    case "$1" in
        --email)
            EMAIL="$2"
            shift
            shift
            ;;
        --method)
            method="$2"
            shift
            shift
            ;;
        --deploy-hook)
            deploy_hook=(--deploy-hook "$2")
            shift
            shift
            ;;
        --agree-tos)
            agree_tos=--agree-tos
            shift
            ;;
        --no-zulip-conf)
            no_zulip_conf=1
            shift
            ;;
        --help)
            show_help=1
            shift
            ;;
        --)
            shift
            break
            ;;
    esac
done

# Parse the remaining arguments as Subject Alternative Names to pass to certbot
HOSTNAMES=()
for arg; do
    HOSTNAMES+=(-d "$arg")
done
DOMAIN=$1

if [ -n "$show_help" ]; then
    usage
fi

if [ -z "$DOMAIN" ] || [ -z "$EMAIL" ]; then
    usage
fi

case "$method" in
    standalone)
        method_args=(--standalone)
        ;;
    webroot)
        method_args=(--webroot '--webroot-path=/var/lib/zulip/certbot-webroot/')
        ;;
    *)
        usage
        ;;
esac

set -x

CERTBOT_PATH="/usr/local/sbin/certbot-auto"
# For reference https://certbot.eff.org/all-instructions/#debian-other-nginx
wget -q https://dl.eff.org/certbot-auto -O "$CERTBOT_PATH"
chmod a+x "$CERTBOT_PATH"

# First, we install the OS packages with --quiet, to suppress `apt`
# prompting the user for input.  This can't be part of the same
# invocation as gets the certs, since `certonly --quiet --force-interactive`
# rejects the Certbot ToS, causing Certbot to fail.
"$CERTBOT_PATH" --os-packages-only --quiet
# We don't use --no-interactive, because certbot needs to ask the user
# to agree to the Let's Encrypt Subscriber Agreement (aka ToS).
# Passing --force-interactive suppresses a warning, but also brings up
# an annoying prompt we stifle with --no-eff-email.
"$CERTBOT_PATH" certonly "${method_args[@]}" \
                "${HOSTNAMES[@]}" -m "$EMAIL" \
                $agree_tos \
                "${deploy_hook[@]}" \
                --force-interactive --no-eff-email

symlink_with_backup() {
    if [ -e "$2" ]; then
        # If the user is setting up our automatic certbot-management on a
        # system that already has certs for Zulip, use some extra caution
        # to keep the old certs available.
        mv -f --backup=numbered "$2" "$2".setup-certbot || true
    fi
    ln -nsf "$1" "$2"
}

if [ ${#deploy_hook} -eq 0 ]; then
    # If no deploy hook was specified, assume we're deploying to the default
    # location Zulip wants.
    CERT_DIR=/etc/letsencrypt/live/"$DOMAIN"
    symlink_with_backup "$CERT_DIR"/privkey.pem /etc/ssl/private/zulip.key
    symlink_with_backup "$CERT_DIR"/fullchain.pem /etc/ssl/certs/zulip.combined-chain.crt
fi

case "$method" in
    webroot)
        service nginx reload
        ;;
esac

if [ -z "$no_zulip_conf" ]; then
    crudini --set /etc/zulip/zulip.conf certbot auto_renew yes
fi

echo "Certbot SSL certificate configuration succeeded."
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00			`#!/usr/bin/env bash`

			`set -e`

			`usage() {`
setup-certbot: Fix the usage message, and add the recently-added options. 2017-11-16 01:03:20 +01:00			`cat <<EOF >&2`
setup-cerbot: Allow issuing certificates for multiple domains. This commit allows specifying Subject Alternative Names to issue certs for multiple domains using certbot. The first name passed to certbot-auto becomes the common name for the certificate; common name and the other names are then added to the SAN field. All of these arguments are now positional. Also read the following for the certbot syntax reference: https://community.letsencrypt.org/t/how-to-specify-subject-name-on-san/ Fixes #10674. 2018-10-20 10:11:46 +02:00			`Usage: $0 --email=admin@example.com [--method={webroot\|standalone}] \`
			`[--no-zulip-conf] hostname.example.com [another.example.com]`
setup-certbot: Fix the usage message, and add the recently-added options. 2017-11-16 01:03:20 +01:00			`EOF`
			`exit 1`
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00			`}`

			`if [ "$EUID" -ne 0 ]; then`
			`echo "Error: This script must be run as root" >&2`
			`exit 1`
			`fi`

setup-certbot: Add option to choose verification method. This allows the installer to continue using this script for the `standalone` method, while the no-argument form now uses the same `webroot` method as the renewal cron job, suitable for running by hand to adopt Certbot after initial install. 2017-11-16 00:19:54 +01:00			`method=webroot`
setup-cerbot: Allow issuing certificates for multiple domains. This commit allows specifying Subject Alternative Names to issue certs for multiple domains using certbot. The first name passed to certbot-auto becomes the common name for the certificate; common name and the other names are then added to the SAN field. All of these arguments are now positional. Also read the following for the certbot syntax reference: https://community.letsencrypt.org/t/how-to-specify-subject-name-on-san/ Fixes #10674. 2018-10-20 10:11:46 +02:00			`args="$(getopt -o '' --long help,email:,method:,deploy-hook:,no-zulip-conf,agree-tos -n "$0" -- "$@")"`
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00			`eval "set -- $args"`
			`while true; do`
			`case "$1" in`
			`--email)`
			`EMAIL="$2"`
			`shift`
			`shift`
			`;;`
setup-certbot: Add option to choose verification method. This allows the installer to continue using this script for the `standalone` method, while the no-argument form now uses the same `webroot` method as the renewal cron job, suitable for running by hand to adopt Certbot after initial install. 2017-11-16 00:19:54 +01:00			`--method)`
			`method="$2"`
			`shift`
			`shift`
			`;;`
install: Add a couple Docker-specific options to the certbot scripts. --agree-tos is useful for the Docker environment, where we won't have an interactive shell present for agreeing to the ToS. --deploy-hook is also useful for the Docker environment; it makes it possible to customize what deploy hook (if any) we pass into the underlying cerbot command. 2018-07-22 20:56:24 +02:00			`--deploy-hook)`
			`deploy_hook=(--deploy-hook "$2")`
			`shift`
			`shift`
			`;;`
			`--agree-tos)`
			`agree_tos=--agree-tos`
			`shift`
			`;;`
certbot: Control auto-renew with a zulip.conf setting. This causes the cron job to run only when a Zulip-managed certbot install is actually set up. Inside `install`, zulip.conf doesn't yet exist when we run setup-certbot, so we write the setting later. But we also give setup-certbot the ability to write the setting itself, so that we can recommend it in instructions for adopting certbot in an existing Zulip installation. 2017-11-15 00:48:22 +01:00			`--no-zulip-conf)`
			`no_zulip_conf=1`
			`shift`
			`;;`
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00			`--help)`
			`show_help=1`
			`shift`
			`;;`
			`--)`
setup-cerbot: Allow issuing certificates for multiple domains. This commit allows specifying Subject Alternative Names to issue certs for multiple domains using certbot. The first name passed to certbot-auto becomes the common name for the certificate; common name and the other names are then added to the SAN field. All of these arguments are now positional. Also read the following for the certbot syntax reference: https://community.letsencrypt.org/t/how-to-specify-subject-name-on-san/ Fixes #10674. 2018-10-20 10:11:46 +02:00			`shift`
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00			`break`
			`;;`
			`esac`
			`done`

setup-cerbot: Allow issuing certificates for multiple domains. This commit allows specifying Subject Alternative Names to issue certs for multiple domains using certbot. The first name passed to certbot-auto becomes the common name for the certificate; common name and the other names are then added to the SAN field. All of these arguments are now positional. Also read the following for the certbot syntax reference: https://community.letsencrypt.org/t/how-to-specify-subject-name-on-san/ Fixes #10674. 2018-10-20 10:11:46 +02:00			`# Parse the remaining arguments as Subject Alternative Names to pass to certbot`
			`HOSTNAMES=()`
			`for arg; do`
			`HOSTNAMES+=(-d "$arg")`
			`done`
			`DOMAIN=$1`

install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00			`if [ -n "$show_help" ]; then`
			`usage`
			`fi`

setup-certbot: Fix shellcheck warnings. In scripts/setup/setup-certbot line 64: if [ -z "$DOMAIN" -o -z "$EMAIL" ]; then ^-- SC2166: Prefer [ p ] \|\| [ q ] as [ p -o q ] is not well defined. In scripts/setup/setup-certbot line 73: method_args=(--webroot --webroot-path=/var/lib/zulip/certbot-webroot/) ^-- SC2191: The = here is literal. To assign by index, use ( [index]=value ) with no spaces. To keep as literal, quote it. In scripts/setup/setup-certbot line 112: if [ -z "$deploy_hook" ]; then ^-- SC2128: Expanding an array without an index only gives the first element. Signed-off-by: Anders Kaseorg <andersk@mit.edu> 2018-08-03 02:14:48 +02:00			`if [ -z "$DOMAIN" ] \|\| [ -z "$EMAIL" ]; then`
setup-certbot: Require hostname and email. The script already won't work without them; so if the user gets the invocation wrong, give a halfway-reasonable error rather than just crash into the ground. 2017-11-16 01:04:54 +01:00			`usage`
			`fi`

setup-certbot: Add option to choose verification method. This allows the installer to continue using this script for the `standalone` method, while the no-argument form now uses the same `webroot` method as the renewal cron job, suitable for running by hand to adopt Certbot after initial install. 2017-11-16 00:19:54 +01:00			`case "$method" in`
			`standalone)`
			`method_args=(--standalone)`
			`;;`
			`webroot)`
setup-certbot: Fix shellcheck warnings. In scripts/setup/setup-certbot line 64: if [ -z "$DOMAIN" -o -z "$EMAIL" ]; then ^-- SC2166: Prefer [ p ] \|\| [ q ] as [ p -o q ] is not well defined. In scripts/setup/setup-certbot line 73: method_args=(--webroot --webroot-path=/var/lib/zulip/certbot-webroot/) ^-- SC2191: The = here is literal. To assign by index, use ( [index]=value ) with no spaces. To keep as literal, quote it. In scripts/setup/setup-certbot line 112: if [ -z "$deploy_hook" ]; then ^-- SC2128: Expanding an array without an index only gives the first element. Signed-off-by: Anders Kaseorg <andersk@mit.edu> 2018-08-03 02:14:48 +02:00			`method_args=(--webroot '--webroot-path=/var/lib/zulip/certbot-webroot/')`
setup-certbot: Add option to choose verification method. This allows the installer to continue using this script for the `standalone` method, while the no-argument form now uses the same `webroot` method as the renewal cron job, suitable for running by hand to adopt Certbot after initial install. 2017-11-16 00:19:54 +01:00			`;;`
			`*)`
			`usage`
			`;;`
			`esac`

setup-certbot: Use set -x. When there's a failure, this can make it much less confusing to figure out. 2017-11-15 22:27:48 +01:00			`set -x`

certbot: Move path to /usr/local/sbin. [greg: fixed typo bug] 2017-11-10 19:32:55 +01:00			`CERTBOT_PATH="/usr/local/sbin/certbot-auto"`
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00			`# For reference https://certbot.eff.org/all-instructions/#debian-other-nginx`
setup-certbot: Eliminate obnoxious wget spew. 2017-11-15 00:14:52 +01:00			`wget -q https://dl.eff.org/certbot-auto -O "$CERTBOT_PATH"`
certbot: Move path to /usr/local/sbin. [greg: fixed typo bug] 2017-11-10 19:32:55 +01:00			`chmod a+x "$CERTBOT_PATH"`
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00
certbot: Don't prompt when installing apt packages. The comment included in this commit explains the somewhat messy situation that requires running certbot twice as part of this installer. Fixes #8486. 2018-03-29 02:07:54 +02:00			# First, we install the OS packages with --quiet, to suppress `apt`
			`# prompting the user for input. This can't be part of the same`
			# invocation as gets the certs, since `certonly --quiet --force-interactive`
			`# rejects the Certbot ToS, causing Certbot to fail.`
			`"$CERTBOT_PATH" --os-packages-only --quiet`
setup-certbot: Stop automatically "agreeing" to the LE TOS. It's not appropriate for our script to pass the `--agree-tos` flag without any evidence of the user actually having any knowledge of, let alone intent to agree to, any such ToS. Stop doing that. Fortunately this script hasn't been part of any release, so it's likely that no users have gone down this path. 2018-01-22 23:42:04 +01:00			`# We don't use --no-interactive, because certbot needs to ask the user`
			`# to agree to the Let's Encrypt Subscriber Agreement (aka ToS).`
			`# Passing --force-interactive suppresses a warning, but also brings up`
			`# an annoying prompt we stifle with --no-eff-email.`
install: Add a couple Docker-specific options to the certbot scripts. --agree-tos is useful for the Docker environment, where we won't have an interactive shell present for agreeing to the ToS. --deploy-hook is also useful for the Docker environment; it makes it possible to customize what deploy hook (if any) we pass into the underlying cerbot command. 2018-07-22 20:56:24 +02:00			`"$CERTBOT_PATH" certonly "${method_args[@]}" \`
setup-cerbot: Allow issuing certificates for multiple domains. This commit allows specifying Subject Alternative Names to issue certs for multiple domains using certbot. The first name passed to certbot-auto becomes the common name for the certificate; common name and the other names are then added to the SAN field. All of these arguments are now positional. Also read the following for the certbot syntax reference: https://community.letsencrypt.org/t/how-to-specify-subject-name-on-san/ Fixes #10674. 2018-10-20 10:11:46 +02:00			`"${HOSTNAMES[@]}" -m "$EMAIL" \`
setup-certbot: Remove --force-renewal. (#11652) There’s no reason to do this unless you’re, like, trying to trip the Let’s Encrypt rate limits (or perhaps trying to manually test this code). Signed-off-by: Anders Kaseorg <andersk@mit.edu> 2019-02-23 00:50:38 +01:00			`$agree_tos \`
install: Add a couple Docker-specific options to the certbot scripts. --agree-tos is useful for the Docker environment, where we won't have an interactive shell present for agreeing to the ToS. --deploy-hook is also useful for the Docker environment; it makes it possible to customize what deploy hook (if any) we pass into the underlying cerbot command. 2018-07-22 20:56:24 +02:00			`"${deploy_hook[@]}" \`
			`--force-interactive --no-eff-email`
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00
setup-certbot: Treat potential existing certs with kid gloves. This helps make this script suitable to run on existing installations, by mitigating any worry about clobbering existing certs with links to the new ones, in case the admin changes their mind or was using the certs for something else too. 2017-11-15 00:12:26 +01:00			`symlink_with_backup() {`
			`if [ -e "$2" ]; then`
			`# If the user is setting up our automatic certbot-management on a`
			`# system that already has certs for Zulip, use some extra caution`
			`# to keep the old certs available.`
			`mv -f --backup=numbered "$2" "$2".setup-certbot \|\| true`
			`fi`
			`ln -nsf "$1" "$2"`
			`}`

setup-certbot: Fix shellcheck warnings. In scripts/setup/setup-certbot line 64: if [ -z "$DOMAIN" -o -z "$EMAIL" ]; then ^-- SC2166: Prefer [ p ] \|\| [ q ] as [ p -o q ] is not well defined. In scripts/setup/setup-certbot line 73: method_args=(--webroot --webroot-path=/var/lib/zulip/certbot-webroot/) ^-- SC2191: The = here is literal. To assign by index, use ( [index]=value ) with no spaces. To keep as literal, quote it. In scripts/setup/setup-certbot line 112: if [ -z "$deploy_hook" ]; then ^-- SC2128: Expanding an array without an index only gives the first element. Signed-off-by: Anders Kaseorg <andersk@mit.edu> 2018-08-03 02:14:48 +02:00			`if [ ${#deploy_hook} -eq 0 ]; then`
install: Add a couple Docker-specific options to the certbot scripts. --agree-tos is useful for the Docker environment, where we won't have an interactive shell present for agreeing to the ToS. --deploy-hook is also useful for the Docker environment; it makes it possible to customize what deploy hook (if any) we pass into the underlying cerbot command. 2018-07-22 20:56:24 +02:00			`# If no deploy hook was specified, assume we're deploying to the default`
			`# location Zulip wants.`
			`CERT_DIR=/etc/letsencrypt/live/"$DOMAIN"`
			`symlink_with_backup "$CERT_DIR"/privkey.pem /etc/ssl/private/zulip.key`
			`symlink_with_backup "$CERT_DIR"/fullchain.pem /etc/ssl/certs/zulip.combined-chain.crt`
			`fi`
install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00
setup-certbot: Add option to choose verification method. This allows the installer to continue using this script for the `standalone` method, while the no-argument form now uses the same `webroot` method as the renewal cron job, suitable for running by hand to adopt Certbot after initial install. 2017-11-16 00:19:54 +01:00			`case "$method" in`
			`webroot)`
			`service nginx reload`
			`;;`
			`esac`

certbot: Control auto-renew with a zulip.conf setting. This causes the cron job to run only when a Zulip-managed certbot install is actually set up. Inside `install`, zulip.conf doesn't yet exist when we run setup-certbot, so we write the setting later. But we also give setup-certbot the ability to write the setting itself, so that we can recommend it in instructions for adopting certbot in an existing Zulip installation. 2017-11-15 00:48:22 +01:00			`if [ -z "$no_zulip_conf" ]; then`
			`crudini --set /etc/zulip/zulip.conf certbot auto_renew yes`
			`fi`

install: Add option to get certs via certbot. While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward. 2017-10-02 01:43:15 +02:00			`echo "Certbot SSL certificate configuration succeeded."`