install: Add a couple Docker-specific options to the certbot scripts.

--agree-tos is useful for the Docker environment, where we won't have
an interactive shell present for agreeing to the ToS.

--deploy-hook is also useful for the Docker environment; it makes it
possible to customize what deploy hook (if any) we pass into the
underlying certbot command.
This commit is contained in:
jeaye 2018-07-22 11:56:24 -07:00 committed by Tim Abbott
parent 08d890e671
commit 4999474cce
2 changed files with 25 additions and 6 deletions


@ -15,6 +15,8 @@ if ! zulip_conf_get_boolean certbot auto_renew; then
exit 0 exit 0
fi fi
deploy_hook="${ZULIP_CERTBOT_DEPLOY_HOOK:-service nginx reload}"
/usr/local/sbin/certbot-auto renew --quiet \ /usr/local/sbin/certbot-auto renew --quiet \
--webroot --webroot-path=/var/lib/zulip/certbot-webroot/ \ --webroot --webroot-path=/var/lib/zulip/certbot-webroot/ \
--deploy-hook 'service nginx reload' --deploy-hook "$deploy_hook"
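Review bot: The `--deploy-hook "$deploy_hook"` on the last line hands certbot a command string that it runs through a shell with its own privileges (presumably root, since it manages /etc/letsencrypt), so `ZULIP_CERTBOT_DEPLOY_HOOK` is effectively a root command and must only ever be set from the trusted container environment; that deserves a comment above the assignment, e.g. `# Executed by certbot via a shell after a successful renewal; only set ZULIP_CERTBOT_DEPLOY_HOOK from a trusted environment, never from user-controllable config.` Because the default uses `:-`, exporting the variable as an empty string still falls back to `service nginx reload`, so a "no hook" configuration is not expressible; if that is ever wanted, `${ZULIP_CERTBOT_DEPLOY_HOOK-service nginx reload}` would distinguish unset from empty. If this script is driven from cron, the variable also has to be present in cron's environment, which this change does not show being arranged.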


@ -15,7 +15,7 @@ if [ "$EUID" -ne 0 ]; then
fi fi
method=webroot method=webroot
args="$(getopt -o '' --long help,hostname:,email:,method:,no-zulip-conf -n "$0" -- "$@")" args="$(getopt -o '' --long help,hostname:,email:,method:,deploy-hook:,no-zulip-conf,agree-tos -n "$0" -- "$@")"
eval "set -- $args" eval "set -- $args"
while true; do while true; do
case "$1" in case "$1" in
@ -34,6 +34,15 @@ while true; do
shift shift
shift shift
;; ;;
--deploy-hook)
deploy_hook=(--deploy-hook "$2")
shift
shift
;;
--agree-tos)
agree_tos=--agree-tos
shift
;;
--no-zulip-conf) --no-zulip-conf)
no_zulip_conf=1 no_zulip_conf=1
shift shift
@ -84,7 +93,11 @@ chmod a+x "$CERTBOT_PATH"
# to agree to the Let's Encrypt Subscriber Agreement (aka ToS). # to agree to the Let's Encrypt Subscriber Agreement (aka ToS).
# Passing --force-interactive suppresses a warning, but also brings up # Passing --force-interactive suppresses a warning, but also brings up
# an annoying prompt we stifle with --no-eff-email. # an annoying prompt we stifle with --no-eff-email.
"$CERTBOT_PATH" certonly "${method_args[@]}" -d "$DOMAIN" -m "$EMAIL" --force-interactive --no-eff-email "$CERTBOT_PATH" certonly "${method_args[@]}" \
-d "$DOMAIN" -m "$EMAIL" \
$agree_tos --force-renewal \
"${deploy_hook[@]}" \
--force-interactive --no-eff-email
symlink_with_backup() { symlink_with_backup() {
if [ -e "$2" ]; then if [ -e "$2" ]; then
@ -96,9 +109,13 @@ symlink_with_backup() {
ln -nsf "$1" "$2" ln -nsf "$1" "$2"
} }
if [ -z "$deploy_hook" ]; then
# If no deploy hook was specified, assume we're deploying to the default
# location Zulip wants.
CERT_DIR=/etc/letsencrypt/live/"$DOMAIN" CERT_DIR=/etc/letsencrypt/live/"$DOMAIN"
symlink_with_backup "$CERT_DIR"/privkey.pem /etc/ssl/private/zulip.key symlink_with_backup "$CERT_DIR"/privkey.pem /etc/ssl/private/zulip.key
symlink_with_backup "$CERT_DIR"/fullchain.pem /etc/ssl/certs/zulip.combined-chain.crt symlink_with_backup "$CERT_DIR"/fullchain.pem /etc/ssl/certs/zulip.combined-chain.crt
fi
case "$method" in case "$method" in
webroot) webroot)
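Review bot: `--force-renewal` on the `certonly` invocation (third hunk) is not mentioned in the commit message and applies to every run, not just Docker: each execution of this setup script now requests a new certificate even when a valid one already exists, so repeated runs (re-provisioning, retrying after a later step failed) can consume Let's Encrypt's duplicate-certificate rate limit and block issuance for the host; if it is genuinely needed for fresh containers, gate it behind an option or at least document it with `# --force-renewal: always issue, so a rebuilt container replaces a stale cert (each issuance counts against LE's duplicate-cert limit)`. `$agree_tos` is deliberately left unquoted so an unset value vanishes, but for consistency with `method_args` and `deploy_hook` it should be an array, `agree_tos=(--agree-tos)` and `"${agree_tos[@]}"`, which also keeps ShellCheck clean. The new `[ -z "$deploy_hook" ]` test works only because `$deploy_hook` expands to the array's first element (`--deploy-hook`); `[ "${#deploy_hook[@]}" -eq 0 ]` states the intent directly. The `case "$method"` at the end of the last hunk continues outside this view.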