setup: Install a temporary certificate, before certbot runs.

Installing certbot with --method=standalone means that the
configuration file will be written to assume that the standalone
method will be used going forward.  Since nginx will be running,
attempts to renew the certificate will fail.

Install a temporary self-signed certificate, just to allow nginx to
start, and then follow up (after applying puppet to start nginx) with
the call to setup-certbot, which will use the webroot authenticator.

The `setup-certbot --method=standalone` option is left intact, for use
in development environments.

Fixes part of #20593; it does not address installs which were
previously improperly configured with `authenticator = standalone`.
Alex Vandiver 2022-01-15 01:48:06 +00:00 committed by Alex Vandiver
parent 6d2de28bf0
commit 76ce8631c0
1 changed file with 9 additions and 8 deletions


@ -369,14 +369,10 @@ elif [ "$package_system" = yum ]; then
fi
fi
if [ -n "$USE_CERTBOT" ]; then
# Puppet, which is run below, installs the post-deploy hook to
# reload nginx -- but it also installs nginx itself, so we're fine
# to run this now.
"$ZULIP_PATH"/scripts/setup/setup-certbot \
--method=standalone \
"$EXTERNAL_HOST" --email "$ZULIP_ADMINISTRATOR"
elif [ -n "$SELF_SIGNED_CERT" ]; then
# We generate a self-signed cert even with certbot, so we can use the
# webroot authenticator, which requires nginx be set up with a
# certificate.
if [ -n "$SELF_SIGNED_CERT" ] || [ -n "$USE_CERTBOT" ]; then
"$ZULIP_PATH"/scripts/setup/generate-self-signed-cert \
--exists-ok "${EXTERNAL_HOST:-$(hostname)}"
fi
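Review bot: the comment above `if [ -n "$SELF_SIGNED_CERT" ] || [ -n "$USE_CERTBOT" ]` should state that, in the certbot case, this certificate is only a placeholder so nginx can start and is replaced by the certbot-issued one once puppet has run; as written, the branch reads as though certbot installs end up serving a self-signed certificate. It is also worth spelling out that `--exists-ok` presumably leaves an already-present certificate in place, which is the right behaviour for a rerun of the installer over an existing Let's Encrypt certificate but is not obvious from the condition alone.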
@ -485,6 +481,11 @@ elif [ "$package_system" = yum ]; then
:
fi
if [ -n "$USE_CERTBOT" ]; then
"$ZULIP_PATH"/scripts/setup/setup-certbot \
"$EXTERNAL_HOST" --email "$ZULIP_ADMINISTRATOR"
fi
if has_class "zulip::nginx" && ! has_class "zulip::profile::docker"; then
# Check nginx was configured properly now that we've installed it.
# Most common failure mode is certs not having been installed.
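Review bot: the new `"$ZULIP_PATH"/scripts/setup/setup-certbot` call runs before the nginx sanity check that follows (`has_class "zulip::nginx"`), so if puppet failed to bring nginx up the user sees a certbot webroot-challenge failure rather than the clearer nginx diagnostic; consider ordering the check first, and add a comment saying the call sits after puppet precisely so that nginx is running to answer the webroot challenge, since the earlier comment explaining the placement was dropped with the standalone call. Separately, `"$EXTERNAL_HOST"` is passed here without the `${EXTERNAL_HOST:-$(hostname)}` fallback used for the self-signed certificate, so an empty `EXTERNAL_HOST` with `USE_CERTBOT` set hands setup-certbot an empty positional argument; either guard it or fail early with a message.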