From 76ce8631c019a7471454e0ecc91161629c86b88d Mon Sep 17 00:00:00 2001
From: Alex Vandiver
Date: Sat, 15 Jan 2022 01:48:06 +0000
Subject: [PATCH] setup: Install a temporary certificate, before certbot runs.

Installing certbot with --method=standalone means that the configuration file will be written to assume that the standalone method will be used going forward. Since nginx will be running, attempts to renew the certificate will fail. Install a temporary self-signed certificate, just to allow nginx to start, and then follow up (after applying puppet to start nginx) with the call to setup-certbot, which will use the webroot authenticator. The `setup-certbot --method=standalone` option is left intact, for use in development environments. Fixes part of #20593; it does not address installs which were previously improperly configured with `authenticator = standalone`.
---
 scripts/lib/install | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/scripts/lib/install b/scripts/lib/install
index c9a5ed5b46..e648b9ae91 100755
--- a/scripts/lib/install
+++ b/scripts/lib/install
@@ -369,14 +369,10 @@ elif [ "$package_system" = yum ]; then
 fi
 fi
 
-if [ -n "$USE_CERTBOT" ]; then
- # Puppet, which is run below, installs the post-deploy hook to
- # reload nginx -- but it also installs nginx itself, so we're fine
- # to run this now.
- "$ZULIP_PATH"/scripts/setup/setup-certbot \ --method=standalone \ "$EXTERNAL_HOST" --email "$ZULIP_ADMINISTRATOR"
-elif [ -n "$SELF_SIGNED_CERT" ]; then
+# We generate a self-signed cert even with certbot, so we can use the
+# webroot authenticator, which requires nginx be set up with a
+# certificate.
+if [ -n "$SELF_SIGNED_CERT" ] || [ -n "$USE_CERTBOT" ]; then
 "$ZULIP_PATH"/scripts/setup/generate-self-signed-cert \
 --exists-ok "${EXTERNAL_HOST:-$(hostname)}"
 fi
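Review bot: The new condition issues the placeholder certificate for `${EXTERNAL_HOST:-$(hostname)}` while the certbot call in the second hunk passes `$EXTERNAL_HOST` unguarded, so the two can diverge when USE_CERTBOT is set and EXTERNAL_HOST is empty; presumably the installer validates EXTERNAL_HOST earlier in the script, outside this hunk, but that dependency is no longer visible here. The added comment also does not say that, in the certbot case, this certificate is only a stand-in that nginx serves until setup-certbot replaces it, and that handoff is what the whole change relies on. I would extend the comment: `# With certbot this certificate is only a temporary placeholder; setup-certbot, run after puppet has started nginx, obtains the real one.`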
@@ -485,6 +481,11 @@ elif [ "$package_system" = yum ]; then
 :
 fi
 
+if [ -n "$USE_CERTBOT" ]; then
+ "$ZULIP_PATH"/scripts/setup/setup-certbot \
+ "$EXTERNAL_HOST" --email "$ZULIP_ADMINISTRATOR"
+fi
+
 if has_class "zulip::nginx" && ! has_class "zulip::profile::docker"; then
 # Check nginx was configured properly now that we've installed it.
 # Most common failure mode is certs not having been installed.
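Review bot: A failure of setup-certbot at this point leaves nginx serving the temporary self-signed certificate generated earlier, and the nginx check that follows (`Most common failure mode is certs not having been installed`) cannot detect that, because a certificate is present. Whether the installer aborts on the error depends on `set -e` being in effect, which is not visible in this hunk; if it is not, the install completes with a certificate clients will reject. I would make the outcome explicit, e.g. `"$ZULIP_PATH"/scripts/setup/setup-certbot "$EXTERNAL_HOST" --email "$ZULIP_ADMINISTRATOR" || { echo "setup-certbot failed; nginx is still using the temporary self-signed certificate" >&2; exit 1; }`, and record why the call now lives after the puppet run with a comment such as `# Runs after puppet has started nginx, so the webroot authenticator can answer the challenge.`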