install: Add option to get certs via certbot.

While this doesn't quite complete our plans for certbot support (it's not documented, etc.), this is a great stride forward.
2017-10-02 01:43:15 +02:00 · 2017-10-02 01:43:15 +02:00 · 8b6b4e043f
parent fe2adeeee1
commit 8b6b4e043f
2 changed files with 67 additions and 5 deletions
--- a/scripts/lib/install
+++ b/scripts/lib/install
@ -8,10 +8,18 @@ usage() {

 # Shell option parsing.  Over time, we'll want to move some of the
 # environment variables below into this self-documenting system.
-args="$(getopt -o '' --long help,hostname:,email: -n "$0" -- "$@")"
+args="$(getopt -o '' --long help,certbot,hostname:,email: -n "$0" -- "$@")"
 eval "set -- $args"
 while true; do
    case "$1" in
+        --certbot)
+            USE_CERTBOT=1
+            shift
+            ;;
+        --help)
+            show_help=1
+            shift
+            ;;
        --hostname)
            EXTERNAL_HOST="$2"
            shift
@ -22,10 +30,6 @@ while true; do
            shift
            shift
            ;;
-        --help)
-            show_help=1
-            shift
-            ;;
        --)
            break
            ;;
@ -73,6 +77,10 @@ ZULIP_PATH="$(realpath $(dirname $0)/../..)"
 # Handle issues around upstart on Ubuntu Xenial
 "$ZULIP_PATH"/scripts/lib/check-upstart

+if [ -n "$USE_CERTBOT" ]; then
+    "$ZULIP_PATH"/scripts/setup/setup-certbot --hostname "$EXTERNAL_HOST" --email "$ZULIP_ADMINISTRATOR"
+fi
+
 # Check for missing SSL certificates early as well
 if [ "$PUPPET_CLASSES" = "zulip::voyager" ] && { ! [ -e "/etc/ssl/private/zulip.key" ] || ! [ -e "/etc/ssl/certs/zulip.combined-chain.crt" ]; }; then
   set +x
--- a/scripts/setup/setup-certbot
+++ b/scripts/setup/setup-certbot
@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+set -e
+
+usage() {
+  echo "Usage: $0 <domain name> <email>" >&2
+  exit 1
+}
+
+if [ "$EUID" -ne 0 ]; then
+    echo "Error: This script must be run as root" >&2
+    exit 1
+fi
+
+args="$(getopt -o '' --long help,hostname:,email: -n "$0" -- "$@")"
+eval "set -- $args"
+while true; do
+    case "$1" in
+        --hostname)
+            DOMAIN="$2"
+            shift
+            shift
+            ;;
+        --email)
+            EMAIL="$2"
+            shift
+            shift
+            ;;
+        --help)
+            show_help=1
+            shift
+            ;;
+        --)
+            break
+            ;;
+    esac
+done
+
+if [ -n "$show_help" ]; then
+    usage
+fi
+
+# For reference https://certbot.eff.org/all-instructions/#debian-other-nginx
+# We download to /root as a reasonably safe place with only root having access
+wget https://dl.eff.org/certbot-auto -O /root/certbot-auto
+chmod a+x /root/certbot-auto
+
+/root/certbot-auto --nginx certonly -d "$DOMAIN" -m "$EMAIL" --agree-tos --non-interactive
+
+# Link the generated cert to the path read by Zulip
+ln -nsf /etc/letsencrypt/live/"$DOMAIN"/privkey.pem /etc/ssl/private/zulip.key
+ln -nsf /etc/letsencrypt/live/"$DOMAIN"/fullchain.pem /etc/ssl/certs/zulip.combined-chain.crt
+
+echo "Certbot SSL certificate configuration succeeded."