setup-certbot: Add option to choose verification method.

This allows the installer to continue using this script for the `standalone` method, while the no-argument form now uses the same `webroot` method as the renewal cron job, suitable for running by hand to adopt Certbot after initial install.
2017-11-15 15:19:54 -08:00 · 2017-11-15 15:19:54 -08:00 · 8f387ba4d4
parent 7c887a6741
commit 8f387ba4d4
2 changed files with 28 additions and 3 deletions
--- a/scripts/lib/install
+++ b/scripts/lib/install
@ -94,7 +94,8 @@ ZULIP_PATH="$(realpath $(dirname $0)/../..)"
 "$ZULIP_PATH"/scripts/lib/check-upstart

 if [ -n "$USE_CERTBOT" ]; then
-    "$ZULIP_PATH"/scripts/setup/setup-certbot --no-zulip-conf \
+    "$ZULIP_PATH"/scripts/setup/setup-certbot \
+        --no-zulip-conf --method=standalone \
        --hostname "$EXTERNAL_HOST" --email "$ZULIP_ADMINISTRATOR"
 fi

--- a/scripts/setup/setup-certbot
+++ b/scripts/setup/setup-certbot
@ -12,7 +12,8 @@ if [ "$EUID" -ne 0 ]; then
    exit 1
 fi

-args="$(getopt -o '' --long help,hostname:,email:,no-zulip-conf -n "$0" -- "$@")"
+method=webroot
+args="$(getopt -o '' --long help,hostname:,email:,method:,no-zulip-conf -n "$0" -- "$@")"
 eval "set -- $args"
 while true; do
    case "$1" in
@ -26,6 +27,11 @@ while true; do
            shift
            shift
            ;;
+        --method)
+            method="$2"
+            shift
+            shift
+            ;;
        --no-zulip-conf)
            no_zulip_conf=1
            shift
@ -44,6 +50,18 @@ if [ -n "$show_help" ]; then
    usage
 fi

+case "$method" in
+    standalone)
+        method_args=(--standalone)
+        ;;
+    webroot)
+        method_args=(--webroot --webroot-path=/var/lib/zulip/certbot-webroot/)
+        ;;
+    *)
+        usage
+        ;;
+esac
+
 set -x

 CERTBOT_PATH="/usr/local/sbin/certbot-auto"
@ -51,7 +69,7 @@ CERTBOT_PATH="/usr/local/sbin/certbot-auto"
 wget -q https://dl.eff.org/certbot-auto -O "$CERTBOT_PATH"
 chmod a+x "$CERTBOT_PATH"

-"$CERTBOT_PATH" --standalone certonly -d "$DOMAIN" -m "$EMAIL" --agree-tos --non-interactive
+"$CERTBOT_PATH" certonly "${method_args[@]}" -d "$DOMAIN" -m "$EMAIL" --agree-tos --non-interactive

 symlink_with_backup() {
    if [ -e "$2" ]; then
@ -67,6 +85,12 @@ CERT_DIR=/etc/letsencrypt/live/"$DOMAIN"
 symlink_with_backup "$CERT_DIR"/privkey.pem /etc/ssl/private/zulip.key
 symlink_with_backup "$CERT_DIR"/fullchain.pem /etc/ssl/certs/zulip.combined-chain.crt

+case "$method" in
+    webroot)
+        service nginx reload
+        ;;
+esac
+
 if [ -z "$no_zulip_conf" ]; then
    crudini --set /etc/zulip/zulip.conf certbot auto_renew yes
 fi