setup-cerbot: Allow issuing certificates for multiple domains.

This commit allows specifying Subject Alternative Names to issue certs
for multiple domains using certbot. The first name passed to certbot-auto
becomes the common name for the certificate; common name and the other
names are then added to the SAN field. All of these arguments are now
positional. Also read the following for the certbot syntax reference:

https://community.letsencrypt.org/t/how-to-specify-subject-name-on-san/

Fixes #10674.

docs/production/ssl-certificates.md

@@ -72,6 +72,9 @@ The `--hostname` and `--email` options are required when using
 Zulip server machine to be reachable by that name from the public
 Internet.
 
+If you need to configure a multiple domain certificate, you can generate
+one as described in the section below after installing Zulip.
+
 [doc-install-script]: ../production/install.html#step-2-install-zulip
 
 ### After Zulip is already installed
@@ -80,11 +83,12 @@ To enable the Certbot automation on an already-installed Zulip
 server, run the following commands:
 ```
 sudo -s  # If not already root
-/home/zulip/deployments/current/scripts/setup/setup-certbot --hostname=HOSTNAME --email=EMAIL
+/home/zulip/deployments/current/scripts/setup/setup-certbot --email=EMAIL HOSTNAME [HOSTNAME2...]
 ```
 where HOSTNAME is the domain name users see in their browser when
 using the server (e.g., `zulip.example.com`), and EMAIL is a contact
-address for the server admins.
+address for the server admins. Additional hostnames can also be
+specified to issue a certificate for multiple domains.
 
 ### How it works
 

scripts/lib/install

@@ -161,7 +161,7 @@ fi
 if [ -n "$USE_CERTBOT" ]; then
     "$ZULIP_PATH"/scripts/setup/setup-certbot \
         --no-zulip-conf --method=standalone \
-        --hostname "$EXTERNAL_HOST" --email "$ZULIP_ADMINISTRATOR"
+        "$EXTERNAL_HOST" --email "$ZULIP_ADMINISTRATOR"
 elif [ -n "$SELF_SIGNED_CERT" ]; then
     "$ZULIP_PATH"/scripts/setup/generate-self-signed-cert \
         --exists-ok "${EXTERNAL_HOST:-$(hostname)}"

scripts/setup/setup-certbot

@@ -4,7 +4,8 @@ set -e
 
 usage() {
     cat <<EOF >&2
-Usage: $0 --hostname=zulip.example.com --email=admin@example.com [--method={webroot|standalone}] [--no-zulip-conf]
+Usage: $0 --email=admin@example.com [--method={webroot|standalone}] \
+[--no-zulip-conf] hostname.example.com [another.example.com]
 EOF
     exit 1
 }
@@ -15,15 +16,10 @@ if [ "$EUID" -ne 0 ]; then
 fi
 
 method=webroot
-args="$(getopt -o '' --long help,hostname:,email:,method:,deploy-hook:,no-zulip-conf,agree-tos -n "$0" -- "$@")"
+args="$(getopt -o '' --long help,email:,method:,deploy-hook:,no-zulip-conf,agree-tos -n "$0" -- "$@")"
 eval "set -- $args"
 while true; do
     case "$1" in
-        --hostname)
-            DOMAIN="$2"
-            shift
-            shift
-            ;;
         --email)
             EMAIL="$2"
             shift
@@ -52,11 +48,19 @@ while true; do
             shift
             ;;
         --)
+            shift
             break
             ;;
     esac
 done
 
+# Parse the remaining arguments as Subject Alternative Names to pass to certbot
+HOSTNAMES=()
+for arg; do
+    HOSTNAMES+=(-d "$arg")
+done
+DOMAIN=$1
+
 if [ -n "$show_help" ]; then
     usage
 fi
@@ -94,7 +98,7 @@ chmod a+x "$CERTBOT_PATH"
 # Passing --force-interactive suppresses a warning, but also brings up
 # an annoying prompt we stifle with --no-eff-email.
 "$CERTBOT_PATH" certonly "${method_args[@]}" \
-                -d "$DOMAIN" -m "$EMAIL" \
+                "${HOSTNAMES[@]}" -m "$EMAIL" \
                 $agree_tos --force-renewal \
                 "${deploy_hook[@]}" \
                 --force-interactive --no-eff-email