certbot: Switch to use certbot from apt.

certbot-auto doesn’t work on Ubuntu 20.04, and won’t be updated; we migrate to instead using the certbot package shipped with the OS instead. Also made sure that sure certbot gets installed when running zulip-puppet-apply, to handle existing systems.
2020-05-21 02:06:50 +05:30 · 2020-05-21 02:06:50 +05:30 · 9e8f1aacb3
parent 7e75a7e336
commit 9e8f1aacb3
3 changed files with 23 additions and 11 deletions
--- a/puppet/zulip/manifests/nginx.pp
+++ b/puppet/zulip/manifests/nginx.pp
@ -95,6 +95,13 @@ class zulip::nginx {
    mode   => '0650'
  }

+  $certbot_auto_renew = zulipconf('cerbot', 'auto_renew', '')
+  if $certbot_auto_renew == 'yes' {
+    package { 'certbot':
+      ensure => 'installed',
+    }
+  }
+
  file { ['/var/lib/zulip', '/var/lib/zulip/certbot-webroot']:
    ensure => 'directory',
    owner  => 'zulip',
--- a/scripts/lib/certbot-maybe-renew
+++ b/scripts/lib/certbot-maybe-renew
@ -17,6 +17,6 @@ fi

 deploy_hook="${ZULIP_CERTBOT_DEPLOY_HOOK:-service nginx reload}"

-/usr/local/sbin/certbot-auto renew --quiet \
+certbot renew --quiet \
  --webroot --webroot-path=/var/lib/zulip/certbot-webroot/ \
  --deploy-hook "$deploy_hook"
--- a/scripts/setup/setup-certbot
+++ b/scripts/setup/setup-certbot
@ -81,23 +81,28 @@ case "$method" in
        ;;
 esac

+# Check for a supported OS release.
+if [ -f /etc/os-release ]; then
+    os_info="$(. /etc/os-release; printf '%s\n' "$ID" "$ID_LIKE")"
+    { read -r os_id; read -r os_id_like|| true; } <<< "$os_info"
+fi
+
 set -x

-CERTBOT_PATH="/usr/local/sbin/certbot-auto"
-# For reference https://certbot.eff.org/all-instructions/#debian-other-nginx
-wget -q https://dl.eff.org/certbot-auto -O "$CERTBOT_PATH"
-chmod a+x "$CERTBOT_PATH"
+case " $os_id $os_id_like " in
+    *' debian '*)
+        apt-get install -y certbot
+        ;;
+    *' rhel '*)
+        yum install -y certbot
+        ;;
+esac

-# First, we install the OS packages with --quiet, to suppress `apt`
-# prompting the user for input.  This can't be part of the same
-# invocation as gets the certs, since `certonly --quiet --force-interactive`
-# rejects the Certbot ToS, causing Certbot to fail.
-"$CERTBOT_PATH" --os-packages-only --quiet
 # We don't use --no-interactive, because certbot needs to ask the user
 # to agree to the Let's Encrypt Subscriber Agreement (aka ToS).
 # Passing --force-interactive suppresses a warning, but also brings up
 # an annoying prompt we stifle with --no-eff-email.
-"$CERTBOT_PATH" certonly "${method_args[@]}" \
+certbot certonly "${method_args[@]}" \
                "${HOSTNAMES[@]}" -m "$EMAIL" \
                $agree_tos \
                "${deploy_hook[@]}" \