From 9e8f1aacb378ed18df9e90de8ca671e4d2382c47 Mon Sep 17 00:00:00 2001
From: arpit551
Date: Thu, 21 May 2020 02:06:50 +0530
Subject: [PATCH] certbot: Switch to use certbot from apt.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

certbot-auto doesn’t work on Ubuntu 20.04, and won’t be updated; we migrate to instead using the certbot package shipped with the OS instead. Also made sure that sure certbot gets installed when running zulip-puppet-apply, to handle existing systems.
---
 puppet/zulip/manifests/nginx.pp | 7 +++++++
 scripts/lib/certbot-maybe-renew | 2 +-
 scripts/setup/setup-certbot | 25 +++++++++++++++----------
 3 files changed, 23 insertions(+), 11 deletions(-)

diff --git a/puppet/zulip/manifests/nginx.pp b/puppet/zulip/manifests/nginx.pp
index 9105a1972f..58012ed8b8 100644
--- a/puppet/zulip/manifests/nginx.pp
+++ b/puppet/zulip/manifests/nginx.pp
@@ -95,6 +95,13 @@ class zulip::nginx {
 mode => '0650'
 }
 
+ $certbot_auto_renew = zulipconf('cerbot', 'auto_renew', '')
+ if $certbot_auto_renew == 'yes' {
+ package { 'certbot':
+ ensure => 'installed',
+ }
+ }
+
 file { ['/var/lib/zulip', '/var/lib/zulip/certbot-webroot']:
 ensure => 'directory',
 owner => 'zulip',
diff --git a/scripts/lib/certbot-maybe-renew b/scripts/lib/certbot-maybe-renew
index c3d1c5acb8..97999d2ebb 100755
--- a/scripts/lib/certbot-maybe-renew
+++ b/scripts/lib/certbot-maybe-renew
@@ -17,6 +17,6 @@ fi
 
 deploy_hook="${ZULIP_CERTBOT_DEPLOY_HOOK:-service nginx reload}"
 
-/usr/local/sbin/certbot-auto renew --quiet \
+certbot renew --quiet \
 --webroot --webroot-path=/var/lib/zulip/certbot-webroot/ \
 --deploy-hook "$deploy_hook"
diff --git a/scripts/setup/setup-certbot b/scripts/setup/setup-certbot
index 3f20400a7c..3ae4f10308 100755
--- a/scripts/setup/setup-certbot
+++ b/scripts/setup/setup-certbot
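Review bot: The section name passed to `zulipconf` on the new `$certbot_auto_renew` line is spelled `'cerbot'`, which looks like a typo for `'certbot'`; if the key in zulip.conf lives under `[certbot]`, the lookup always yields the `''` default, the `package { 'certbot': }` resource never applies, and the commit's stated goal of getting certbot installed on existing systems via zulip-puppet-apply is not met. I cannot see where setup-certbot writes that key from this diff, so please confirm against it; the fix would be `$certbot_auto_renew = zulipconf('certbot', 'auto_renew', '')`. Since the renewal script in this same commit now calls a bare `certbot`, a silent miss here would also break renewals rather than fail loudly.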
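Review bot: The new `certbot renew --quiet` line drops the absolute path the old `certbot-auto` invocation had and relies on whatever PATH the caller provides; if this script is driven from cron (the lines above the hunk are outside my view, so I cannot confirm), a minimal PATH or a package that never got installed turns into `command not found`, and `--quiet` leaves nothing in the output explaining why renewals stopped. A cheap guard before the invocation is `command -v certbot >/dev/null || { echo "certbot is not installed" >&2; exit 1; }`, or call the binary by the absolute path the distro package installs it to.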
@@ -81,23 +81,28 @@ case "$method" in
 ;;
 esac
 
+# Check for a supported OS release.
+if [ -f /etc/os-release ]; then
+ os_info="$(. /etc/os-release; printf '%s\n' "$ID" "$ID_LIKE")"
+ { read -r os_id; read -r os_id_like|| true; } <<< "$os_info"
+fi
+
 set -x
 
-CERTBOT_PATH="/usr/local/sbin/certbot-auto"
-# For reference https://certbot.eff.org/all-instructions/#debian-other-nginx
-wget -q https://dl.eff.org/certbot-auto -O "$CERTBOT_PATH"
-chmod a+x "$CERTBOT_PATH"
+case " $os_id $os_id_like " in
+ *' debian '*)
+ apt-get install -y certbot
+ ;;
+ *' rhel '*)
+ yum install -y certbot
+ ;;
+esac
 
-# First, we install the OS packages with --quiet, to suppress `apt`
-# prompting the user for input. This can't be part of the same
-# invocation as gets the certs, since `certonly --quiet --force-interactive`
-# rejects the Certbot ToS, causing Certbot to fail.
-"$CERTBOT_PATH" --os-packages-only --quiet
 # We don't use --no-interactive, because certbot needs to ask the user
 # to agree to the Let's Encrypt Subscriber Agreement (aka ToS).
 # Passing --force-interactive suppresses a warning, but also brings up
 # an annoying prompt we stifle with --no-eff-email.
-"$CERTBOT_PATH" certonly "${method_args[@]}" \
+certbot certonly "${method_args[@]}" \
 "${HOSTNAMES[@]}" -m "$EMAIL" \
 $agree_tos \
 "${deploy_hook[@]}" \
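Review bot: The new `case " $os_id $os_id_like " in` block has no default branch, so on a host with no /etc/os-release or with an ID/ID_LIKE outside debian/rhel it installs nothing and falls through to `certbot certonly`, which then dies with a bare `command not found` instead of telling the operator their OS is unsupported — the comment "Check for a supported OS release" promises a check that the code does not make. Add `*) echo "Unsupported OS: ${os_id:-unknown} (ID_LIKE=${os_id_like:-})" >&2; exit 1 ;;` before `esac`. Separately, `apt-get install -y certbot` runs without a preceding `apt-get update`, so on an image with a stale package index the install can fail, and the removed `--os-packages-only --quiet` rationale about suppressing apt prompts has no replacement, so `DEBIAN_FRONTEND=noninteractive` is worth considering if this path can run unattended. The certbot invocation at the end of the hunk continues past the last line shown.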