puppet: Only fix certbot certificates if https is enabled.

This is a reprise of c97162e485, but for the case where certbot
certs are no longer in use by way of enabling `http_only` and letting
another server handle TLS termination.

Fixes: #22034.

puppet/zulip/manifests/profile/app_frontend.pp

@@ -60,14 +60,16 @@ class zulip::profile::app_frontend {
     source  => 'puppet:///modules/zulip/letsencrypt/nginx-deploy-hook.sh',
     require => Package[certbot],
   }
-  exec { 'fix-standalone-certbot':
+  if ! $nginx_http_only {
-    onlyif  => @(EOT),
+      exec { 'fix-standalone-certbot':
-      test -L /etc/ssl/certs/zulip.combined-chain.crt &&
+        onlyif  => @(EOT),
-      readlink /etc/ssl/certs/zulip.combined-chain.crt | grep -q /etc/letsencrypt/live/ &&
+          test -L /etc/ssl/certs/zulip.combined-chain.crt &&
-      test -d /etc/letsencrypt/renewal &&
+          readlink /etc/ssl/certs/zulip.combined-chain.crt | grep -q /etc/letsencrypt/live/ &&
-      grep -qx "authenticator = standalone" /etc/letsencrypt/renewal/*.conf
+          test -d /etc/letsencrypt/renewal &&
-      | EOT
+          grep -qx "authenticator = standalone" /etc/letsencrypt/renewal/*.conf
-    command => "${::zulip_scripts_path}/lib/fix-standalone-certbot",
+          | EOT
+        command => "${::zulip_scripts_path}/lib/fix-standalone-certbot",
+      }
   }
 
   # Restart the server regularly to avoid potential memory leak problems.