install --self-signed-cert: Generate our own, rather than use system's.

This gives us just one way of adopting a self-signed cert, rather than
one script which would generate a new one and an option to another
which would symlink to the system's snakeoil cert.  Now those two
codepaths converge, and do the same thing.

The small advantage of generating our own over the alternative is that
it lets us set the name in the cert to EXTERNAL_HOST, rather than the
system's hostname as embedded in the system snakeoil certs.  Not a big
deal, but might make things go slightly smoother if some browsers are
lenient (in a way that they probably shouldn't be.)

scripts/lib/install

@@ -8,10 +8,8 @@ Usage:
   install --help
 
 Other options:
-  --certbot
+  --certbot (requires --hostname and --email)
   --self-signed-cert
-
-If --certbot is used, --hostname and --email are required.
 EOF
     exit 0
 };
@@ -54,6 +52,12 @@ if [ -n "$show_help" ]; then
     usage
 fi
 
+if [ -n "$SELF_SIGNED_CERT" ] && [ -n "$USE_CERTBOT" ]; then
+    echo "error: --self-signed-cert and --certbot are incompatible" >&2
+    echo >&2
+    usage
+fi
+
 if [ -n "$USE_CERTBOT" ] \
        && { [ -z "$EXTERNAL_HOST" ] || [ -z "$ZULIP_ADMINISTRATOR" ]; }; then
     usage
@@ -186,10 +190,8 @@ fi
 apt-get -y upgrade
 
 if [ "$has_nginx" = 0 ]; then
-    if [ -n "$SELF_SIGNED_CERT" ] && ! [ -e "/etc/ssl/private/zulip.key" ]; then
-        apt-get install -y openssl ssl-cert
-        ln -nsf /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/zulip.combined-chain.crt
-        ln -nsf /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/zulip.key
+    if [ -n "$SELF_SIGNED_CERT" ]; then
+        "$ZULIP_PATH"/scripts/setup/generate-self-signed-cert --exists-ok "${EXTERNAL_HOST:-$(hostname)}"
     fi
 
     # Check nginx was configured properly now that we've installed it.

scripts/setup/generate-self-signed-cert

@@ -2,16 +2,17 @@
 set -e
 
 usage() {
-    echo "usage: $0 [--force] EXTERNAL_HOST" >&2
+    echo "usage: $0 [--force] [--exists-ok] EXTERNAL_HOST" >&2
     exit 1
 }
 
-args="$(getopt -o '' --long help,force -- "$@")"
+args="$(getopt -o '' --long help,force,exists-ok -- "$@")"
 eval "set -- $args"
 while true; do
     case "$1" in
         --help) usage;;
         --force) FORCE=1; shift;;
+        --exists-ok) EXISTS_OK=1; shift;;
         --) shift; break;;
         *) usage;;
     esac
@@ -32,6 +33,10 @@ set -x
 KEYFILE=/etc/ssl/private/zulip.key
 CERTFILE=/etc/ssl/certs/zulip.combined-chain.crt
 
+if [ -n "$EXISTS_OK" ] && [ -e "$KEYFILE" -a -e "$CERTFILE" ]; then
+    exit 0
+fi
+
 if [ -z "$FORCE" ] && [ -e "$KEYFILE" -o -e "$CERTFILE" ]; then
     echo "$0: certificate and/or key already exists; use --force to overwrite." >&2
     exit 1