setup: Add certbot support.

The task is to generate a self-signed cert so Zulip can be started, then to wait until Zulip is up before using certbot to generate new certs. Zulip needs to be up so it can meet certbot's challenge. Using a deploy hook, certs are persisted in the data directory. The same applies to renewal. Tweaked by tabbott mostly to edit comments remove an unnecessary setting before merging. Fixes #120.
2025-10-23 04:51:58 +00:00 · 2018-07-22 11:55:07 -07:00
parent e8526c2208
commit 3b5d63b9ba
4 changed files with 77 additions and 10 deletions
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -168,12 +168,18 @@ configureCerts() {
            ;;
    esac
    if [ ! -e "$DATA_DIR/certs/zulip.key" ] && [ ! -e "$DATA_DIR/certs/zulip.combined-chain.crt" ]; then
+
        if [ "$GENERATE_CERTBOT_CERT" = "True" ]; then
-            echo "Certbot not yet supported"
-            exit 1
-            # TODO: Run setup-certbot and move /etc/letsencrypt to the data dir?
-            # /home/zulip/deployments/current/setup/setup-certbot "$SETTING_EXTERNAL_HOST"
-        elif [ "$GENERATE_SELF_SIGNED_CERT" = "True" ]; then
+            # Zulip isn't yet running, so the certbot's challenge can't be met.
+            # We'll schedule this for later.
+            echo "Scheduling LetsEncrypt cert generation ..."
+            GENERATE_CERTBOT_CERT_SCHEDULED=True
+
+            # Generate self-signed certs just to get Zulip going.
+            GENERATE_SELF_SIGNED_CERT=True
+        fi
+
+        if [ "$GENERATE_SELF_SIGNED_CERT" = "True" ]; then
            echo "Generating self-signed certificates ..."
            mkdir -p "$DATA_DIR/certs"
            /home/zulip/deployments/current/scripts/setup/generate-self-signed-cert "$SETTING_EXTERNAL_HOST"
@@ -407,12 +413,43 @@ runPostSetupScripts() {
    set -e
    echo "Post setup scripts execution succeeded."
 }
+function runCertbotAsNeeded() {
+    if [ ! "$GENERATE_CERTBOT_CERT_SCHEDULED" = "True" ]; then
+        echo "Certbot is not scheduled to run."
+        return
+    fi
+
+    echo "Waiting for nginx to come online before generating certbot certificate ..."
+    while ! curl -sk "$SETTING_EXTERNAL_HOST" >/dev/null 2>&1; do
+        sleep 1;
+    done
+
+    echo "Generating LetsEncrypt/certbot certificate ..."
+
+    # Remove the self-signed certs which were only needed to get Zulip going.
+    rm -f "$DATA_DIR"/certs/zulip.key "$DATA_DIR"/certs/zulip.combined-chain.crt
+
+    ZULIP_CERTBOT_DEPLOY_HOOK="/sbin/certbot-deploy-hook"
+
+    # Accept the terms of service automatically.
+    /home/zulip/deployments/current/scripts/setup/setup-certbot \
+        --agree-tos \
+        --hostname="$SETTING_EXTERNAL_HOST" \
+        --email="$SETTING_ZULIP_ADMINISTRATOR" \
+        --deploy-hook "$ZULIP_CERTBOT_DEPLOY_HOOK"
+
+    echo "LetsEncrypt cert generated."
+}
 bootstrappingEnvironment() {
    echo "=== Begin Bootstrap Phase ==="
    waitingForDatabase
    zulipFirstStartInit
    zulipMigration
    runPostSetupScripts
+    # Hack: We run this in the background, since we need nginx to be
+    # started before we can create the certificate.  See #142 for
+    # details on how we can clean this up.
+    runCertbotAsNeeded &
    echo "=== End Bootstrap Phase ==="
 }
 # END appRun functions