install: Replace our generate-self-signed-certs script.

Take the core of the logic from how Debian generates the system's
/etc/ssl/certs/ssl-cert-snakeoil.pem ; that gives me more confidence
in the various config choices, and it also demonstrates a much cleaner
way to use the `openssl` tool.  Also replace the outer shell logic for
CLI and logging with a cleaner version.

docs/THIRDPARTY

@@ -68,6 +68,15 @@ Files: puppet/zulip_internal/files/zulip-ec2-configure-interfaces
 Copyright: 2013-2017, Dropbox, Inc., Kandra Labs, Inc., and contributors
 License: Expat
 
+Files: scripts/setup/generate-self-signed-certs
+Copyright: 2003-2006 Thom May
+           2006 Fabio M. Di Nitto
+           2006 Adam Conrad
+           2006-2008 Tollef Fog Heen
+           2008-2015 Stefan Fritsch
+           2018 Kandra Labs, Inc., and contributors
+License: BSD-3-Clause
+
 Files: static/audio/zulip.*
 Copyright: 2011 Vidsyn
 License: CC-0-1.0

scripts/setup/generate-self-signed-certs

@@ -1,30 +1,75 @@
 #!/usr/bin/env bash
-
 set -e
+
+usage() {
+    echo "usage: $0 [--force] EXTERNAL_HOST" >&2
+    exit 1
+}
+
+args="$(getopt -o '' --long help,force -- "$@")"
+eval "set -- $args"
+while true; do
+    case "$1" in
+        --help) usage;;
+        --force) FORCE=1; shift;;
+        --) shift; break;;
+        *) usage;;
+    esac
+done
+EXTERNAL_HOST="$1"
+
+if [ -z "$EXTERNAL_HOST" ]; then
+    usage
+fi
+
 if [ "$EUID" -ne 0 ]; then
-    echo "Error: This script must be run as root" >&2
+    echo "error: this script must be run as root" >&2
     exit 1
 fi
 
-if [ -z "${1:-}" ]; then
-    echo "Usage: $0 <Zulip server name>" >&2
+set -x
+
+KEYFILE=/etc/ssl/private/zulip.key
+CERTFILE=/etc/ssl/certs/zulip.combined-chain.crt
+
+if [ -z "$FORCE" ] && [ -e "$KEYFILE" -o -e "$CERTFILE" ]; then
+    echo "$0: certificate and/or key already exists; use --force to overwrite." >&2
     exit 1
 fi
+rm -f "$KEYFILE" "$CERTFILE"
 
-SERVER_NAME="$1"
+config="$(mktemp)" || exit 1
+trap 'rm -f "$config"' EXIT
 
-echo "Executing certificates configuration..."
-if [ ! -e /etc/ssl/private/zulip.key ] && [ ! -e /etc/ssl/certs/zulip.combined-chain.crt ]; then
-    echo "SSL certificates for Zulip not found in /etc/ssl/."
-    echo "Autogenerating certificates ..."
-    apt-get install -y openssl
-    openssl genrsa -des3 -passout pass:x -out /tmp/server.pass.key 4096
-    openssl rsa -passin pass:x -in /tmp/server.pass.key -out /etc/ssl/private/zulip.key
-    openssl req -new -nodes -subj "/O=$SERVER_NAME" -key /etc/ssl/private/zulip.key -out /tmp/server.csr
-    openssl x509 -req -days 365 -in /tmp/server.csr -signkey /etc/ssl/private/zulip.key -out /etc/ssl/certs/zulip.combined-chain.crt
-    rm -f /tmp/server.csr /tmp/server.pass.key
-    echo "Generated new self-signed SSL certificates for Zulip."
-else
-    echo "SSL certificates for Zulip already exist in /etc/ssl/.  Skipping."
-fi
-echo "SSL certificate configuration succeeded."
+cat >"$config" <<EOF
+# Based on /usr/share/ssl-cert/ssleay.cnf from Debian's `ssl-cert`
+# package, which is used for the system's snakeoil cert in /etc/ssl/.
+
+RANDFILE            = /dev/urandom
+
+[ req ]
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+prompt              = no
+policy              = policy_anything
+req_extensions      = v3_req
+x509_extensions     = v3_req
+
+[ req_distinguished_name ]
+commonName          = $EXTERNAL_HOST
+
+[ v3_req ]
+basicConstraints    = CA:FALSE
+subjectAltName      = DNS:$EXTERNAL_HOST
+EOF
+
+apt-get install -y openssl
+
+# Based on /usr/sbin/make-ssl-cert from Debian's `ssl-cert` package.
+openssl req -new -x509 \
+        -config "$config" -days 3650 -nodes -sha256 \
+        -out "$CERTFILE" -keyout "$KEYFILE"
+
+chmod 644 "$CERTFILE"
+chmod 640 "$KEYFILE"
+chown zulip:zulip "$KEYFILE"