mirror of
https://github.com/zulip/zulip.git
synced 2025-11-03 21:43:21 +00:00
95ba947f13
This commit allows specifying Subject Alternative Names to issue certs for multiple domains using certbot. The first name passed to certbot-auto becomes the common name for the certificate; common name and the other names are then added to the SAN field. All of these arguments are now positional. Also read the following for the certbot syntax reference: https://community.letsencrypt.org/t/how-to-specify-subject-name-on-san/ Fixes #10674.
135 lines
3.4 KiB
Bash
Executable File
135 lines
3.4 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
set -e
|
|
|
|
usage() {
|
|
cat <<EOF >&2
|
|
Usage: $0 --email=admin@example.com [--method={webroot|standalone}] \
|
|
[--no-zulip-conf] hostname.example.com [another.example.com]
|
|
EOF
|
|
exit 1
|
|
}
|
|
|
|
if [ "$EUID" -ne 0 ]; then
|
|
echo "Error: This script must be run as root" >&2
|
|
exit 1
|
|
fi
|
|
|
|
method=webroot
|
|
args="$(getopt -o '' --long help,email:,method:,deploy-hook:,no-zulip-conf,agree-tos -n "$0" -- "$@")"
|
|
eval "set -- $args"
|
|
while true; do
|
|
case "$1" in
|
|
--email)
|
|
EMAIL="$2"
|
|
shift
|
|
shift
|
|
;;
|
|
--method)
|
|
method="$2"
|
|
shift
|
|
shift
|
|
;;
|
|
--deploy-hook)
|
|
deploy_hook=(--deploy-hook "$2")
|
|
shift
|
|
shift
|
|
;;
|
|
--agree-tos)
|
|
agree_tos=--agree-tos
|
|
shift
|
|
;;
|
|
--no-zulip-conf)
|
|
no_zulip_conf=1
|
|
shift
|
|
;;
|
|
--help)
|
|
show_help=1
|
|
shift
|
|
;;
|
|
--)
|
|
shift
|
|
break
|
|
;;
|
|
esac
|
|
done
|
|
|
|
# Parse the remaining arguments as Subject Alternative Names to pass to certbot
|
|
HOSTNAMES=()
|
|
for arg; do
|
|
HOSTNAMES+=(-d "$arg")
|
|
done
|
|
DOMAIN=$1
|
|
|
|
if [ -n "$show_help" ]; then
|
|
usage
|
|
fi
|
|
|
|
if [ -z "$DOMAIN" ] || [ -z "$EMAIL" ]; then
|
|
usage
|
|
fi
|
|
|
|
case "$method" in
|
|
standalone)
|
|
method_args=(--standalone)
|
|
;;
|
|
webroot)
|
|
method_args=(--webroot '--webroot-path=/var/lib/zulip/certbot-webroot/')
|
|
;;
|
|
*)
|
|
usage
|
|
;;
|
|
esac
|
|
|
|
set -x
|
|
|
|
CERTBOT_PATH="/usr/local/sbin/certbot-auto"
|
|
# For reference https://certbot.eff.org/all-instructions/#debian-other-nginx
|
|
wget -q https://dl.eff.org/certbot-auto -O "$CERTBOT_PATH"
|
|
chmod a+x "$CERTBOT_PATH"
|
|
|
|
# First, we install the OS packages with --quiet, to suppress `apt`
|
|
# prompting the user for input. This can't be part of the same
|
|
# invocation as gets the certs, since `certonly --quiet --force-interactive`
|
|
# rejects the Certbot ToS, causing Certbot to fail.
|
|
"$CERTBOT_PATH" --os-packages-only --quiet
|
|
# We don't use --no-interactive, because certbot needs to ask the user
|
|
# to agree to the Let's Encrypt Subscriber Agreement (aka ToS).
|
|
# Passing --force-interactive suppresses a warning, but also brings up
|
|
# an annoying prompt we stifle with --no-eff-email.
|
|
"$CERTBOT_PATH" certonly "${method_args[@]}" \
|
|
"${HOSTNAMES[@]}" -m "$EMAIL" \
|
|
$agree_tos --force-renewal \
|
|
"${deploy_hook[@]}" \
|
|
--force-interactive --no-eff-email
|
|
|
|
symlink_with_backup() {
|
|
if [ -e "$2" ]; then
|
|
# If the user is setting up our automatic certbot-management on a
|
|
# system that already has certs for Zulip, use some extra caution
|
|
# to keep the old certs available.
|
|
mv -f --backup=numbered "$2" "$2".setup-certbot || true
|
|
fi
|
|
ln -nsf "$1" "$2"
|
|
}
|
|
|
|
if [ ${#deploy_hook} -eq 0 ]; then
|
|
# If no deploy hook was specified, assume we're deploying to the default
|
|
# location Zulip wants.
|
|
CERT_DIR=/etc/letsencrypt/live/"$DOMAIN"
|
|
symlink_with_backup "$CERT_DIR"/privkey.pem /etc/ssl/private/zulip.key
|
|
symlink_with_backup "$CERT_DIR"/fullchain.pem /etc/ssl/certs/zulip.combined-chain.crt
|
|
fi
|
|
|
|
case "$method" in
|
|
webroot)
|
|
service nginx reload
|
|
;;
|
|
esac
|
|
|
|
if [ -z "$no_zulip_conf" ]; then
|
|
crudini --set /etc/zulip/zulip.conf certbot auto_renew yes
|
|
fi
|
|
|
|
echo "Certbot SSL certificate configuration succeeded."
|