#!/usr/bin/env bash
# Request a certificate for a Zulip server via certbot (see the
# "certbot certonly" invocation at the bottom of this script).
# Abort on the first failing command.  Neither -u nor pipefail is enabled,
# so variables that were never assigned (EMAIL, show_help, ...) expand to
# the empty string further down.
set -o errexit
# Print a usage summary to stderr and exit with status 1.
# The heredoc delimiter is unquoted, so "$0" expands to the script name and
# the trailing backslash on the first line is a line continuation: the two
# source lines are emitted as a single line of output.
usage() {
    cat <<EOF >&2
Usage: $0 --email=admin@example.com [--method={webroot|standalone}] \
hostname.example.com [another.example.com]
EOF
    exit 1
}
# certbot writes under /etc/letsencrypt and the deploy hooks are run
# directly, so refuse to continue unless running as root.
if (( EUID != 0 )); then
    printf '%s\n' "Error: This script must be run as root" >&2
    exit 1
fi
# Parse the long options with util-linux getopt; whatever remains after
# "--" (the hostnames) is left in "$@" for the caller.  Because this is a
# plain assignment, its exit status is that of the command substitution, so
# under `set -e` a getopt error (e.g. an unknown option) aborts the script
# here after getopt has printed its own diagnostic.
method=webroot
agree_tos=()
args="$(getopt -o '' --long help,email:,method:,agree-tos -n "$0" -- "$@")"
# getopt prints a shell-quoted word list; eval is the documented way to
# turn it back into the positional parameters.
eval "set -- $args"
while :; do
    case "$1" in
        --email)
            EMAIL=$2
            shift 2
            ;;
        --method)
            method=$2
            shift 2
            ;;
        --agree-tos)
            # Passed straight through to certbot to accept the CA's terms.
            agree_tos=(--agree-tos)
            shift
            ;;
        --help)
            show_help=1
            shift
            ;;
        --)
            shift
            break
            ;;
    esac
done
# Every remaining positional argument becomes a -d (Subject Alternative
# Name) argument for certbot; the first one is also treated as the primary
# domain below.
HOSTNAMES=()
for hostname_arg in "$@"; do
    HOSTNAMES+=(-d "$hostname_arg")
done
DOMAIN=$1

# --help, or a missing domain or e-mail address, prints usage and exits.
if [[ -n "$show_help" || -z "$DOMAIN" || -z "$EMAIL" ]]; then
    usage
fi
# Map --method onto certbot's challenge arguments.  The webroot path is
# Zulip's fixed certbot webroot directory; any method other than the two
# known ones is a usage error.
case "$method" in
    webroot)
        method_args=(--webroot --webroot-path=/var/lib/zulip/certbot-webroot/)
        ;;
    standalone)
        method_args=(--standalone --no-directory-hooks)
        ;;
    *)
        usage
        ;;
esac
# When stdin is not a terminal, default to keeping an existing certificate
# that is still valid rather than burning a renewal.  Interactively, certbot
# prompts instead.
default_keep=()
if ! [ -t 0 ]; then
    default_keep=(--keep-until-expiring)
fi

# The symlink deploy hook needs to know _which_ domain is Zulip's, so it is
# passed down via the environment.
export ZULIP_DOMAIN="$DOMAIN"

# Certbot does not run deploy hooks on new certificates
# (certbot/certbot#9978).  An existing live/ directory means this is a
# renewal and certbot runs the hooks itself; otherwise they are faked after
# issuance.
needs_hooks=1
if [ -d "/etc/letsencrypt/live/$DOMAIN/" ]; then
    needs_hooks=0
fi
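# Request the certificate.  All argument arrays are expanded quoted, so an
# empty one (e.g. agree_tos when --agree-tos was not given) contributes
# nothing to the command line.
certbot certonly "${method_args[@]}" \
    "${HOSTNAMES[@]}" -m "$EMAIL" \
    "${agree_tos[@]}" \
    "${default_keep[@]}" \
    --no-eff-email

# "certbot certonly" before version 3.2.0 does not run deploy hooks,
# so we fake running them.
if [ "$needs_hooks" = "1" ]; then
    # certbot exposes the renewed domains to hooks space-separated, which
    # is what "$*" produces with the default IFS.
    # NOTE(review): certbot also sets RENEWED_LINEAGE for real deploy
    # hooks; it is not set here -- confirm the hooks only rely on
    # RENEWED_DOMAINS / ZULIP_DOMAIN.
    export RENEWED_DOMAINS="$*"
    if [ "$method" == "webroot" ]; then
        for deploy_hook in /etc/letsencrypt/renewal-hooks/deploy/*; do
            # An empty hook directory leaves the literal glob pattern in
            # deploy_hook; executing it would fail and `set -e` would abort
            # the script after the certificate was already issued.  certbot
            # itself only runs executable regular files from this directory,
            # so skip anything else the same way.
            [[ -f "$deploy_hook" && -x "$deploy_hook" ]] || continue
            "$deploy_hook"
        done
    fi
fi
echo "Certbot SSL certificate configuration succeeded."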