Commit
The task is to generate a self-signed cert so Zulip can be started, then to wait until Zulip is up before using certbot to generate new certs. Zulip needs to be up so it can meet certbot's challenge. Using a deploy hook, certs are persisted in the data directory. The same applies to renewal. Tweaked by tabbott mostly to edit comments and remove an unnecessary setting before merging. Fixes #120.
@@ -0,0 +1,29 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -euo pipefail | ||
|
||
backup() { | ||
if [ -e "$1" ]; then | ||
# If the user is setting up our automatic certbot-management on a | ||
# system that already has certs for Zulip, use some extra caution | ||
# to keep the old certs available. This naming is consistent with Zulip's | ||
# own setup-certbot backups. | ||
mv -f --backup=numbered "$1" "$1".setup-certbot || true | ||
fi | ||
} | ||
|
||
source_cert_dir=/etc/letsencrypt/live/"$SETTING_EXTERNAL_HOST" | ||
dest_cert_dir="$DATA_DIR"/certs | ||
|
||
# Persist the certs to the data directory. | ||
backup "$dest_cert_dir"/zulip.key | ||
backup "$dest_cert_dir"/zulip.combined-chain.crt | ||
cp -f "$source_cert_dir"/privkey.pem "$dest_cert_dir"/zulip.key | ||
cp -f "$source_cert_dir"/fullchain.pem "$dest_cert_dir"/zulip.combined-chain.crt | ||
|
||
# Ensure nginx can find them. | ||
ln -nsf "$dest_cert_dir"/zulip.key /etc/ssl/private/zulip.key | ||
ln -nsf "$dest_cert_dir"/zulip.combined-chain.crt /etc/ssl/certs/zulip.combined-chain.crt | ||
|
||
# Restart various services so the new certs can be used. | ||
supervisorctl restart nginx |
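Review bot: the private key copied by `cp -f "$source_cert_dir"/privkey.pem "$dest_cert_dir"/zulip.key` gets whatever mode the umask (for a new file) or the pre-existing destination file gives it, and nothing in the script sets one, so the copy under `$DATA_DIR/certs` can end up more widely readable than the original under `/etc/letsencrypt/live`. Suggest `install -m 0640 "$source_cert_dir"/privkey.pem "$dest_cert_dir"/zulip.key` in place of that `cp`, or a `chmod 0640` on the key right after it. Related: `mv -f --backup=numbered "$1" "$1".setup-certbot || true` in `backup()` discards a failed move, so under `set -e` the script continues and the following `cp -f` overwrites the old key with no backup taken; either drop the `|| true` or check the move succeeded before copying.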