From 06012127e992eedb9657c3251b109257e4c6eed1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?=
Date: Wed, 2 Dec 2020 10:38:10 +0100
Subject: [PATCH] web: replace certbot with acme.sh
The former seems to be in a pretty bad state for usage with Debian based containers: - The Debian provided package is too old - certbot-auto no longer works on Debian - The recommended way of using snap is not Docker friendly Thus, we are migrating to acme.sh, which has the advantage of also making the web container slimmer.
---
docker-compose.yml | 2 +-
env.example | 3 ++
web/Dockerfile | 11 ++----
web/rootfs/defaults/letsencrypt-renew | 10 ------
web/rootfs/defaults/ssl.conf | 4 +--
web/rootfs/etc/cont-init.d/10-config | 52 ++++++++++++++++-----------
6 files changed, 40 insertions(+), 42 deletions(-)
delete mode 100755 web/rootfs/defaults/letsencrypt-renew
diff --git a/docker-compose.yml b/docker-compose.yml
index 3e67d4b..0df3426 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,7 +10,6 @@ services: - '${HTTPS_PORT}:443' volumes: - ${CONFIG}/web:/config:Z - - ${CONFIG}/web/letsencrypt:/etc/letsencrypt:Z - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z environment: - ENABLE_LETSENCRYPT
@@ -19,6 +18,7 @@ services: - DISABLE_HTTPS - LETSENCRYPT_DOMAIN - LETSENCRYPT_EMAIL + - LETSENCRYPT_USE_STAGING - PUBLIC_URL - TZ - AMPLITUDE_ID
diff --git a/env.example b/env.example
index dc7a119..6216b49 100644
--- a/env.example
+++ b/env.example
@@ -71,6 +71,9 @@ TZ=UTC
# E-Mail for receiving important account notifications (mandatory)
#LETSENCRYPT_EMAIL=alice@atlanta.net
+# Use the staging server (for avoiding rate limits while testing)
+#LETSENCRYPT_USE_STAGING=1
+
#
# Etherpad integration (for document sharing)
diff --git a/web/Dockerfile b/web/Dockerfile
index 6099d37..4018366 100644
--- a/web/Dockerfile
+++ b/web/Dockerfile
@@ -1,13 +1,12 @@
ARG JITSI_REPO=jitsi
FROM ${JITSI_REPO}/base
-ADD https://dl.eff.org/certbot-auto /usr/local/bin/
-
+ADD https://raw.githubusercontent.com/acmesh-official/acme.sh/2.8.8/acme.sh /opt
COPY rootfs/ /
RUN \
apt-dpkg-wrap apt-get update && \
- apt-dpkg-wrap apt-get install -y cron nginx-extras jitsi-meet-web python3-venv && \
+ apt-dpkg-wrap apt-get install -y cron nginx-extras jitsi-meet-web socat && \
apt-dpkg-wrap apt-get -d install -y jitsi-meet-web-config && \
dpkg -x /var/cache/apt/archives/jitsi-meet-web-config*.deb /tmp/pkg && \
mv /tmp/pkg/usr/share/jitsi-meet-web-config/config.js /defaults && \
@@ -16,10 +15,6 @@ RUN \
apt-cleanup && \
rm -rf /tmp/pkg /var/cache/apt
-RUN \
- chmod a+x /usr/local/bin/certbot-auto && \
- USE_PYTHON_3=1 certbot-auto --noninteractive --install-only --no-bootstrap
-
EXPOSE 80 443
-VOLUME ["/config", "/etc/letsencrypt", "/usr/share/jitsi-meet/transcripts"]
+VOLUME ["/config", "/usr/share/jitsi-meet/transcripts"]
diff --git a/web/rootfs/defaults/letsencrypt-renew b/web/rootfs/defaults/letsencrypt-renew
deleted file mode 100755
index 76a3a5d..0000000
--- a/web/rootfs/defaults/letsencrypt-renew
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-# stop nginx
-s6-svc -d /var/run/s6/services/nginx
-
-# renew cert
-certbot-auto --no-self-upgrade -n renew >> /config/le-renew.log
-
-# start nginx
-s6-svc -u /var/run/s6/services/nginx
diff --git a/web/rootfs/defaults/ssl.conf b/web/rootfs/defaults/ssl.conf
index af73a5e..6d479a1 100644
--- a/web/rootfs/defaults/ssl.conf
+++ b/web/rootfs/defaults/ssl.conf
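Review bot: The new `ADD https://raw.githubusercontent.com/acmesh-official/acme.sh/2.8.8/acme.sh /opt` line pulls in a script that 10-config later runs as root, yet nothing verifies what was downloaded; the tag pins a version, but a git tag can be moved, so the build trusts whatever that URL serves at build time. Pin the commit hash in the URL instead of the tag, or follow the ADD with a check such as `RUN echo "<EXPECTED_SHA256_PLACEHOLDER>  /opt/acme.sh" | sha256sum -c -` so an altered upstream file fails the build rather than the running container. It may also be clearer to write the destination as `/opt/` with a trailing slash, since the install step in 10-config expects the file at /opt/acme.sh.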
@@ -5,8 +5,8 @@ ssl_session_tickets off;
# ssl certs
{{ if .Env.ENABLE_LETSENCRYPT | default "0" | toBool }}
-ssl_certificate /etc/letsencrypt/live/{{ .Env.LETSENCRYPT_DOMAIN }}/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/{{ .Env.LETSENCRYPT_DOMAIN }}/privkey.pem;
+ssl_certificate /etc/nginx/acme/{{ .Env.LETSENCRYPT_DOMAIN }}/fullchain.pem;
+ssl_certificate_key /etc/nginx/acme/{{ .Env.LETSENCRYPT_DOMAIN }}/key.pem;
{{ else }}
ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key;
diff --git a/web/rootfs/etc/cont-init.d/10-config b/web/rootfs/etc/cont-init.d/10-config
index 194684d..069b666 100644
--- a/web/rootfs/etc/cont-init.d/10-config
+++ b/web/rootfs/etc/cont-init.d/10-config
@@ -10,17 +10,25 @@ mkdir -p \
# generate keys (maybe)
if [[ $DISABLE_HTTPS -ne 1 ]]; then
if [[ $ENABLE_LETSENCRYPT -eq 1 ]]; then
- if [[ ! -f /etc/letsencrypt/live/$LETSENCRYPT_DOMAIN/fullchain.pem ]]; then
- if ! certbot-auto \
- certonly \
- --no-self-upgrade \
- --noninteractive \
- --standalone \
- --preferred-challenges http \
- -d $LETSENCRYPT_DOMAIN \
- --agree-tos \
- --email $LETSENCRYPT_EMAIL ; then
-
+ if [[ ! -f /config/acme.sh/acme.sh ]]; then
+ mkdir /config/acme.sh
+ pushd /opt
+ sh ./acme.sh --install --home /config/acme.sh --accountemail $LETSENCRYPT_EMAIL
+ popd
+ fi
+ if [[ ! -f /etc/nginx/acme/$LETSENCRYPT_DOMAIN/fullchain.pem ]]; then
+ STAGING=""
+ if [[ $LETSENCRYPT_USE_STAGING -eq 1 ]]; then
+ STAGING="--staging"
+ fi
+ # TODO: move away from standalone mode to webroot mode.
+ if ! /config/acme.sh/acme.sh \
+ $STAGING \
+ --issue \
+ --standalone \
+ --pre-hook "if [[ -f /var/run/s6/services/nginx ]]; then s6-svc -d /var/run/s6/services/nginx; fi" \
+ --post-hook "if [[ -f /var/run/s6/services/nginx ]]; then s6-svc -u /var/run/s6/services/nginx; fi" \
+ -d $LETSENCRYPT_DOMAIN ; then
echo "Failed to obtain a certificate from the Let's Encrypt CA."
# this tries to get the user's attention and to spare the
# authority's rate limit:
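Review bot: Because /etc/nginx/acme is not in the Dockerfile's VOLUME list, the `! -f /etc/nginx/acme/$LETSENCRYPT_DOMAIN/fullchain.pem` guard is true on every container start, so `--issue` is re-run at each boot rather than once; as far as I recall acme.sh answers an already-valid certificate with its skip exit status (2) instead of 0, which this `if !` would treat as a failure and `exit 1`, so the issue step should tolerate that status or be skipped when the certificate already exists under /config/acme.sh. Separately, the pre/post hooks test the s6 service with `-f`, but `/var/run/s6/services/nginx` is a service directory (the deleted renew script passes that same path to `s6-svc -d`), so the test is never true and nginx is not stopped before the standalone listener tries to bind port 80 at renewal time; the hooks also use `[[`, which acme.sh evaluates in its own POSIX shell where it is likely unavailable. I would write them as `--pre-hook "if [ -d /var/run/s6/services/nginx ]; then s6-svc -d /var/run/s6/services/nginx; fi"` and the matching `-u` form for the post-hook. `$LETSENCRYPT_EMAIL` and `$LETSENCRYPT_DOMAIN` are unquoted on the new lines, and the optional flag is cleaner as an array (`STAGING=()`, `STAGING=(--staging)`, `"${STAGING[@]}"`) so quoting does not introduce an empty argument. The enclosing `if [[ $ENABLE_LETSENCRYPT -eq 1 ]]` block continues past the end of this hunk.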
@@ -28,16 +36,18 @@ if [[ $DISABLE_HTTPS -ne 1 ]]; then
echo "Exiting."
exit 1
fi
- fi
-
- # remove default certbot renewal
- if [[ -f /etc/cron.d/certbot ]]; then
- rm /etc/cron.d/certbot
- fi
-
- # setup certbot renewal script
- if [[ ! -f /etc/cron.daily/letencrypt-renew ]]; then
- cp /defaults/letsencrypt-renew /etc/cron.daily/
+ mkdir -p /etc/nginx/acme/$LETSENCRYPT_DOMAIN
+ if ! /config/acme.sh/acme.sh \
+ --install-cert -d $LETSENCRYPT_DOMAIN \
+ --key-file /etc/nginx/acme/$LETSENCRYPT_DOMAIN/key.pem \
+ --fullchain-file /etc/nginx/acme/$LETSENCRYPT_DOMAIN/fullchain.pem ; then
+ echo "Failed to install certificate."
+ # this tries to get the user's attention and to spare the
+ # authority's rate limit:
+ sleep 15
+ echo "Exiting."
+ exit 1
+ fi
fi
else
# use self-signed certs
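Review bot: The `--install-cert` call passes no `--reloadcmd`, so when acme.sh's cron renewal re-copies key.pem and fullchain.pem into /etc/nginx/acme the running nginx keeps serving the old certificate until it happens to be restarted; adding `--reloadcmd "s6-svc -h /var/run/s6/services/nginx"` (nginx reloads its certificates on HUP) closes that gap regardless of whether the standalone pre/post hooks stop and start the service. The comment copied from the issue branch, `# this tries to get the user's attention and to spare the authority's rate limit:`, does not fit here because `--install-cert` only copies local files and never contacts the CA; I would keep the attention-getting sleep and drop the rate-limit clause. `$LETSENCRYPT_DOMAIN` is unquoted in the four new lines that use it. The enclosing `if [[ ! -f /etc/nginx/acme/$LETSENCRYPT_DOMAIN/fullchain.pem ]]` block opens in the previous hunk.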