web: replace certbot with acme.sh

The former seems to be in a pretty bad state for usage with Debian based
containers:

- The Debian provided package is too old
- certbot-auto no longer works on Debian
- The recommended way of using snap is not Docker friendly

Thus, we are migrating to acme.sh, which has the advantage of also
making the web container slimmer.

docker-compose.yml

@@ -10,7 +10,6 @@ services:
             - '${HTTPS_PORT}:443'
         volumes:
             - ${CONFIG}/web:/config:Z
-            - ${CONFIG}/web/letsencrypt:/etc/letsencrypt:Z
             - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
         environment:
             - ENABLE_LETSENCRYPT
@@ -19,6 +18,7 @@ services:
             - DISABLE_HTTPS
             - LETSENCRYPT_DOMAIN
             - LETSENCRYPT_EMAIL
+            - LETSENCRYPT_USE_STAGING
             - PUBLIC_URL
             - TZ
             - AMPLITUDE_ID

env.example

@@ -71,6 +71,9 @@ TZ=UTC
 # E-Mail for receiving important account notifications (mandatory)
 #LETSENCRYPT_EMAIL=alice@atlanta.net
 
+# Use the staging server (for avoiding rate limits while testing)
+#LETSENCRYPT_USE_STAGING=1
+
 
 #
 # Etherpad integration (for document sharing)

web/Dockerfile

@@ -1,13 +1,12 @@
 ARG JITSI_REPO=jitsi
 FROM ${JITSI_REPO}/base
 
-ADD https://dl.eff.org/certbot-auto /usr/local/bin/
+ADD https://raw.githubusercontent.com/acmesh-official/acme.sh/2.8.8/acme.sh /opt
-
 COPY rootfs/ /
 
 RUN \
 	apt-dpkg-wrap apt-get update && \
-	apt-dpkg-wrap apt-get install -y cron nginx-extras jitsi-meet-web python3-venv && \
+	apt-dpkg-wrap apt-get install -y cron nginx-extras jitsi-meet-web socat && \
 	apt-dpkg-wrap apt-get -d install -y jitsi-meet-web-config && \
     dpkg -x /var/cache/apt/archives/jitsi-meet-web-config*.deb /tmp/pkg && \
     mv /tmp/pkg/usr/share/jitsi-meet-web-config/config.js /defaults && \
@@ -16,10 +15,6 @@ RUN \
 	apt-cleanup && \
 	rm -rf /tmp/pkg /var/cache/apt
 
-RUN \
-	chmod a+x /usr/local/bin/certbot-auto && \
-	USE_PYTHON_3=1 certbot-auto --noninteractive --install-only --no-bootstrap
-
 EXPOSE 80 443
 
-VOLUME ["/config", "/etc/letsencrypt", "/usr/share/jitsi-meet/transcripts"]
+VOLUME ["/config", "/usr/share/jitsi-meet/transcripts"]

web/rootfs/defaults/letsencrypt-renew

@@ -1,10 +0,0 @@
-#!/bin/bash
-
-# stop nginx
-s6-svc -d /var/run/s6/services/nginx
-
-# renew cert
-certbot-auto --no-self-upgrade -n renew >> /config/le-renew.log
-
-# start nginx
-s6-svc -u /var/run/s6/services/nginx

web/rootfs/defaults/ssl.conf

@@ -5,8 +5,8 @@ ssl_session_tickets off;
 
 # ssl certs
 {{ if .Env.ENABLE_LETSENCRYPT | default "0" | toBool }}
-ssl_certificate /etc/letsencrypt/live/{{ .Env.LETSENCRYPT_DOMAIN }}/fullchain.pem;
+ssl_certificate /etc/nginx/acme/{{ .Env.LETSENCRYPT_DOMAIN }}/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/{{ .Env.LETSENCRYPT_DOMAIN }}/privkey.pem;
+ssl_certificate_key /etc/nginx/acme/{{ .Env.LETSENCRYPT_DOMAIN }}/key.pem;
 {{ else }}
 ssl_certificate /config/keys/cert.crt;
 ssl_certificate_key /config/keys/cert.key;

web/rootfs/etc/cont-init.d/10-config

@@ -10,17 +10,25 @@ mkdir -p \
 # generate keys (maybe)
 if [[ $DISABLE_HTTPS -ne 1 ]]; then
     if [[ $ENABLE_LETSENCRYPT -eq 1 ]]; then
-        if [[ ! -f /etc/letsencrypt/live/$LETSENCRYPT_DOMAIN/fullchain.pem ]]; then
+        if [[ ! -f /config/acme.sh/acme.sh ]]; then
-            if ! certbot-auto \
+            mkdir /config/acme.sh
-                  certonly \
+            pushd /opt
-                  --no-self-upgrade \
+            sh ./acme.sh --install --home /config/acme.sh --accountemail $LETSENCRYPT_EMAIL
-                  --noninteractive \
+            popd
+        fi
+        if [[ ! -f /etc/nginx/acme/$LETSENCRYPT_DOMAIN/fullchain.pem ]]; then
+            STAGING=""
+            if [[ $LETSENCRYPT_USE_STAGING -eq 1 ]]; then
+                STAGING="--staging"
+            fi
+            # TODO: move away from standalone mode to webroot mode.
+            if ! /config/acme.sh/acme.sh \
+                    $STAGING \
+                    --issue \
                     --standalone \
-                  --preferred-challenges http \
+                    --pre-hook "if [[ -f /var/run/s6/services/nginx ]]; then s6-svc -d /var/run/s6/services/nginx; fi" \
-                  -d $LETSENCRYPT_DOMAIN \
+                    --post-hook "if [[ -f /var/run/s6/services/nginx ]]; then s6-svc -u /var/run/s6/services/nginx; fi" \
-                  --agree-tos \
+                    -d $LETSENCRYPT_DOMAIN ; then
-                  --email $LETSENCRYPT_EMAIL ; then
-
                 echo "Failed to obtain a certificate from the Let's Encrypt CA."
                 # this tries to get the user's attention and to spare the
                 # authority's rate limit:
@@ -28,16 +36,18 @@ if [[ $DISABLE_HTTPS -ne 1 ]]; then
                 echo "Exiting."
                 exit 1
             fi
+            mkdir -p /etc/nginx/acme/$LETSENCRYPT_DOMAIN
+            if ! /config/acme.sh/acme.sh \
+                    --install-cert -d $LETSENCRYPT_DOMAIN \
+                    --key-file /etc/nginx/acme/$LETSENCRYPT_DOMAIN/key.pem  \
+                    --fullchain-file /etc/nginx/acme/$LETSENCRYPT_DOMAIN/fullchain.pem ; then
+                echo "Failed to install certificate."
+                # this tries to get the user's attention and to spare the
+                # authority's rate limit:
+                sleep 15
+                echo "Exiting."
+                exit 1
             fi
-
-        # remove default certbot renewal
-        if [[ -f /etc/cron.d/certbot ]]; then
-            rm /etc/cron.d/certbot
-        fi
-
-        # setup certbot renewal script
-        if [[ ! -f /etc/cron.daily/letencrypt-renew ]]; then
-            cp /defaults/letsencrypt-renew /etc/cron.daily/
         fi
     else
         # use self-signed certs