docker: Restore ability to generate SSL certs with LetsEncrypt.

klardotsh · klardotsh · commit 6e8224011c36 · 2023-02-28T11:30:12.000-08:00
Zulip Server 4.9+ regressed Docker setups by always creating a /etc/letsencrypt directory in the top layer of the Docker container, meaning it couldn't be symlinked over from the volume mount. Since that volume mount has useful properties (providing and/or overriding LetsEncrypt setting), restore it and copy the in-image configs into the volume as defaults if and only if those files don't already exist in the volume. Fixes #381.
diff --git a/Dockerfile b/Dockerfile
@@ -73,7 +73,17 @@ RUN \
     rm -f /etc/zulip/zulip-secrets.conf /etc/zulip/settings.py && \
     apt-get -qq autoremove --purge -y && \
     apt-get -qq clean && \
-    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
+    mv /etc/letsencrypt /etc/letsencrypt.zulip
+# ^ Zulip Server installs LetsEncrypt with some default settings. We want to
+# allow /etc/letsencrypt to be volume mountable from the host while retaining
+# these settings unless overridden, so let's unclobber this path so that
+# entrypoint.sh can symlink from the volume mount and repopulate any missing
+# default files.
+#
+# This incantation must be part of the same layer that creates
+# /etc/letsencrypt/renewal-hooks to avoid Directory Not Empty / Invalid
+# Argument errors attempting to rename or unlink it.
 
 COPY entrypoint.sh /sbin/entrypoint.sh
 COPY certbot-deploy-hook /sbin/certbot-deploy-hook
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -51,7 +51,15 @@ SETTINGS_PY="/etc/zulip/settings.py"
 # === initialConfiguration ===
 prepareDirectories() {
     mkdir -p "$DATA_DIR" "$DATA_DIR/backups" "$DATA_DIR/certs" "$DATA_DIR/letsencrypt" "$DATA_DIR/uploads"
-    [ -e /etc/letsencrypt ] || ln -ns "$DATA_DIR/letsencrypt" /etc/letsencrypt
+
+	# See commentary in the Dockerfile about this process.
+	if [ -e /etc/letsencrypt ]; then
+		echo "Found unexpected /etc/letsencrypt in the Docker image, are you using the latest build?" >&2
+		exit 1
+	fi
+	ln -s "${DATA_DIR}/letsencrypt" /etc/letsencrypt
+	cp -an /etc/letsencrypt.zulip/* /etc/letsencrypt/
+
     echo "Preparing and linking the uploads folder ..."
     rm -rf /home/zulip/uploads
     ln -sfT "$DATA_DIR/uploads" /home/zulip/uploads
